Notes on Malware Design

The payloads of a piece of malware are designed to achieve a goal; they are not there on a whim. In system analysis and design, the first step in the so-called software development life cycle is determining problems and requirements. I dare say that malware developers take a different step, or rather, a different view on that first step. The first step is to know what goal, or goals, the malware should achieve in the end. Hence, each payload has a goal to achieve.

Take, for example, the Agobot worms. For reference, read Trend Micro’s description of WORM_AGOBOT.AAA. Let’s ask a few questions, and I will try to answer them tomorrow.

There are several propagation methods available. Why did the author choose network shared folders and Windows vulnerabilities as means of propagation? Why does it terminate processes? Why does it modify the HOSTS file?