Virus Glossary of Terms

Technical terminology used in virus alerts and descriptions can be confusing. Use this glossary whenever you come across a term you don't understand. This glossary is taken from 4 different sites and compiled into the one that you see here. If you have any additional terms that you wish added, then email the webmaster.

@m
Signifies the virus or worm is a "mailer". An example is Happy99 (W32.Ska), which only sends itself by email when you (the user) send mail.
@mm
Signifies the virus or worm is a "mass-mailer". An example is Melissa, which sends messages to every email address in your mailbox.
Activation Condition (Trigger)
This indicates the circumstances under which the virus goes into action. These conditions can be the following: when the date or time stamp matches a certain condition, when users carry out certain actions, etc. Therefore, it is the condition that triggers the payload of viruses.
Active X
ActiveX controls are software modules based on Microsoft's Component Object Model (COM) architecture. They add functionality to software applications by seamlessly incorporating pre-made modules with the basic software package. Modules can be interchanged but still appear as parts of the original software.

On the Internet, ActiveX controls can be linked to Web pages and downloaded by an ActiveX-compliant browser. ActiveX controls turn Web pages into software pages that perform like any other program launched from a server.

ActiveX controls can have full system access. In most instances this access is legitimate, but one should be cautious of malicious ActiveX applications.

ADSL (Asymmetric Digital Subscriber Line)
This is a type of Internet connection that uses cable or telephone lines to provide fast data transfer (even faster than ISDN connections).
Alias

An alias is an alternate name for a virus. On some occasions virus aliases can get even more popular than original virus names. An example of this is the well-known I Love You virus, which was originally named Love Letter.

It is important not to confuse an alias with a variant. The alias is just an alternate name for a virus, whereas variants are modified versions of a virus. Variants usually have the same name as the original virus but with different suffixes (Marker.A, Marker.B,...). For instance, Love Letter and I Love You are in fact the same virus, whereas LoveLetter.B and LoveLetter.M are two different variants of the LoveLetter virus.

Algorithm
A sequence of steps needed to solve logical or mathematical problems.

Certain cryptographic algorithms are used to encrypt or decrypt data files and messages and to sign documents digitally.

ANSI (American National Standards Institute)
This is an organization that administers and coordinates the U.S. standardization and conformity assessment system. The most well-known standards created by this organization include the ASCII code (American Standard Code for Information Interchange) and the SCSI interface.
Anti-antivirus Virus
Anti-antivirus viruses attack, disable or infect specific anti-virus software. See also: Retrovirus
Anti-virus Software
Anti-virus software scans a computer's memory and disk drives for viruses. If it finds a virus, the application informs the user and may clean, delete or quarantine any files, directories or disks affected by the malicious code. See also: Anti-virus scanner
Antivirus Virus
Antivirus viruses specifically look for and remove other viruses.
API (Application Programming Interface)
An API is a method or property of some operating systems (Windows API, for instance) by which a programmer can make requests of the operating system or another application.
Applet

Any miniature application transported over the Internet, especially as an enhancement to a Web page. Authors often embed applets within the HTML page as a foreign program type.

Java applets are usually only allowed to access certain areas of the user's system. Computer programmers often refer to this area as the sandbox.

Armored Virus
An armored virus tries to prevent analysts from examining its code. The virus may use various methods to make tracing, disassembling and reverse engineering its code more difficult.
ASCII (American Standard Code for Information Interchange)
Usually refers to a coding system that assigns numerical values to characters such as letters, numbers, punctuation, and other symbols.

Basic ASCII allows only 7 bits per character (for a total of 128 characters). The first 32 characters are "unprintable" (line feed, form feed, etc.). Extended ASCII adds an additional 128 characters that vary between computers, programs and fonts. Computers use these extra characters for accented letters, graphical characters or other special symbols.

ASCII Files
ASCII files are usually text files consisting of only ASCII characters. With effort, it is possible to write program files consisting only of printable characters (See: EICAR Standard Anti-virus Test File). Windows batch (BAT) files and Visual Basic Script files (See Also: Batch Files, VBS) are also typically pure text, and program files.

Because of the danger macro viruses can pose, using ASCII files in e-mail communications may be less risky. While it is possible for ASCII files to contain program code, and thus to contain viruses, ASCII files let you control both content and layout exactly, ensuring your e-mail is legible by most e-mail programs.

ASP (Active Server Page)
Most pages on the Internet are created in the HTML programming language. However, there are some other pages created in other languages like ASP. On the one hand, HTML pages are loaded and processed straight on the computer of the user visiting the page in question. On the other hand, ASP pages are processed or handled on a Microsoft Web server before the users actually load them onto the computer. This means that ASP pages are in fact used in Microsoft Internet Information Servers. These include small programs that are run on the server rather than on the user's computer. This way, it is possible to customize them to the user's liking.

Each of these pages corresponds to a file with an ASP extension. These consist of HTML code where Visual Basic Script or JavaScript commands are included, which allow the pages to work dynamically (DHTML). The final result of the execution of these pages on the server is an HTML page that users can view on their computers.

