Virus Glossary

Glossary of Virus Terms

ActiveX malicious code

Aliases
Backdoor
Boot sector viruses
Computers infected...
Date of origin
Description
Destructive viruses
ELF
Encrypted viruses
File infecting viruses
In-the-Wild virus list
Java malicious code
Joke programs
Language
Malware
Macro virus
NE
Password
Payload
PE
Place of origin
Platform
Proof of concept
Rate of infection
Risk rating
Size
Script viruses
Solution
Time period
Trigger condition/date
Trojan

ActiveX malicious code

ActiveX controls allow Web developers to create interactive, dynamic Web pages with broader
functionality. An ActiveX control is a component object embedded in a Web page which runs
automatically when the page is viewed. In many cases, the Web browser can be configured so
that these ActiveX controls do not execute by changing the browser's security settings to "high."
However, hackers, virus writers, and others who wish to cause mischief or worse may use
ActiveX malicious code as a vehicle to attack the system. To remove malicious ActiveX controls,
you just need to delete them.

Aliases
There is no commonly accepted industry standard for naming viruses and malicious mobile code.
Each may be known by several different names or aliases.

Backdoor
A Backdoor is a program that opens secret access to systems, and is often used to bypass
system security. A Backdoor program does not infect other host files, but nearly all Backdoor
programs make registry modifications. For detailed removal instructions please view the virus
description.

Boot sector viruses

Boot sector viruses infect the boot sector or partition table of a disk. Computer systems are most
likely to be attacked by boot sector viruses when you boot the system with an infected disk from
the floppy drive - the boot attempt does not have to be successful for the virus to infect the hard
drive. Also, there are a few viruses that can infect the boot sector from executable programs-
these are known as multi-partite viruses and they are relatively rare. Once the system is infected,
the boot sector virus will attempt to infect every disk that is accessed by that computer. In
general, boot sector viruses can be successfully removed.

Computers infected since (date)

This table displays the number of infected computers, by region, since detection first became
available for this virus. See World Virus Tracking Center for additional information.

Date of origin
Indicates when a virus was first discovered (if known).

Destructive viruses
In addition to self-replication, computer viruses may have a routine that can deliver the virus
payload. A virus is defined as destructive if its payload does some damage to your system, such
as corrupting or deleting files, formatting your hard drive, and committing denial-of-service attacks
etc.

ELF
ELF refers to Executable and Link Format, which is the well-documented and available file format
for Linux/UNIX executables

Encrypted viruses
Indicates that the virus code contains a special routine that encrypts the virus body to evade
detection by antivirus software.

File infecting viruses

File infecting viruses infect executable programs (generally, files that have extensions of .com or
.exe). Most such viruses simply try to replicate and spread by infecting other host programs - but
some inadvertently destroy the program they infect by overwriting some of the original code.
There is a minority of these viruses that are very destructive and attempt to format the hard drive
at a pre-determined time or perform some other malicious action. In many cases, a file-infecting
virus can be successfully removed from the infected file. If the virus has overwritten part of the
program's code, the original file will be unrecoverable.

In-the-Wild virus list

The In-the-Wild virus list is a list of the most common viruses that have been found infecting
users' computers worldwide. The list is compiled by the renowned antivirus researcher Joe Wells.
Wells updates the list regularly, working closely with antivirus research teams around the world.
When ICSA (International Computer Security Association) conducts virus testing of antivirus
products, the In-the-Wild virus list serves as the basis for its comparative analysis. More info:
http://www.wildlist.org

Java malicious code

Java applets allow Web developers to create interactive, dynamic Web pages with broader
functionality. Java applets are small, portable Java programs embedded in HTML pages. They
can run automatically when the pages are viewed. However, hackers, virus writers, and others
who wish to cause mischief may use Java malicious code as a vehicle to attack the system. In
many cases, the Web browser can be configured so that these applets do not execute by
changing the browser's security settings to "high."

Joke programs
Joke programs are ordinary executable programs. They are added to the detection list because
they are found to be very annoying and/or they contain pornographic images. Joke programs
cannot spread unless someone deliberately distributes them. To get rid of a Joke program, delete
the file from your system.

Language
This refers to the language locale of the virus working platform such as MS Word in English or
Chinese.

