WØRM is an educational, self-replicating Python script that mimics worm-like behavior by repeatedly copying itself into user-accessible directories on the system. It is designed as a safe sandbox tool to study malware architecture, replication strategies, and defensive thinking without any malicious payload.
⚠️ Educational use only. Do not run this outside controlled environments or without explicit permission on the host system.
- Self-replicating Python script that copies its own file into randomly chosen user-safe directories using standard file operations.
- Background execution on Windows by hiding the console window through the Windows API while logging activity to a desktop log file.
- Dedicated kill_switch.py utility that locates and terminates running worm instances by inspecting active Python processes using psutil.
- Designed as a hands-on learning tool for understanding offensive techniques to inform better defensive strategies.
WØRM.py:
- Displays an introductory banner, sets up logging, and then hides the console window on Windows systems.
- Enters an infinite loop where it chooses a directory from candidate locations (such as the user home tree) and copies its own script there with a timestamped filename, pausing for a configurable delay between replications.
kill_switch.py:
- Provides an interactive terminal interface that allows selecting a target script name (default: WØRM.py).
- Scans active processes using psutil and terminates any Python processes whose command line includes the target script, excluding the kill switch itself.
- Python 3.8+ recommended.
- Operating system:
  - Windows: full experience (console hiding plus replication behavior).
  - Linux/macOS: replication logic works, but console hiding is Windows-only.
- Python dependencies:
  - Standard library: shutil, time, logging, os, ctypes, pathlib, random.
  - Third-party: psutil for process inspection and termination.
Install psutil with:
pip install psutil
Run this only in a test environment or sandbox where repeated file replication is acceptable.
- Clone the repository:
git clone https://github.com/<your-username>/<your-repo-name>.git
cd <your-repo-name>
- Start the worm simulator:
python WØRM.py
  - A banner will appear, followed by a short countdown.
  - After initialization, the window may hide (on Windows), and the script will begin replicating itself periodically into selected directories.
- Stop the worm using the kill switch:
python kill_switch.py
  - Accept the default target (WØRM.py) or provide a custom filename if needed.
  - The utility will scan running processes and terminate matching Python instances that are executing the target script.
- Cleanup reminder:
  - After stopping the processes, manually review and remove the replicated files from the directories if you want a clean system state.
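The manual review in the cleanup step can be made checkable: if the copies are unmodified, each one has the same SHA-256 digest as the original script, whatever its filename. The following is an added example, not code from this repository, that lists byte-identical copies under a directory without deleting anything; the file names used in demo() are constructed, and the assumption that copies are byte-identical is noted in the code.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """SHA-256 hex digest of a file, read in chunks to bound memory use."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_copies(reference, root):
    """Return files under root byte-identical to reference (report only).

    Assumption: replicated copies are unmodified, so their hash matches.
    """
    reference = Path(reference).resolve()
    ref_size, ref_hash = reference.stat().st_size, sha256_of(reference)
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            try:
                if candidate.is_symlink() or candidate.resolve() == reference:
                    continue  # skip links and the reference file itself
                if candidate.stat().st_size != ref_size:
                    continue  # cheap size check before hashing
                if sha256_of(candidate) == ref_hash:
                    matches.append(candidate)
            except OSError:
                continue  # unreadable or vanished mid-scan
    return sorted(matches)


def demo():
    """Constructed sandbox: a reference script, two copies, and two decoys."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ref = root / "sample.py"
        ref.write_bytes(b"print('simulator')\n")
        (root / "docs").mkdir()
        (root / "docs" / "sample_20250101_120000.py").write_bytes(ref.read_bytes())
        (root / "sample_20250101_120500.py").write_bytes(ref.read_bytes())
        (root / "same_size.py").write_bytes(b"print('simulatoR')\n")  # same size
        (root / "notes.txt").write_bytes(b"unrelated\n")
        return [p.relative_to(root).as_posix() for p in find_copies(ref, root)]
```

Matching on content rather than filename also catches copies that were renamed after replication, and the size pre-filter keeps the scan cheap on large directory trees.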
To help visualize the impact of unbounded replication, the project includes a demonstration of a drive filling up over time.
Planned enhancements include:
- Multithreaded replication to explore performance and concurrency issues.
- A safe, automated cleanup routine that removes replicated copies via a dedicated “cleanup mode” or integrated kill-switch enhancement.
- A C-language implementation to study lower-level performance characteristics and contrast with Python behavior.
This project welcomes contributions, feedback, and collaboration ideas, especially around:
- Safer sandboxing techniques and defensive tooling built around this simulator.
- Additional analysis utilities, visualizations, or monitoring hooks.
- Experiments in alternative replication strategies or detection methods.
If you have ideas for extending this work or want to collaborate on related offensive–defensive research tooling, feel free to open an issue or submit a pull request.
This project is licensed under the MIT License © 2025 Burhanuddin.
See the LICENSE file in this repository for the full license text and terms of use.