Attack
An attempt to subvert or bypass a system's security. Attacks may be passive or active. Active attacks attempt to alter or destroy data. Passive attacks try to intercept or read data without changing it. See Also: Brute Force Attack, Denial of Service, Hijacking, Password Attacks, Password Sniffing
Attributes
Characteristics assigned to all files and directories. Attributes include: Read Only, Archive, Hidden or System.
Back Door
A feature programmers often build into programs to allow special privileges normally denied to users of the program. Often programmers build back doors so they can fix bugs. If hackers or others learn about a back door, the feature may pose a security risk. See also: Trapdoor.
Back Orifice
Back Orifice is a program developed and released by The Cult of the Dead Cow (cDc). It is not a virus; it is a remote administration tool with potential for malicious misuse. If installed by a hacker, it has the ability to give a remote attacker full system administrator privileges to your system. It can also 'sniff' passwords and confidential data and quietly e-mail them to a remote site. Back Orifice is an extensible program--programmers can change and "enhance" it over time. See also: Password Sniffing
Background Scanning
A feature in some anti-virus software to automatically scan files and documents as they are created, opened, closed or executed.
Background Task
A task that is executed by the system but generally remains invisible to the user. The system usually assigns background tasks a lower priority than foreground tasks. Some malicious software is executed by a system as a background task so the user does not realize unwanted actions are occurring.
Batch Files (BAT files)
Batch files are characterized by having a BAT extension. These are text files that contain MS-DOS commands, one on each line of the file. When such files are run, each one of the lines it contains is executed in sequential order. A very important file of this type is AUTOEXEC.BAT, which is always found in the root directory of the hard disk and is executed automatically whenever the computer is booted, thereby loading a series of controls and programs.
Backup
n. A duplicate copy of data made for archiving purposes or for protecting against damage or loss.

v. The process of creating duplicate data. Some programs back up data files while maintaining both the current version and the preceding version on disk. However, a backup is not considered secure unless it is stored away from the original.

Bimodal Virus
A bimodal virus infects both boot records and files. Also: Bipartite; See Also: Boot Sector Infector, File Virus, Multipartite
BIOS (Basic Input/Output System)
The part of the operating system that identifies the set of programs used to boot the computer before locating the system disk.

The BIOS is located in the ROM (Read Only Memory) area of the system and is usually stored permanently.

BIT
Bit is the smallest unit of data information in computer systems. Its value can be either 0 or 1. In a way, it can be compared to an electric signal that can only have two voltage values: active (1) and inactive (0). All the data used in computers is coded in bits (0 and 1). However, computers are normally designed to store data in bit multiples called Bytes - B (8 bits), Kilobytes - KB (1024 Bytes), Megabytes - MB (1024 Kilobytes), or Gigabytes - GB (1024 Megabytes).
Boot
To start (a cold boot) or reset (warm boot) the computer so it is ready to run programs for the user. Booting the computer executes various programs to check and prepare the computer for use. See Also: Cold Boot, Warm Boot
Boot Record
The program recorded in the boot sector. This record contains information on the characteristics and contents of the disk and information needed to boot the computer. If a user boots a PC with a floppy disk, the system reads the boot record from that disk. See Also: Boot Sector
Boot Sector
An area located on the first track of floppy disks and logical disks that contains the boot record. Boot sector usually refers to this specific sector of a floppy disk, whereas the term Master Boot Sector usually refers to the same section of a hard disk. See Also: Master Boot Record
Boot Sector Infector
A boot sector infector virus places its starting code in the boot sector. When the computer tries to read and execute the program in the boot sector, the virus goes into memory where it can gain control over basic computer operations. From memory, a boot sector infector can spread to other drives (floppy, network, etc.) on the system. Once the virus is running, it usually executes the normal boot program, which it stores elsewhere on the disk. Also: Boot Virus, Boot Sector Virus, BSI.
Bug
A bug is a coding error in a program. Viruses are programs and consequently can have bugs. This means that the actions that the virus was initially coded to carry out might not take place if a bug is found in the viral code.
Byte
A byte is the unit that makes it possible to measure data and storage capabilities. To be more precise, a byte is a unit of data that is eight binary digits long. Consequently, a Byte - B contains 8 bits, a Kilobyte contains 1024 Bytes, a Megabyte - MB contains 1024 Kilobytes and a Gigabyte - GB contains 1024 Megabytes.
Brute Force Attack
An attack in which each possible key or password is attempted until the correct one is found. See also: Attack
BSI
See: Boot Sector Infector
Cache
This is a small section that corresponds to the computer memory. It is usually a place to store something temporarily. Its function is to increase the processing speed of the computer. To do this, a copy of the most recently accessed data is stored for fast access.
Category / Type
Not all viruses are the same. In fact they can be divided into different categories or types according to the way they spread or infect, or according to the actions they carry out. There are several virus categories: Boot, Macro, Polymorphic, Worms, Trojans, Resident, etc. Some viruses may belong to just one of these types, whereas others might be part of several virus categories.
Cavity Virus
A cavity virus overwrites a part of its host file without increasing the length of the file while also preserving the host's functionality.
Checksum
An identifying number calculated from file characteristics. The slightest change in a file changes its checksum.
Circular Infection
A type of infection that occurs when 2 viruses infect the boot sector of a disk, rendering the disk unbootable. Removing one virus will generally cause a re-infection with the other virus. See also Boot Sector or MBR virus.
Clean
adj. A computer, file or disk that is free of viruses.

v. To remove a virus or other malicious software from a computer, file or disk. See also: Disinfection.

