Enterprising I.T. Solutions




Virus Terminology




Virus infections are increasing at an alarming rate. Chances are that one or more of your computers either has a virus now or has had one in the last two years. If you are connected to the Internet, receive email, or have floppy drives or removable media devices, you are at risk. If your anti-virus software is not up to date, is not set up properly, or does not run a complete system scan at least weekly, you have probably already suffered a virus attack that you have not yet detected, or you will suffer one within the next 12-18 months.

It is not a question of if, but of when, where, how much damage it will cause, and how much it will cost your organization to contain, eliminate and recover from the virus. Organizations without proper data protection and backup may never fully recover.


How Viruses Work 

A computer virus is a piece of self-replicating code usually attached to another piece of code. This code can be harmless—for example, it might display a message or play a tune. Or it might be harmful and proceed to delete and modify files. 

The virus code searches the user's files for an uninfected executable program to which the user has write access. It infects the file by inserting a piece of its own code into the selected program file. When an infected program is executed, the virus takes control first, finding and infecting other programs and files, and then usually passes control to the original program so that nothing appears wrong.

Some viruses are memory resident. When a user runs an executable infected with this type of virus, the virus loads itself into memory and stays there even after the original program exits. Programs executed afterwards are infected until the computer is shut down or restarted. Some viruses also have a dormant phase and act only at certain times or when certain actions are performed.



Virus Terms & Definitions



ActiveX
ActiveX controls are software modules based on Microsoft's Component Object Model (COM) architecture. They add functionality to software applications by incorporating pre-made modules into the basic software package. Modules can be interchanged but still appear as parts of the original software.

On the Internet, ActiveX controls can be linked to Web pages and downloaded by an ActiveX-compliant browser. ActiveX controls turn Web pages into software pages that perform like any other program launched from a server. 

ActiveX controls run as native code with the full privileges of the user running the browser; there is no sandbox. In most instances this access is legitimate, but a malicious control can do anything that user can do, so be cautious about which controls you allow to install.

Anti-virus Software

Anti-virus software scans a computer's memory and disk drives for viruses. If it finds a virus, the application informs the user and may clean, delete or quarantine any files, directories or disks affected by the malicious code. Also: Anti-virus Scanner

Antivirus Virus

Antivirus viruses specifically look for and remove other viruses. They are still unauthorized self-replicating code, and anti-virus products treat them as malware.

Anti-antivirus Virus
Anti-antivirus viruses attack, disable or infect specific anti-virus software. Also: Retrovirus
Applet
Any miniature application transported over the Internet, especially as an enhancement to a Web page. Authors embed applets in the HTML page with a tag that references the compiled program, which the browser downloads and runs.

Java applets are usually only allowed to access certain areas of the user's system. Computer programmers often refer to this area as the sandbox.
Armored Virus
An armored virus tries to prevent analysts from examining its code. The virus may use various methods to make tracing, disassembling and reverse engineering its code more difficult.
Back Door
A feature programmers often build into programs to allow special privileges normally denied to users of the program. Often programmers build back doors so they can fix bugs. If hackers or others learn about a back door, the feature may pose a security risk. Also: Trapdoor.
Background Scanning
A feature in some anti-virus software to automatically scan files and documents as they are created, opened, closed or executed.
Bimodal virus
A bimodal virus infects both boot records and files. Also: Bipartite; See Also: Boot Sector Infector, File Virus, Multipartite
BIOS
Basic Input/Output System. Firmware, not part of the operating system, that runs when the computer is powered on: it initializes and tests the hardware, then loads and runs the boot sector of the first bootable disk.

The BIOS is located in the ROM (Read Only Memory) area of the system and is normally permanent.
Boot
To start (a cold boot) or reset (a warm boot) the computer so it is ready to run programs for the user. Booting the computer executes various programs to check and prepare the computer for use. See Also: Cold Boot, Warm Boot
Boot Record
The program recorded in the boot sector. This record contains information on the characteristics and contents of the disk and information needed to boot the computer. If a user boots a PC with a floppy disk, the system reads the boot record from that disk. See Also: Boot Sector
Boot Sector
An area located on the first track of floppy disks and logical disks that contains the boot record. "Boot sector" usually refers to this specific sector of a floppy disk, whereas "Master Boot Sector" usually refers to the same section of a hard disk. See Also: Master Boot Record
Boot Sector Infector
A boot sector infector virus places its starting code in the boot sector. When the computer reads and executes the program in the boot sector at start-up, the virus goes into memory, where it can gain control over basic computer operations. From memory, a boot sector infector can spread to other drives (floppy, network, etc.) on the system. Once the virus is running, it usually executes the normal boot program, which it has stored elsewhere on the disk, so the machine appears to start normally; on a hard disk it usually leaves the partition table intact, since it needs the disk to keep booting. Also: Boot Virus, Boot Sector Virus, BSI.
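Added example, not part of the original page: a Python parser for the 512-byte boot sector of a hard disk (the Master Boot Record: 446 bytes of boot code, a 64-byte partition table, and the 0x55AA signature) with a baseline check of the boot code, which is how a boot sector infector is spotted when the partition table and signature still look intact. The sample sectors, including the "infected" one, are constructed byte strings, not images of a real disk, and the clean-baseline hash is assumed to have been recorded while the disk was known good.

```python
"""Parse a 512-byte Master Boot Record and compare its boot code to a
known-good baseline.  Sample sectors are constructed, not real disk images."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIG_OFF = 510                # 0x55 0xAA at bytes 510..511
PART_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

# Constructed stand-in for a normal boot loader's first instructions (cli; xor ax,ax; ...).
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c8bf45007501ffbfcbf0006b90001f2a5ea1d060000")
# Constructed stand-in for an infector's stub: a short jump plus a marker, then the rest.
INFECTED_BOOT_CODE = bytes.fromhex("eb3c90") + b"SAMPLE-BSI-STUB" + CLEAN_BOOT_CODE[3:]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a sector: boot code, one bootable FAT16 partition, signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(PART_FMT, 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x0f", 63, 1048512)
    table = entry + b"\x00" * 48            # remaining three entries empty
    return code + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, boot-code hash and the non-empty partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature = struct.unpack_from("<H", sector, SIG_OFF)[0]   # little-endian: 0xAA55
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"signature_ok": signature == 0xAA55,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_boot_code(sector: bytes, known_good_sha256: str) -> str:
    """'clean', 'modified' or 'bad-signature'.  A valid signature and an intact
    partition table are not evidence of a clean sector; only the hash is."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "bad-signature"
    return "clean" if info["boot_code_sha256"] == known_good_sha256 else "modified"


CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
INFECTED_MBR = build_sample_mbr(INFECTED_BOOT_CODE)
# Assumed to have been recorded while the disk was known clean (e.g. on a rescue disk).
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(label, check_boot_code(sector, BASELINE), parse_mbr(sector)["partitions"])
```

Both sectors parse to the same partition table and both carry a valid 0x55AA signature; only the boot-code hash separates them. On a real machine the 512 bytes come from the first sector of the physical disk, read from a clean boot so that a stealth virus cannot serve a "clean" image of the sector.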
Bug
An unintentional fault in a program that causes actions neither the user nor the program author intended.
Cluster Virus
Cluster viruses modify the directory table entries so the virus starts before any other program. The virus code only exists in one location, but running any program runs the virus as well. Because they modify the directory, cluster viruses may appear to infect every program on a disk. Also: File System Virus
Cold Boot
To start the computer by cycling the power. A cold boot using a rescue disk (a clean floppy disk with boot instructions and virus scanning capabilities) is often necessary to clean or remove boot sector infectors. See Also: Boot, Warm Boot
Companion Virus
Companion viruses use a feature of DOS: when a command is typed without an extension, COMMAND.COM looks for a COM file first, then an EXE, then a BAT. Most companion viruses create a COM file, which takes precedence over an EXE file with the same name.

Thus, a virus that finds PROGRAM.EXE on a system creates a file called PROGRAM.COM. When the user runs PROGRAM from the command line, the virus (PROGRAM.COM) runs instead of the real PROGRAM.EXE. Often the virus then executes the original program so the system appears normal. Because the host file is never modified, a checksum of PROGRAM.EXE stays valid; the tell-tale sign is a small, unexpected COM file beside an EXE of the same name, often with the hidden attribute set.
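The lookup order and the companion check above, as an added example (not code from the original page): a Python model of how COMMAND.COM resolves a bare command name, plus a check that flags a COM file shadowing an EXE in the same directory. The directory listing is constructed for the example, and the 4096-byte size threshold is an assumed heuristic, not a DOS rule.

```python
"""Model DOS bare-name command resolution and flag companion-virus candidates.
The listing is constructed; the size threshold is an assumption."""
import os
from collections import defaultdict

# COMMAND.COM tries these extensions, in this order, for a name typed without one.
DOS_SEARCH_ORDER = (".COM", ".EXE", ".BAT")

# Constructed listing of (filename, size in bytes), not taken from a real machine.
SAMPLE_DIR = [
    ("PROGRAM.EXE", 48212),
    ("PROGRAM.COM", 1331),     # tiny COM shadowing a large EXE: the companion pattern
    ("EDIT.COM", 69886),       # ordinary standalone COM program, no EXE twin
    ("SETUP.EXE", 120004),
    ("FORMAT.COM", 22974),
    ("INSTALL.BAT", 512),
    ("INSTALL.EXE", 91400),    # BAT does not shadow EXE: EXE wins the lookup
]


def resolve_command(name, listing):
    """Return the file DOS would execute for a bare command name, or None."""
    present = {fname.upper() for fname, _ in listing}
    for ext in DOS_SEARCH_ORDER:
        candidate = name.upper() + ext
        if candidate in present:
            return candidate
    return None


def find_companions(listing, max_com_size=4096):
    """Base names where a COM file shadows an EXE of the same name.
    Each hit is (base, com_size, suspicious): 'suspicious' marks a COM small
    enough to be a stub that runs a payload and then chains to the EXE."""
    by_base = defaultdict(dict)
    for fname, size in listing:
        base, ext = os.path.splitext(fname.upper())
        by_base[base][ext] = size
    hits = []
    for base, exts in sorted(by_base.items()):
        if ".COM" in exts and ".EXE" in exts:
            hits.append((base, exts[".COM"], exts[".COM"] <= max_com_size))
    return hits


def scan_directory(path, max_com_size=4096):
    """Run the same check against a real directory on disk."""
    listing = [(entry.name, entry.stat().st_size)
               for entry in os.scandir(path) if entry.is_file()]
    return find_companions(listing, max_com_size)


if __name__ == "__main__":
    print(resolve_command("PROGRAM", SAMPLE_DIR))   # the companion wins
    print(find_companions(SAMPLE_DIR))
```

A legitimate program can ship both a COM and an EXE of the same name, so a hit is a lead to inspect (compare the COM against the vendor's distribution, check its attributes and date), not proof of infection.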
Direct Action Virus
A direct action virus works immediately to load itself into memory, infect other files, and then to unload itself.
Encrypted Virus
An encrypted virus's code begins with a decryption routine, followed by the rest of the virus in encrypted (scrambled) form. Each time it infects, it re-encrypts its body with a different key, so the encrypted bytes are never the same from one copy to the next; only the decryption routine stays constant, and that routine is what anti-virus software signs. Through this method the virus tries to avoid detection.
FAT
File Allocation Table. Under MS-DOS, Windows 3.x, 9x and (in some cases) NT, the FAT is a table stored at the start of the disk, just after the boot sector, that records which clusters each file occupies. Viruses and other malicious programs, as well as normal use and wear and tear, can damage the FAT. If the FAT is damaged or corrupt, the operating system may be unable to locate files on the disk.
File viruses
File viruses usually replace or attach themselves to COM and EXE files. They can also infect files with the extensions SYS, DRV, BIN, OVL and OVY.
File viruses may be resident or non-resident, the most common being resident or TSR (terminate-and-stay-resident) viruses. Many non-resident viruses simply infect one or more files whenever an infected file runs.
Also: Parasitic Virus, File Infector, File Infecting Virus




In The Wild
A virus is "in the wild" if it is verified as having caused an infection outside a laboratory situation. Most viruses are in the wild and differ only in prevalence. Also: ITW; See Also: Zoo Virus
JavaScript
JavaScript is a scripting language that can run wherever there is a suitable interpreter, such as a Web browser, a Web server, or the Windows Scripting Host. The environment that runs the script determines how much of the host machine it can reach:
    A Web page with JavaScript runs inside the Web browser in much the same way as a Java applet and is confined to the browser's sandbox; it cannot read the local file system or registry directly.
    An Active Server Page (ASP) or a Windows Scripting Host (WSH) script containing JavaScript is potentially hazardous, since these environments give scripts the same unrestricted access to machine resources (file system, registry, etc.) and application objects as the user who runs them.
Macro Virus
A macro virus is a malicious macro. Macro viruses are written in a macro programming language (such as Visual Basic for Applications) and attach to a document file (such as a Word or Excel document). When a document or template containing the macro virus is opened in the target application, the virus runs, does its damage and copies itself into other documents, typically by infecting the application's global template so that every document opened afterwards picks it up. Continued use of the program spreads the virus.
Memory-resident Virus
A memory-resident virus stays in memory after it executes and infects other files when certain conditions are met. In contrast, non-memory-resident viruses are active only while an infected application runs.
Multipartite Virus
Multipartite viruses use a combination of techniques including infecting documents, executables and boot sectors to infect computers. Most multipartite viruses first become resident in memory and then infect the boot sector of the hard drive. Once in memory, multipartite viruses may infect the entire system. 

Removing multipartite viruses requires cleaning both the boot sectors and any infected files. Before you attempt the repair, you must have a clean, write-protected Rescue Disk.

NTFS
NT File System; the Windows NT file system used to organize and keep track of files. See Also: FAT
Operating System - OS
The operating system is the underlying software that lets you interact with the computer. It controls the computer's storage, communications and task management functions. Examples of common operating systems include MS-DOS, MacOS, Linux and Windows 98. Also: OS
Polymorphic viruses
Polymorphic viruses create varied (though fully functional) copies of themselves to avoid detection by anti-virus software. Some polymorphic viruses use different encryption schemes that require different decryption routines, so the same virus may look completely different on different systems or even in different files. Others vary instruction sequences and insert junk instructions to thwart signature matching. The most advanced polymorphic viruses use a mutation engine and random-number generators to change both the virus code and its decryption routine on every infection, so there is no constant byte sequence to sign; scanners detect them by emulating the decryptor until the body is exposed, or by other behaviour-based means. See Also: Mutating Virus, Encrypted Virus
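The Encrypted Virus and Polymorphic Virus entries above, as one added example that is not code from the original page: a Python simulation in which a marker string stands in for the virus body, a single-byte XOR stands in for the virus's cipher, and three made-up byte sequences stand in for equivalent decryptor stubs. It shows why a fixed signature on the body never matches, why a signature on the stub matches only the non-polymorphic variant, and why a scanner that undoes the cipher before matching (here by trying all 256 keys, the "x-ray" approach for weak ciphers; a real engine would emulate the decryptor) catches every copy.

```python
"""Why fixed byte signatures fail against encrypted and polymorphic viruses,
and why scanners decrypt (or emulate) before matching.  The 'virus' is a
harmless marker string and the stubs are made-up bytes; nothing here runs."""

# Constructed stand-in for the virus body a signature would normally target.
VIRUS_BODY = b"SAMPLE-VIRUS-BODY: find host, append self, patch entry point, run host"
SIGNATURE = VIRUS_BODY[:16]

# Constructed decryptor variants.  An encrypted virus uses one fixed stub; a
# polymorphic virus picks a different (functionally equivalent) stub per copy.
STUB_VARIANTS = [
    bytes.fromhex("b94600" "8bf7" "3004" "46" "e2fb"),          # mov cx; mov si; xor loop
    bytes.fromhex("90" "b94600" "90" "8bf7" "3004" "46" "e2fa"),  # same, with junk nops
    bytes.fromhex("8bf7" "b94600" "3004" "46" "e2fb"),          # instructions reordered
]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_copy(key: int, polymorphic: bool) -> bytes:
    """One infection: [decryptor stub][1-byte key][body XOR key]."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    stub = STUB_VARIANTS[key % len(STUB_VARIANTS)] if polymorphic else STUB_VARIANTS[0]
    return stub + bytes([key]) + xor_bytes(VIRUS_BODY, key)


def scan_signature(sample: bytes, signature: bytes) -> bool:
    """Plain pattern scanner: matches only if the bytes appear verbatim."""
    return signature in sample


def scan_xray(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scanner that undoes the cipher: try every single-byte XOR key and look
    for the plaintext signature.  A real engine emulates arbitrary stubs."""
    return any(signature in xor_bytes(sample, k) for k in range(256))


def experiment(n: int = 12, polymorphic: bool = True) -> dict:
    """Infect n times with keys 1..n and count what each scanner catches."""
    copies = [make_copy(k, polymorphic) for k in range(1, n + 1)]
    return {
        "copies": n,
        "distinct_copies": len(set(copies)),
        "body_signature_hits": sum(scan_signature(c, SIGNATURE) for c in copies),
        "stub_signature_hits": sum(scan_signature(c, STUB_VARIANTS[0]) for c in copies),
        "xray_hits": sum(scan_xray(c) for c in copies),
    }


if __name__ == "__main__":
    print("encrypted  ", experiment(polymorphic=False))
    print("polymorphic", experiment(polymorphic=True))
```

With a fixed stub every copy is caught by signing the stub, which is exactly what the Encrypted Virus entry describes; once the stub varies too, only the scanner that reverses the cipher keeps a 100% hit rate. The x-ray shortcut works here because a one-byte XOR has only 256 keys; against a real mutation engine the scanner has to emulate the decryptor instead.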
Resident Virus
A resident virus loads into memory and remains inactive until a trigger event. When the event occurs the virus activates, either infecting a file or disk, or causing other consequences. All boot viruses are resident viruses and so are the most common file viruses.
Retrovirus
A computer virus that actively attacks an anti-virus program or programs in an effort to prevent detection. See Also: Anti-antivirus Virus
Stealth Virus
Stealth viruses attempt to conceal their presence from anti-virus software. Many stealth viruses intercept disk-access requests, so when an anti-virus application tries to read files or boot sectors to find the virus, the virus feeds the program a "clean" image of the requested item. Other viruses hide the actual size of an infected file and display the size of the file before infection. 
Stealth viruses must be running to exhibit their stealth qualities. Also: Interrupt Interceptors
Trojan Horse Program
A Trojan horse program is a malicious program that pretends to be a benign application; a Trojan horse program purposefully does something the user does not expect. Trojans are not viruses since they do not replicate, but Trojan horse programs can be just as destructive. 
Many people use the term to refer only to non-replicating malicious programs, thus making a distinction between Trojans and viruses. Also: Trojan
TSR
Terminate and Stay Resident. TSR programs stay in memory after being executed. They allow the user to switch quickly between programs in a non-multitasking environment such as MS-DOS. Some viruses are TSR programs that stay in memory to infect other files and programs. Also: Memory-resident Program
Variant
A modified version of a virus, usually produced deliberately by the virus author or by someone else amending the virus code. If the changes are small, most anti-virus products will also detect the variant; if the changes are large, the variant may go undetected until a new signature is released.
VBS
Visual Basic Script (VBScript). A scripting language that, when run by the Windows Scripting Host, can invoke any system function, including starting, using and shutting down other applications without the user's knowledge. VBS programs can be embedded in HTML files to provide active content via the Internet, and a VBS file received as an email attachment runs as soon as it is opened. Since not all such content is benign, users should be careful about changing security settings without understanding the implications. This file type has the extension VBS.
Virus
A computer program file capable of attaching to disks or other files and replicating itself repeatedly, typically without the user's knowledge or permission. Some viruses attach to files so that when the infected file executes, the virus also executes. Other viruses sit in a computer's memory and infect files as the computer opens, modifies or creates them.
Some viruses display symptoms, and some viruses damage files and computer systems, but neither symptoms nor damage is essential in the definition of a virus; a non-damaging virus is still a virus.

There are computer viruses written for several operating systems, including DOS, Windows, Amiga, Macintosh, Atari, UNIX and others. McAfee.com presently detects more than 57,000 viruses, Trojans, and other malicious software. (Note: the preferred plural is the English form: viruses.)

See Also: Boot Sector Infector, File Viruses, Macro Virus, Companion Virus, Worm

Worm
Worms are self-replicating programs that, unlike viruses, do not infect other program files: a worm is a stand-alone program. Worms can create copies on the same computer or send copies to other computers over a network. Worms often spread via email and IRC (Internet Relay Chat).
Zoo
A collection of viruses used for testing by researchers. See Also: In The Wild, Zoo Virus
Zoo Virus
A zoo virus exists in the collections of researchers and has never infected a real world computer system. See Also: In The Wild


Virus Detection and Prevention Tips 

  1. Do not open any files attached to an email from an unknown, suspicious or untrustworthy source. 

  2. Do not open any file attached to an email unless you know what it is, even if it appears to come from a friend or someone you know. Some viruses spread themselves by email using the address book of the infected machine, so a familiar sender name proves nothing. Better safe than sorry: confirm that they really sent it.

  3. Do not open any file attached to an email if the subject line is questionable or unexpected. If you must open it, save the file to your hard drive first and scan it with your anti-virus software before doing so.

  4. Delete chain emails and junk email. Do not forward or reply to any of them. These types of email are considered spam: unsolicited, intrusive mail that clogs up the network.

  5. Do not download any files from strangers.

  6. Exercise caution when downloading files from the Internet. Ensure that the source is a legitimate and reputable one. Verify that an anti-virus program checks the files on the download site. If you're uncertain, don't download the file at all or download the file to a floppy and test it with your own anti-virus software.

  7. Update your anti-virus software regularly. Over 500 new viruses are discovered each month, so you will want to stay protected. At a minimum, update the product's virus signature files; you may also need to update the product's scanning engine.

  8. Back up your files on a regular basis. If a virus destroys your files, at least you can replace them with your back-up copy. You should store your backup copy in a separate location from your work files, one that is preferably not on your computer.

  9. When in doubt, always err on the side of caution and do not open, download, or execute any files or email attachments. Not executing is the most important of these. Check with your product vendors for updates, including those for your operating system, Web browser, and email client. One example is the security section of Microsoft's site at http://www.microsoft.com/security.

  10. If you are in doubt about any potential virus-related situation you find yourself in, you may report a virus to our virus team.
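Tips 1 to 3 above, and the VBS entry, as an added example that is not part of the original page: a Python script that lists the attachments of a message and flags the ones a Windows client would run as code, including the "photo.jpg.vbs" double-extension trick and an attachment whose declared content type does not match its executable name. The message is constructed inside the script, and the extension list is an assumption based on common Windows file types, not an exhaustive policy.

```python
"""Triage e-mail attachments: list them, flag the ones that run as code.
The message is constructed here; the extension list is an assumed set."""
import email
from email import policy
from email.message import EmailMessage

# Extensions a Windows client of the era executes on double-click.  Assumed list.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "wsh", "wsf", "hta", "reg", "lnk"}


def build_sample_message() -> bytes:
    """Constructed message with one harmless and two dangerous attachments."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Fwd: pictures from the weekend"
    msg.set_content("Check these out!")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="itinerary.pdf")
    msg.add_attachment(b"MsgBox 1", maintype="image", subtype="jpeg",
                       filename="photo.jpg.vbs")          # declared as an image
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


def classify(filename: str, content_type: str) -> list:
    """Return the reasons an attachment should not be opened (empty = none found)."""
    reasons = []
    name = filename.lower().strip()
    pieces = name.split(".")
    ext = pieces[-1] if len(pieces) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + ext)
        if len(pieces) > 2 and pieces[-2] not in EXECUTABLE_EXTS:
            reasons.append("double extension: looks like ." + pieces[-2])
        if content_type.split("/")[0] in ("image", "text", "audio", "video"):
            reasons.append("declared %s but named as a program" % content_type)
    if "  " in name:
        reasons.append("padded name may hide its real extension")
    return reasons


def triage(raw: bytes) -> list:
    """List (filename, reasons) for every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results.append((name, classify(name, part.get_content_type())))
    return results


def blocked(raw: bytes) -> list:
    """Filenames that fail triage; the sender's identity plays no part (tip 2)."""
    return [name for name, reasons in triage(raw) if reasons]


if __name__ == "__main__":
    for name, reasons in triage(build_sample_message()):
        print(name, "->", reasons or "ok")
```

The check deliberately ignores the From header: the tips' point is that a familiar sender proves nothing, so the decision rests on what the attachment is, not on who appears to have sent it. Anything the script does not flag still goes through the anti-virus scanner before it is opened.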