Malware
Malware is a general term used to refer to any unexpected or malicious programs or mobile
codes such as viruses, Trojan, worm, or Joke programs.

Macro virus
Macro viruses are viruses that use another application's macro programming language to
distribute themselves. They infect documents such as MS Word or MS Excel. Unlike other
viruses, macro viruses do not infect programs or boot sectors - although a few do drop programs
on the user's hard drive. The dropped files may infect executable programs or boot sectors.
Macro viruses can be removed safely from the infected document using antivirus products.

Special note: Occasionally, you may get an "illegal operation" error when you try to start MS Word
after cleaning a Word macro virus. If this happens, search for the file "normal.dot" and rename it
to "normaldot.bak." MS Word will generate a new, clean "normal.dot" the next time it is started.
This problem occurs because some viruses can leave harmless code residue that MS Word may
be reading incorrectly, causing erratic behavior.

NE
NE refers to New Executable, which is the standard Windows 16-bit executable file format.
Windows 16-bit viruses are detected as "NE_Virusname."

Password
Some viruses set a password when they infect a document. The main objective of the virus here
is to make the document inaccessible. This password can be a word, phrase, or even a randomly
generated number.

Payload
A virus' payload is an action it performs on the infected computer. This can be something
relatively harmless like showing messages or ejecting the CD drive, or something destructive like
deleting the entire hard drive.

PE
PE refers to Portable Executable, which is the standard Win32 executable file format. Windows
32-bit viruses are detected "PE_Virusname."

Place of origin
Indicates where a virus is believed to have originated (if known).
Platform
Indicates the computer operating system or application on which a virus can run and perform an
infection. Generally, a particular operating system is required for executable viruses and a
specific application is needed for macro viruses.

Proof of Concept
A proof of concept virus or Trojan indicates that something is new or that it has never seen
before. For example, VBS_Bubbleboy was a proof of concept worm, as it was the first email
worm to automatically execute without requiring a user to double-click on an attachment. Most
proof of concept viruses are never seen in-the-wild. However, virus writers will often take the idea
(and code) from a proof of concept virus and implement it in future viruses.

Rate of infection
This table displays the relative rate of infection in each region. While the "number of computers
infected" table reflects the larger numbers of Internet users in North America, Asia and Europe,
the "rate of infection" is useful as an estimate of how quickly a virus is spreading in each region.
An infection rate of 5%, for example, means that approximately 5 out of 100 computers are
infected.

Risk rating
The risk rating of a virus is an assessment of the threat posed by a virus. It is based on a number
of different factors including, but not limited to, potential to spread, destructiveness of the
payload, and actual number of cases reported etc.

Size of macro/malicious code/virus

Indicates the size of the virus code in bytes. This number is sometimes used as part of the virus
name to distinguish it from its variants.

Script viruses (VBScript, JavaScript, HTML)

Script viruses are written in script programming languages, such as VBScript and JavaScript.
VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft's Windows Scripting
Host to activate themselves and infect other files. Since Windows Scripting Host is available on
Windows 98 and Windows 2000, the viruses can be activated simply by double-clicking the *.vbs
or *.js file from Windows Explorer.

HTML viruses use the scripts embedded in HTML files to do their damage. These embedded
scripts automatically execute the moment the HTML page is viewed from a script-enabled
browser.

Solution
Most viruses can be cleaned or removed from the infected host files. Special removal instructions
are provided for viruses or Trojans that modify the system registry and/or drop files. Generally, to
remove Trojans or Joke programs, you just need to delete the program files - no cleaning action
is needed.

To keep your computer healthy by catching viruses before they have a chance to infect your PC
or network, get the best antivirus solution available today.

Time period
This chart displays the number of computers infected within the last 24 hours (1d), last 7 days
(7d), last year (1y), or since detection first became available (All).

Trigger condition or date

This is to indicate the condition or date on which the virus' payload will be triggered. Please note
that date-activated viruses may infect your computer 365 days a year. Your computer may be
infected by these viruses prior to the date specified.

Trojan
A Trojan horse is a program that performs some unexpected or unauthorized, usually malicious,
actions such as displaying messages, erasing files or formatting a disk. A Trojan horse doesn't
infect other host files, thus cleaning is not necessary. To get rid of a Trojan, simply delete the
program.