Cluster Virus
Cluster viruses modify the directory table entries so the virus starts before any other program. The virus code only exists in one location, but running any program runs the virus as well. Because they modify the directory, cluster viruses may appear to infect every program on a disk. Also: File System Virus
CMOS (Computer Metal Oxide Semiconductor)
This is a physical section of the main computer memory. Unlike RAM (Random Access Memory), it uses a battery, located on the motherboard, as a power supply. This means that if the computer is disconnected, the content of the CMOS memory remains. This is the reason why the CMOS memory contains the computer setup information, the date, and the time. Some viruses attempt to attack this type of memory. If they managed to delete its content, the effects caused would be highly destructive and it would be necessary to install a new CMOS memory containing the corresponding information.
Cold Boot
To start the computer by cycling the power. A cold boot using a rescue disk (a clean floppy disk with boot instructions and virus scanning capabilities) is often necessary to clean or remove boot sector infectors. See Also: Boot, Warm Boot
COM File
A type of executable file limited to 64 KB. These simple files are often used for utility programs and small routines. Because COM files are executable, viruses can infect them. This file type has the extension COM.
Companion Virus
Companion viruses use a feature of DOS that allows software programs with the same name, but with different extensions, to operate with different priorities. Most companion viruses create a COM file which has a higher priority than an EXE file with the same name.

Thus, a virus may see a system contains the file PROGRAM.EXE and create a file called PROGRAM.COM. When the computer executes PROGRAM from the command line, the virus (PROGRAM.COM) runs before the actual PROGRAM.EXE. Often the virus will execute the original program afterwards so the system appears normal.

Compromise
To access or disclose information without authorization.
Cookie
Cookies are blocks of text placed in a file on your computer's hard disk. Web sites use cookies to identify users who revisit the site.

Cookies might contain login or registration information, "shopping cart" information or user preferences. When a server receives a browser request that includes a cookie, the server can use the information stored in the cookie to customize the Web site for the user. Cookies can be used to gather more information about a user than would be possible without them.

CRC (Cyclic Redundant Check)
All files have a number code that identifies them. This number is obtained as a result of certain mathematical operations for each of the existing files. If the file has been modified by a virus, the CRC will change. The antivirus program checks to see if the current CRC corresponds to the original one. If this is not the case, it means that the file has been modified and this will have to be taken into account.
Damage Level
This value indicates to what extent the virus is capable of damaging computers. It therefore indicates how serious the consequences of an infection can be.
Default Password
A password on a system when it is first delivered or installed.
Denial Of Service
An attack specifically designed to prevent the normal functioning of a system and thereby to prevent lawful access to the system by authorized users. Hackers can cause denial of service attacks by destroying or modifying data or by overloading the system's servers until service to authorized users is delayed or prevented. See also: Attack
Debugger
A program that permits you to edit and create other programs written in languages such as Assembly (not high-level languages). It also makes it possible to analyze internal file code.
Direct Action Virus
A direct action virus works immediately to load itself into memory, infect other files, and then to unload itself.
Disinfection
This is the action carried out by antivirus programs after detecting the presence of a virus. The virus is removed from the system and, whenever possible, any lost data is recovered.
Distribution Level
This refers to the number of computers that the virus is infecting (or has infected) as well as to its capability to propagate. This value is established according to the number of infection reports received as well as to the means of propagation used by the virus. Consequently, it will indicate how widespread the virus is.
DOC File
A Microsoft Word Document File. In the past, these files contained only document data, but with many newer versions of Microsoft Word, DOC files also include small programs called macros. Many virus authors use the macro programming language to associate macros with DOC files. This file type has the extension DOC.
DOS (MS-DOS)
This is the Disk Operating System used by Microsoft before Windows was developed.
Dropper
Droppers are executable files that contain viruses. When these files are run, the "dropper" releases the viruses it might contain. It is important to note that when an antivirus program scans this type of file no viruses will be detected, as the virus code is not created until the user runs the "dropper".
Dynamic Link Library (DLL)
This is a special type of file with a DLL extension. These files can be used by several programs at the same time. DLL files make it possible to create a code section that will be used by several programs. These libraries can be attacked by viruses.
EICAR (European Institute of Computer Anti-Virus Research)
The EICAR test is an antivirus test file (a small program 68 Bytes long) that makes it possible to study and check the functioning of antivirus programs. Although it is not a virus, it pretends to be so. When you insert it on a computer you can immediately find out if the antivirus program installed is working properly.
EICAR Standard Anti-Virus Test File
This text file consists of one line of printable characters; if saved as EICAR.COM, it can be executed and displays the message: "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" This provides a safe and simple way of testing the installation and behavior of anti-virus software without using a real virus.
Encryption
This is one of the techniques used by some viruses to avoid detection by antivirus programs. Through this method, the virus encrypts (encodes) itself automatically upon carrying out an infection. Each time it infects it encrypts itself differently, so that its strings and code are never the same. This makes things much more difficult for antiviruses, as they will no longer be able to detect a particular virus by its telltale signature.

When the virus goes into action it decrypts itself (by means of an encryption key it used to encrypt itself) and then runs. When the virus decrypts itself it might be detected by the antivirus by detecting the routine that the virus uses to do this. However, the antivirus program can detect the encryption key (in the virus header) and then detect and neutralize the virus.

If the virus encrypts its code in a different manner each time it infects, it will be a polymorphic virus. This way, the virus signature changes each time. The problem that antivirus programs encounter is that they will have to search for different codes or strings each time.

Encrypted Virus
An encrypted virus's code begins with a decryption algorithm and continues with scrambled or encrypted code for the remainder of the virus. Each time it infects, it automatically encodes itself differently, so its code is never the same. Through this method, the virus tries to avoid detection by anti-virus software.
Exceptions
An alternative to the string search method is to search for exceptions. When a virus uses different strings from one infection to another, it becomes difficult to detect by means of the string search method. A specific solution is therefore created that enables the antivirus search engine to detect a particular virus.
EXE file
An executable file, as contrasted with a document or data file. Usually executed by double-clicking its icon or a shortcut on the desktop, or by entering the name of the program at a command prompt. Executable files can also be executed from other programs, batch files or various script files.

