Sunday, January 02, 2005

I am in the process of answering a question regarding the differences between these terms on a forum I frequent (Tek-Tips).  I thought the content of what I came up with might make a good entry for my blog.  It is not as easy as one might think to always tell the difference between them and the lines grow more blurry every day.  Here is what I have come up with:

I'd like to start with a link to what I believe to be one of the better pages at describing these various terms:

Symantec Takes Away Some of the Confusion

While Symantec does a pretty solid job, the biggest source of confusion for me (and for most people) is the difference between a "Virus" and a "Worm".  "Trojan Horse" is easy: it does not replicate itself, and it is passed off as a program that is harmless or useful in some way but is actually designed to do something completely different and usually malicious.  "Virus Hoax" is also easy: the file being called a virus is not a virus at all, and more often than not it is a legitimate system file that the hoaxer is trying to get you to delete or otherwise destroy.

So what is the difference between a "Virus" and a "Worm"?  Symantec's explanation is still a little muddled for my taste.  You kind of have to read between the lines on what they said.  For me it is like this:

Worms propagate themselves from machine to machine.  Traditionally worms did not destroy or otherwise damage files or hard drives on the user's machine or server (though many have since begun to carry payloads), and some would delete themselves from the previous host as they moved from system to system, much like a worm moving through the ground or an apple.  They would just eat up system and network resources as they looked for other systems to move to (again, this was before these nasty little buggers started carrying payloads).  Worms can, and often do, reside entirely in memory; a reboot clears the running copy, but the unpatched hole it came in through is still there.

Viruses (the plural is "viruses", not "virii"), on the other hand, are designed to infect files and drives on the machine where they reside.  They do not move from machine to machine without some human intervention, such as someone copying an infected file or carrying an infected disk.  Instead they move, on their own, from file to file or drive to drive within the host machine.  Viruses usually carry a payload as well, but a payload is not what makes a virus.  The two litmus tests a program must pass to be considered a virus are: it must get itself executed, and it must replicate.  The "get itself executed" part is usually done by inserting itself into a host file or process, so that when the host is executed, so is the virus code.

So what was Symantec trying to say in that link above when they pointed to the "host file" as the significant difference between viruses and worms?  A virus attaches itself to, or infects, another process, program or file, while a worm is itself the process, program or file.  Even if a worm rides inside a document, the entire file is the worm, since the document was created for the express purpose of hosting and transporting it.

So why do the lines between the terms Trojan Horse, Virus, and Worm get so muddled?  Well consider the following:

A piece of malware that spreads itself via email without (yet) delivering a payload.  It is spreading across a network and is not infecting files or drives on the host system, but it is moving from machine to machine, so it is a worm.  Now take that a step further: the email says "Open the attachment to receive the newest patch for Windows Media Player", and the attachment is the means by which this worm moves from machine to machine.  Now we also have a Trojan Horse, because it claims to be a patch we need yet does something entirely different from what we expect.  So we have something that is a worm and also a Trojan Horse, and once it executes, delivers its payload, and begins replicating into files on the user's machine, it passes every test for a virus as well, and the labels pile up rather than replacing one another (round and round we go).
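As an added example (not code from the original post), here are the three litmus tests above written down as predicates over observed behaviour and run against the email sample stage by stage.  The Behaviour type, its field names and the three stage reports are my own constructions for illustration.  The classifier reports every label that fits rather than choosing one, which is exactly where the round-and-round feeling comes from:

```python
"""Behaviour-based labelling of a single malware sample.

Added example, not from the original post: it encodes the post's litmus tests
(worm = self-contained program that moves between machines; virus = replicates
by inserting itself into host files; Trojan Horse = passed off as something
useful) as predicates over observed behaviour, then applies them to the e-mail
sample from the post one stage at a time.  Every field name and the three
stage reports are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Behaviour:
    """What an analyst (or a sandbox run) saw the sample do."""
    self_replicates: bool         # makes further copies of its own code
    crosses_hosts: bool           # carries itself to other machines (mail, shares, exploits)
    attaches_to_host_files: bool  # writes its code into other files/processes on the machine
    disguised_as_benign: bool     # presented as something useful ("a patch") that it is not


def classify(b: Behaviour) -> set[str]:
    """Return every label whose test the observed behaviour passes.

    Labels are deliberately not exclusive: the post's point is that one sample
    can be a worm, a Trojan Horse and a virus at once depending on which of
    its behaviours you happen to be looking at.
    """
    labels: set[str] = set()

    # Worm: replicates and moves itself from machine to machine.  Whether a
    # human had to open an attachment is not the test; what matters is that the
    # travelling copy is a complete program rather than a patch on a host file.
    if b.self_replicates and b.crosses_hosts:
        labels.add("worm")

    # Virus: replicates by infecting files/processes on the machine it is on,
    # so that running the host runs the virus.
    if b.self_replicates and b.attaches_to_host_files:
        labels.add("virus")

    # Trojan Horse: claims to be one thing and does another.  The post's strict
    # definition adds "does not replicate"; its own e-mail example drops that
    # requirement, and so does this rule.
    if b.disguised_as_benign:
        labels.add("trojan horse")

    return labels


# The post's example as three constructed observation reports.
# Stage 1: mails itself around, no lure text, no local infection yet.
STAGE_1 = Behaviour(self_replicates=True, crosses_hosts=True,
                    attaches_to_host_files=False, disguised_as_benign=False)
# Stage 2: same sample, now wrapped in "open this to get the newest patch".
STAGE_2 = Behaviour(self_replicates=True, crosses_hosts=True,
                    attaches_to_host_files=False, disguised_as_benign=True)
# Stage 3: once run, it also starts infecting files on the local machine.
STAGE_3 = Behaviour(self_replicates=True, crosses_hosts=True,
                    attaches_to_host_files=True, disguised_as_benign=True)


def walk_through() -> list[set[str]]:
    """Labels for each stage of the post's example, in order."""
    return [classify(s) for s in (STAGE_1, STAGE_2, STAGE_3)]


if __name__ == "__main__":
    for n, labels in enumerate(walk_through(), start=1):
        print(f"stage {n}: {sorted(labels) or ['no label']}")
```

Run it as a script to print the labels per stage.  The practical value of writing the tests down like this is that it forces you to say what you actually observed (did it copy itself to other machines? did it modify other files?) before reaching for a label, which is usually the quickest way out of a "is it a worm or a virus?" argument.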

As I said, the lines get increasingly blurry as the days wear on.  However, I for one believe that we (computer users everywhere) are on the upswing when it comes to these problems.  Yes, I realize that the problem is considered more pervasive than ever, but it is no longer hopeless.  Antivirus programs, spyware removal/prevention programs, and their related cousins are beginning to turn the tide in my opinion.  They are increasingly good at the important job they perform.  Also, users have become more cognizant of the threat and thus have become more likely these days to use one of the aforementioned prevention/detection/removal programs.  So I'm hopeful and optimistic.  For me the light at the end of the tunnel on problems such as these (don't even get me started on spam) is not created by more regulation and laws, but instead shines brightest when they are combated with superior technology, education, and people who have decided that enough is enough.

Sunday, January 02, 2005 9:57:28 AM (Central Standard Time, UTC-06:00)
Sunday, March 27, 2005 6:53:25 PM (Central Daylight Time, UTC-05:00)
Wow, wonderful blog. Thank you!! (So well written.)
Claire