The correct answer is B. Worm because the defining behavior described is self-replication and autonomous propagation across multiple systems without requiring additional user interaction after the initial infection. In CEH-aligned malware classifications, a worm is a standalone malicious program that can spread automatically over networks by copying itself to other hosts. Worms commonly leverage shared resources (such as shared folders), weak configurations, and credential weaknesses (such as weak administrative passwords or credential reuse) to move laterally and infect additional machines at scale.

The scenario includes multiple classic worm characteristics: (1) only one workstation is initially targeted, (2) the malware then “automatically copies itself into shared folders,” and (3) it spreads using “weak admin credentials,” resulting in rapid infection of “dozens of computers.” That pattern fits worm propagation mechanisms such as exploiting administrative shares, remote execution through obtained credentials, and leveraging network-accessible paths to drop copies of itself. The key discriminator is automation: after initial placement, the malware does the rest, scanning for reachable systems or shares and replicating to them without needing a user to click attachments or run the payload again.

Why the other options are not correct: a logic bomb is typically dormant code that triggers a malicious action when a specific condition or time is met; it is not defined by self-propagation. A backdoor provides unauthorized access for later control, but it does not inherently replicate across the network on its own. Fileless malware emphasizes execution primarily in memory using legitimate tools (e.g., PowerShell/WMI) and minimal disk artifacts; while fileless techniques can be used for lateral movement, the scenario’s emphasis is on the malware copying itself into shared folders and spreading widely, which is the hallmark of a worm.

Therefore, Sophia is most likely demonstrating a worm.