The vast majority of known viruses infect program files. However, real-world infections by program-infecting viruses are much less common. See also: Program File

Executable Code
This represents instructions that are "executable" by the computer. These include COM, EXE, DLL and similar files. In a broader sense, executable code includes the code found in the disks' boot sector, batch files and even macros used by some applications.
Family / Group
All viruses can have different variants. This means that there can be viruses with certain characteristics, but also other viruses with the same or very similar characteristics. A virus and each of its variants constitute what we call a family. For instance, the following are members of the Marker family of viruses: W97M/Marker.C, W97M/Marker.B
False Negative
A false negative takes place when an antivirus does not detect a virus on an infected element. This might take place when a new virus enters the computer and the special detection techniques could not detect it.
False Positive
A false alarm takes place when an antivirus program detects a virus on an uninfected element. This can take place on certain occasions due to the use of special techniques to detect viruses.
Fast Infector
Fast infector viruses, when active in memory, infect not only executed programs, but also those that are merely opened. Thus running an application, such as anti-virus software, which opens many programs but does not execute them, can result in all programs becoming infected. See Also: Slow Infector
FAT
Under MS-DOS, Windows 3.x, 9x, and NT (in some cases), the FAT is located in the boot sector of the disk and stores the addresses of all the files contained on a disk. Viruses and other malicious programs, as well as normal use and extended wear and tear, can damage the FAT. If the FAT is damaged or corrupt, the operating system may be unable to locate files on the disk.
FDISK /MBR
If you have MS-DOS version 5.0 or later, the command FDISK /MBR can remove viruses which infect the master boot sector but do not encrypt it. Using this command can produce unexpected results and cause unrecoverable damage.
File, Archive, Document
This is where information is stored in a computer storage device i.e. the actual work carried out by a user (texts, images, databases, spreadsheets, etc.). Each file or document is given a name and is assigned an extension, a three-letter code that identifies the type of file in question. Some common extensions include EXE and COM (executable files, programs), TXT (text files) and DOC (Word documents).
File Virus
File viruses usually replace or attach themselves to COM and EXE files. They can also infect files with the extensions SYS, DRV, BIN, OVL and OVY.

File viruses may be resident or non-resident, the most common being resident or TSR (terminate-and-stay-resident) viruses. Many non-resident viruses simply infect one or more files whenever an infected file runs.

Also: Parasitic Virus, File Infector, File Infecting Virus

FTP (File Transfer Protocol)
This is a protocol used to exchange files between computers on the Internet. This connection makes it possible to download files to your computer.
Firewall
A firewall prevents computers on a network from communicating directly with external computer systems. A firewall typically consists of a computer that acts as a barrier through which all information passing between the networks and the external systems must travel. The firewall software analyzes information passing between the two and ejects it if it does not conform to pre-configured rules.
Full Stealth Virus
In this case, ALL normal calls to file locations are cached while the virus subtracts its own length so that it appears clean. See also Stealth Virus.
Good Times
See: Virus Hoaxes
Heuristic Scan
This is a method or strategy designed to make it easier to solve problems. This method is applied automatically and it is based on common-sense rules drawn from experience. When it comes to antivirus programs, this is an additional type of scan used by some antivirus programs to detect new and unknown viruses.

Antivirus programs usually detect viruses by searching for a string that identifies them. However, heuristic scan (thus avoiding the string search) makes it possible to detect unknown viruses. Consequently, this type of scan makes it possible to detect suspicious code.

Hijacking
An attack whereby an active, established session is intercepted and used by the attacker. Hijacking can occur locally if, for example, a legitimate user leaves a computer unprotected. Remote hijacking can occur via the Internet.
Hole
A vulnerability in the design of software and/or hardware that allows circumvention of security measures.
Hoax
A Hoax is a notice about a nonexistent virus. These messages are usually sent out via e-mail in order to spread rumors about false viruses on the Internet.

Occasionally, hoax warnings include technical words. On some other occasions, the names of some press agencies are mentioned in the heading of the warnings (CBS, etc.). This way, the hoax author attempts to trick users into believing that they have received a warning about a real virus.

Host
This term refers to a computer that works as a source of information. This term is normally used when there are two computer systems connected by means of modems and telephone lines. The system that contains the data is the host, whereas the user's computer will be the remote terminal. A server will work as a host for its clients and we can even say that a desktop computer works as a host for its peripherals.
HTTP (HyperText Transfer Protocol)
This is the underlying protocol used by the Internet. This protocol makes it possible to access hypertext documents created in HTML format. This means that HTTP allows users to view web pages through a web browser.
Hyperlinks
Also known as links, they may take on the form of text, images, buttons or sections of an HTML document (Web page). By placing the mouse pointer over them and clicking, the user will be taken to another page or a different section of the page he/she was already viewing.
IMAP (Internet Message Access Protocol)
This is the protocol used on the Internet to access e-mail messages. This makes it possible to access messages on other computers (remote servers), as if they were in the computer where the e-mail client is installed.
In the Wild
A virus is "in the wild" if it is verified as having caused an infection outside a laboratory situation. Most viruses are in the wild and differ only in prevalence. Also: ITW; See Also: Zoo Virus
Infection
The action a virus carries out when it enters a computer system or storage device.
Injector
See: Dropper
Interrupt
This is the signal which is used to momentarily pause the functioning of the computer's microprocessor. When this happens, the processor temporarily ignores the operations it was performing in order to carry out the actions indicated by the interrupt in question. There is an established interrupt hierarchy so that the computer knows which one to accept first and which ones should interrupt other ones already in process. Once the processor has dealt with the interrupt, it continues with the initial action it was performing.
IP (Internet Protocol)
This is the number that identifies a computer on the Internet. It is like an ID code or a passport number. It consists of a set of four numbers (from 0 to 256) separated by dots. An example of this might be the following: 168.40.25.12. Knowing this number might be enough to access other computers remotely, as long as the right tool is used.
IRC (Internet Relay Chat)
An Internet service that makes it possible to partake in written conversations with other users connected to the same chat channel.
IRC Worm
These are executable files that modify SCRIPT.INI in order to enable the worm to distribute itself through IRC (chat application). These types of worms use programs like mIRC or Pirch to run.
Integrity Checker
A program that checks for changes to files. Integrity checkers, when used correctly, can provide an excellent second line of defense against new viruses and variants.
Java / Javascript
JavaScript is a scripting language that can run wherever there is a suitable script interpreter such as Web browsers, Web servers, or the Windows Scripting Host. The scripting environment used to run JavaScript greatly affects the security of the host machine:

A Web page with JavaScript runs within a Web browser in much the same way as Java applets and does not have access to host machine resources.

An Active Server Page (ASP) or a Windows Scripting Host (WSH) script containing JavaScript is potentially hazardous since these environments allow scripts unrestricted access to machine resources (file system, registry, etc.) and application objects.

Java Applets
Java Applets are small programs embedded in HTML pages, which can be run automatically upon opening the HTML page in question. Virus writers can take advantage of this situation to carry out attacks on other systems. In many cases, it is possible to avoid this type of attack by configuring the browser's security settings to "high".

Like Active-X controls, Java Applets make it possible to include new functionalities in web pages (animations, certain calculations, etc.). The difference lies in the technology used and in the companies that implemented it. Sun Microsystems is the company that implemented Java Applets, whereas Microsoft introduced Active-X controls.

Joke Programs
Jokes are programs designed to trick users into believing that they have been infected by a virus. These programs usually simulate the destructive effects of viruses (for instance, the deletion of the files on the hard disk). Users are strongly recommended not to open any files attached to e-mail messages.
Kernel
This is the central module of the operating system.
Key
The Windows Registry uses keys to store computer configuration settings. When a user installs a new program or the configuration settings are otherwise altered, the values of these keys change. If viruses modify these keys, they can produce damaging effects.
Library File
Library files contain groups of often-used computer code that different programs can share. Programmers who use library code make their programs smaller since they do not need to include the code in their program. A virus that infects a library file automatically may appear to infect any program using the library file.

In Windows systems, the most common library file is the Dynamic Link Library; its extension is DLL.

Logic Bomb
A logic bomb is a type of trojan horse that executes when specific conditions occur. Triggers for logic bombs can include a change in a file, a particular series of keystrokes, or a specific time or date. See: Time Bomb
Macro
A macro is a series of instructions designed to simplify repetitive tasks within a program such as Microsoft Word, Excel or Access. Macros execute when a user opens the associated file. Microsoft's latest macro programming language is simple to use, powerful, and not limited to Word documents. Macros are mini-programs and can be infected by viruses. See Also: Macro Virus
Macro Virus
A macro virus is a malicious macro. Macro viruses are written in a macro programming language and attach to a document file (such as Word or Excel). When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and copies itself into other documents. Continual use of the program results in the spread of the virus.

Macro viruses can be identified by their names: W97M..., W00M... (macro viruses affecting Microsoft Word 97 and 2000 respectively); X97M..., X00M... (macro viruses affecting Microsoft Excel 97 and 2000 respectively); O97M... (macro viruses affecting Microsoft Word 97 and Microsoft Excel 97); etc.

Mail Bomb
n. Excessively large e-mail (typically many thousands of messages) or one large message sent to a user's e-mail account, for the purpose of crashing the system, or preventing genuine messages from being received.

v. To send a mailbomb.

Malicious Code
A piece of code designed to damage a system or the data it contains, or to prevent the system from being used in its normal manner.
Malware
A generic term used to describe malicious software such as: viruses, trojan horses, malicious active content, etc.
Master Boot Record
The 340-byte program located in the master boot sector. This program reads the partition table, determines what partition to boot and transfers control to the program stored in the first sector of that partition. There is only one master boot record on each physical hard disk. Also: MBR, Partition Table; See Also: Boot Record
Master Boot Sector
The first sector of a hard disk. This sector is located at sector 1, head 0, track 0. The sector contains the master boot record. See Also: Master Boot Record
Master Boot Sector Virus
Master boot sector viruses infect the master boot sector of hard disks, though they spread through the boot record of floppy disks. The virus stays in memory, waiting for DOS to access a floppy disk. It then infects the boot record on each floppy disk DOS accesses. Also: Master Boot Record Virus; See Also: Boot Record
MBR
See: Master Boot Record
Mapped Drives
Network drives assigned local drive letters and locally accessible. For example, the directory path \\MAIN\JohnDoe\ might be mapped as drive G: on a computer.
Means of Infection
This is one of the most important characteristics of viruses. The means of infection let you know about the steps that a virus follows in order to carry out its infections. It informs you about the changes that the virus made to the Windows Registry, etc.
Means of Propagation
This is one of the most important characteristics of a virus. It not only lets you know about the methods that the virus uses to spread to other computers (floppy disks, CD-ROMs, computer networks, e-mail messages, FTP, Internet, ...) but it also informs you about the actions that the virus carries out to ensure its propagation.
Memory Resident Virus
A memory-resident virus stays in memory after it executes and infects other files when certain conditions are met. In contrast, non-memory-resident viruses are active only while an infected application runs.
MP3 (Moving Picture Experts Group Audio Layer 3 File)
MP3 files are highly compressed audio tracks, and are very popular on the Internet. MP3 files are not programs, and viruses cannot infect them. This file type has the extension MP3.
Multipartite Virus
Multipartite viruses use a combination of techniques including infecting documents, executables and boot sectors to infect computers. Most multipartite viruses first become resident in memory and then infect the boot sector of the hard drive. Once in memory, multipartite viruses may infect the entire system.

Removing multipartite viruses requires cleaning both the boot sectors and any infected files. Before you attempt the repair, you must have a clean, write-protected Rescue Disk.

Mutant
See: Variant
Mutating Virus
A mutating virus changes, or mutates, as it progresses through its host files making disinfection more difficult. The term usually refers to viruses that intentionally mutate, though some experts also include non-intentionally mutating viruses. See Also: Polymorphic Virus
Newsgroup
An electronic forum where readers post articles and follow-up messages on a specified topic. An Internet newsgroup allows people from around the globe to discuss common interests. Each newsgroup name indicates the newsgroup's subject in terms of increasingly narrow categories, such as alt.comp.virus.
Not In The Wild
Viruses "not in the wild" are in the real world but fail to spread successfully. See Also: In The Wild, Zoo Virus
NTFS
NT File System; a Windows NT file system used to organize and keep track of files. See Also: FAT
Nuke
Although there is a specific family of viruses that refers to this term, a nuke attack is in fact a way to crash computers over a TCP/IP (Internet Protocol) connection.
On-access Scanner
A real-time virus scanner that scans disks and files automatically and often in the background. An on-access scanner scans files for viruses as the computer accesses the files.
On-demand Scanner
A virus scanner the user starts manually. Most on-demand scanners allow the user to set various configurations and to scan specific files, folders or disks.
Operating System (O.S.)
There are two well-known terms used in computing called hardware and software. Hardware is composed of the physical elements of a computer, such as disk drives, cards, processors, etc. Software, on the other hand, is the set of programs that enable you to work on the computer. The operating system falls into the latter category, as it is the software that enables you to interact with the computer and which controls the functioning of the machine as far as storage, communications and task management are concerned. The O.S. is the most important program running on a computer, as without one it would be impossible to use. Examples of well-known operating systems are MS/DOS, UNIX, OS/2, Windows 95/98/2000/NT, etc.
Overwriting Virus
Overwrite viruses are characterized by not respecting the data contained in the files they infect, which means the files are rendered useless after infection. Some overwrite viruses are memory resident while others are not. Disinfection is possible, although files cannot be recovered, which means that it is necessary to delete the original file and replace it with a new copy.
Parasitic
A virus that requires a host to help it spread.
Password Attack
A password attack is an attempt to obtain or decrypt a legitimate user's password. Hackers can use password dictionaries, cracking programs, and password sniffers in password attacks. Defense against password attacks is rather limited but usually consists of a password policy including a minimum length, unrecognizable words, and frequent changes. See also: Password Sniffer
Password Sniffer
The use of a sniffer to capture passwords as they cross a network. The network could be a local area network, or the Internet itself. The sniffer can be hardware or software. Most sniffers are passive and only log passwords. The attacker must then analyze the logs later. See also: Sniffer
Payload
Refers to the effects produced by a virus attack. Sometimes refers to a virus associated with a dropper or Trojan horse.
PE (Portable Executable)
This term refers to the standard Win32 executable file format.
PGP (Pretty Good Privacy)
Considered the strongest program for encrypting data files and/or e-mail messages on PCs and Macintosh computers. PGP includes authentication to verify the sender of a message and non-repudiation to prevent someone denying they sent a message.
Piggyback
To gain unauthorized access to a system via an authorized user's legitimate connection.
Polymorphic Virus
Polymorphic viruses create varied (though fully functional) copies of themselves as a way to avoid detection by anti-virus software. Some polymorphic viruses use different encryption schemes and require different decryption routines. Thus, the same virus may look completely different on different systems or even within different files. Other polymorphic viruses vary instruction sequences and use false commands in the attempt to thwart anti-virus software. One of the most advanced polymorphic viruses uses a mutation-engine and random-number generators to change the virus code and its decryption routine. See also: Mutating Virus
POP (Post Office Protocol)
This is a protocol that makes it possible to receive e-mail messages.
Program Infector
A program infector virus infects other program files once an infected application is executed and the activated virus is loaded into memory.
Real-time Scanner
An anti-virus software application that operates as a background task, allowing the computer to continue working at normal speed, with no perceptible slowing. See also: On-Access Scanner
RDSI
This is one of the types of networks currently used to transfer any type of information over the Internet (data, voice, images,...). Unlike other network connections, RDSI offers high-quality faster Internet connections.
Redirect
This action is used to redirect a command to a different address. Viruses may use this function to redirect the system to where the virus is located rather than to the address of the file or application it was originally instructed to open.
Registry Keys
The Registry is an element where the configuration of a computer is stored in the form of values or keys. These keys will change value and/or will be created when new programs are installed on the computer. Viruses can modify these keys in order to carry out destructive actions.
Rename
The action by which a user or program assigns a new name to a file. Viruses may rename program files and take the name of the file so running the program inadvertently runs the virus.

Anti-virus programs may rename infected files so they are unusable until they are manually cleaned or deleted.

Replication
This is the term used to describe the action by which a virus makes copies of itself in order to carry out subsequent infections. Replication is one of the major criteria separating viruses from other computer programs.
Reset
To restart a computer without turning it off. Also: Warm Boot
Resident Virus
A resident virus loads into memory and remains inactive until a trigger event. When the event occurs the virus activates, either infecting a file or disk, or causing other consequences. All boot viruses are resident viruses and so are the most common file viruses.
Resident Extension
A resident extension is a memory-resident portion of a program that remains active after the program ends. It essentially becomes an extension to the operating system. Many viruses install themselves as resident extensions.
Rogue Program
A term the media use to denote any program intended to damage programs or data, or to breach a system's security. It includes Trojan Horse programs, logic bombs, viruses, and more.
RTF (Rich Text Format)
An alternative format to the DOC file type supported by Microsoft Word. RTF files are ASCII text files and include embedded formatting commands. RTF files do not contain macros and cannot be infected with a macro virus.

This makes RTF files a good document format for communicating with others via e-mail. However, some macro viruses attempt to intercept saving a file as an RTF file and instead save it as a DOC file with an RTF extension. Users can catch this trick by first reading the file in a simple text editor like Notepad. DOC files will be nearly unreadable, while RTF files will be readable. This file type has the extension RTF. See Also: DOC File

Scanner
A virus detection program that searches for viruses. See also: Anti-virus Software, On-demand Scanner, On-Access Scanner
SCR Files
These are what are known as Script files. They take SCR extensions and are used to determine the parameters (conditions) under which certain programs should be run. They therefore make it possible to open a program in accordance with previously established conditions.
Script Virus
Script viruses are written in the VBScript (Visual Basic) and JavaScript programming languages and use Windows Scripting Host to go into action and infect other files. These viruses will run automatically upon running VBS and JS infected files. These viruses usually include the following letters in their names: VBS or JS. For instance: VBS/LoveLetter.D.
Sector Viruses
See: Boot Sector Infector, Master Boot Sector Virus
Self-Encrypting Virus
Self-encrypting viruses attempt to conceal themselves from anti-virus programs. Most anti-virus programs attempt to find viruses by looking for certain patterns of code (known as virus signatures) that are unique to each virus. Self-encrypting viruses encrypt these text strings differently with each infection to avoid detection. See also: Self-garbling Virus, Encrypted Virus
Self-extracting Files
A self-extracting file decompresses part of itself into one or more parts when executed. Software authors and others often use this file type to transmit files and software via the Internet since the compressed files conserve disk space and reduce download time. Some anti-virus products may not search self-extracting file components. To scan these components, you must first extract the files and then scan them.
Self-garbling Viruses
A self-garbling virus attempts to hide from anti-virus software by garbling its own code. When these viruses spread, they change the way their code is encoded so anti-virus software cannot find them. A small portion of the virus code decodes the garbled code when activated. See also: Self-encrypting Virus, Polymorphic Virus
Shared Drive
A disk drive available to other computers on the network. Shared drives use the Universal Naming Convention to differentiate themselves from other drives. See also: Mapped Drives, UNC
Shareware
Software distributed for evaluation without cost, but that requires payment to the author for full rights. If, after trying the software, you do not intend to use it, you simply delete it. Using unregistered shareware beyond the evaluation period is pirating.
Signature
The virus signature is an alphanumeric string (a set of letters and/or numbers) associated with a specific virus. Therefore this is the string that identifies the virus, as if it were an identity card. Anti-virus scanners use signatures to locate specific viruses. Also: Virus Signatures
Slow Infector
Slow infectors are active in memory and only infect new or modified files. See Also: Fast Infector
SMTP (Simple Mail Transfer Protocol)
This protocol is used to send e-mail messages. Additionally, it can also be used to connect incompatible servers. Other protocols such as POP are used to receive e-mail messages.
Sniffer
A software program that monitors network traffic. Hackers use sniffers to capture data transmitted via a network.
Sparse Infector
Sparse infector viruses use conditions before infecting files. Examples include files infected only on the 10th execution or files that have a maximum size of 128kb. These viruses use the conditions to infect less often and therefore avoid detection. Also: Sparse Virus
Spawning
A viral program that does not actually attach itself to another program, but which uses a similar name and the rules of program precedence to associate itself with the regular program. This kind of virus is also referred to as a Companion Virus.
Stealth Virus
Stealth viruses attempt to conceal their presence from anti-virus software. Many stealth viruses intercept disk-access requests, so when an anti-virus application tries to read files or boot sectors to find the virus, the virus feeds the program a "clean" image of the requested item. Other viruses hide the actual size of an infected file and display the size of the file before infection.

Stealth viruses must be running to exhibit their stealth qualities. Also: Interrupt Interceptors

String
A consecutive series of letters, numbers, and other characters. "afsH(*&@~" is a string; so is "The Mad Hatter". Anti-virus applications often use specific strings, called virus signatures, to detect viruses. See Also: Signature
System Boot Record
See: Boot Record
Template
Certain applications use template files to pre-load default configuration settings. Microsoft Word uses a template called NORMAL.DOT to store information about page setup, margins and other document information.
Threat Level
This is a method used to find out how dangerous a virus can be. This value is assigned to viruses bearing in mind a number of factors such as the following: the actions the virus carries out, how fast it spreads to other computers, the number of infections reported worldwide.
Time Bomb
A usually malicious action triggered at a specific date or time. See Also: Logic Bomb
Timestamp
The time of creation or last modification recorded on a file or another object. Users can usually find the timestamp in the Properties section of a file.
TOM (Top Of Memory)
A design limit at the 640kb-mark on most PCs. Often the boot record does not completely reach top of memory, thus leaving empty space. Boot sector infectors often try to conceal themselves by hiding around the top of memory. Checking the top of memory value for changes can help detect a virus, though there are also non-viral reasons this value changes.
Track
The concentric rings on a floppy or hard disk where data is written. Tracks are recorded onto a floppy disk during formatting. Disk storage is organized into tracks and sectors, which are pie-shaped slices. A combination of two or more sectors on a single track makes a cluster or block, the smallest unit used to store information.
Triggered Event
An action built into a virus set off by a specific condition. Examples include a message displayed on a specific date or reformatting a hard drive after the 10th execution of a program.
Trojan Horse Program (Trojan)
Trojans are not viruses as such, as they do not replicate to make copies of themselves. They are in fact programs that are installed on remote computers and produce no damage (at least not at first), although they may be accompanied by other damaging programs. Trojans are designed to open a back door on the victim machine, which makes it vulnerable to attack from a malicious user.

Among the actions that these programs can carry out the following can be highlighted: capturing screenshots, accessing confidential user information (passwords) which can be sent to remote computers at a later stage, opening security holes in order to make the computer vulnerable to attacks.

Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses. Also: Trojan

TSR (Terminate and Stay Resident)
TSR programs stay in memory after being executed. TSR programs allow the user to quickly switch back and forth between programs in a non-multitasking environment, such as MS-DOS. Some viruses are TSR programs that stay in memory to infect other files and programs. Also: Memory-resident Program
Tunneling
This is a technique specifically designed to prevent the correct use of the permanent (resident) antivirus protection installed on a computer. While the permanent antivirus protector works to detect the presence of viruses in the system, this type of virus works against it.

All file operations performed on the computer are analyzed by the antivirus by intercepting the actions the operating system carries out. However, if the virus intercepts these requests first, the antivirus will not detect the presence of the malicious code. Although it is a complex system, it consists of taking control over the system's interrupts. This way, the system's interrupt routines are avoided and the virus is therefore capable of using its own interrupt system.

Fortunately, antivirus techniques have been developed that permit the detection of viruses that use this technique.

UNC (Universal Naming Convention)
This is the standard for naming network drives. For example, a UNC directory path has the following form: \\server\resource-pathname\subfolder\filename
Updates
Good antivirus programs must keep updating their technology in order to be able to face the latest technology used by viruses. These programs must be ready to detect all new viruses appearing every day. To do this, antivirus programs incorporate an archive called the Virus Signature File. This archive contains all the signatures needed to detect viruses.

A good antivirus program must incorporate two kinds of updates:

  • Update (Virus Signature File). This feature updates the Virus Signature File (if this file is updated, the antivirus will detect all viruses in current circulation).
  • Upgrade. This feature updates the antivirus program as a whole, which means that all the new improvements will be incorporated into your antivirus. In addition, you will also get the latest Virus Signature File.

These are the reasons why it is so important to have an updated antivirus capable of detecting and removing the latest viruses from your computer.

URL (Universal Resource Locator)
Each computer has a number that identifies it on the Internet, in much the same way as an ID code or a passport number. In addition, these computers might contain a large number of portals or web pages. Each of these pages and each computer is accessible (over the Internet) through this number or address. For instance, an IP address might be the following: 168.40.25.12.

However, remembering these numbers would be quite complicated, particularly if we bear in mind that there are a large number of web pages on the Internet. The URL address solves this problem, as it replaces the numbers with a string of characters that are easy to remember. For instance: www.pandasoftware.com.

Vaccination
By means of this technique, the antivirus program stores information on files. Whenever it detects a difference between the information it has stored and the current file data, it will warn you of the situation. There are two types of vaccine:

  • Internal. The information is stored within the file itself, which means that when it is executed it automatically checks for any changes.
  • External. Information is stored in a specially created file, which the program uses to check against the original for possible changes.

Variant
A variant is a modified version of a virus. These modifications can range from simple changes in the text messages displayed by the virus, to changes in the lines of code. An example of this might be the I love you virus (also known as LoveLetter). Some of its variants include the following: LoveLetter.B, LoveLetter.C, LoveLetter.D, ...
VBS (Visual Basic Script)
Visual Basic Script is a programming language that can invoke any system function, including starting, using and shutting down other applications, without user knowledge. VBS programs can be embedded in HTML files and provide active content via the Internet. Since not all content is benign, users should be careful about changing security settings without understanding the implications. This file type has the extension VBS.

Virus
A computer program file capable of attaching to disks or other files and replicating itself repeatedly, typically without user knowledge or permission. Some viruses attach to files so when the infected file executes, the virus also executes. Other viruses sit in a computer's memory and infect files as the computer opens, modifies or creates the files.

Some viruses display symptoms, and some viruses damage files and computer systems, but neither symptoms nor damage is essential in the definition of a virus; a non-damaging virus is still a virus.

There are computer viruses written for several operating systems including DOS, Windows, Amiga, Macintosh, Atari, UNIX, and others. McAfee.com presently detects more than 57,000 viruses, Trojans, and other malicious software. (Note: The preferred plural is the English form: viruses)

See Also: Boot Sector Infector, File Viruses, Macro virus, Companion Virus, Worm

Virus Hoaxes
Hoaxes are not viruses, but are usually deliberate or unintentional e-messages warning people about a virus or other malicious software program. Some hoaxes cause as much trouble as viruses by causing massive amounts of unnecessary e-mail.

Most hoaxes contain one or more of the following characteristics:

  • Warnings about alleged new viruses and their damaging consequences,
  • Demands the reader forward the warning to as many people as possible,
  • Pseudo-technical "information" describing the virus,
  • Bogus comments from officials: FBI, software companies, news agencies, etc.

If you receive an e-mail message about a virus, check with a reputable source to ensure the warning is real. To learn about hoaxes and the damage they cause. Sometimes hoaxes start out as viruses and some viruses start as hoaxes, so both viruses and virus hoaxes should be considered a threat.

Virus Signature File