Glossary of Virus Terms

ActiveX controls are components that add dynamic and interactive features to Web pages. With ActiveX tools, multimedia effects, animation, and functional applications can be added to Web sites. HouseCall, Trend Micro's online virus scanner is an example of the application of ActiveX.

ActiveX controls are typically installed with user permission. However, security measures can be circumvented. In some instances, ActiveX components in Web pages are able to run automatically when the Web pages are opened. Visiting users are also sometimes tricked into accepting unwanted ActiveX controls. The unauthorized installation and execution of ActiveX controls can open opportunities for malicious code to install components or to make modifications on visiting systems.

Adware is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla. While not categorized as malware, many users consider adware invasive. Adware programs often create unwanted effects on a system, such as annoying popup ads and the general degradation in either network connection or system performance.

Adware programs are typically installed as separate programs that are bundled with certain free software. Many users inadvertently agree to installing adware by accepting the End User License Agreement (EULA) on the free software.

Adware is also often installed in tandem with spyware programs. The two feed off each other's functionality - spyware programs profile users' Internet behavior, while adware programs display targeted ads that correspond to the gathered user profiles.

Affected software in the Virus Encyclopedia refers to programs verified to contain a known vulnerability. Containing a specific vulnerability can mean that the program or the computer running it is susceptible to attacks designed to take advantage of the vulnerability. These attacks are commonly referred to as exploits.

The Computer Antivirus Research Organization (CARO) sets the standard for naming malware and other malicious code. However, antivirus vendors often have their own approaches to detection, which can result in different naming. Aliases on the Virus Encyclopedia indicate the other names used to refer to the same malware.

The term backdoor often refers to backdoor programs - applications that open computers for access by remote systems. These programs typically respond to specially-built client programs, but can be designed to respond to legitimate messaging applications. Many backdoor programs actually make use of the IRC backbone, receiving commands from common IRC chat clients via the IRC network.

Backdoor programs (detected by Trend Micro antivirus as BKDR_malwarename) typically cannot propagate on their own.

Boot sector viruses infect the boot sector or the partition table of a disk. Computer systems are typically infected by these viruses when started with infected floppy disks - the boot attempt does not have to be successful for the virus to infect the computer hard drive. Once a computer is infected, boot sector viruses usually attempt to infect every disk accessed on the infected system. In general, boot sector viruses can be successfully removed.

There are a few viruses that can infect the boot sector after executing as a program. They are known as multi-partite viruses and are relatively rare.

Browser Helper Objects (BHOs) are companion applications for Microsoft Internet Explorer. They usually come in the form of toolbars, search helpers, and monitoring applications. BHOs are commonly employed by adware and spyware programs to monitor user browsing habits and deliver targeted advertising. BHOs have also been used to steal information.

Compression reduces a file's size for processing, storage, and transmission. Malware authors typically use different compression types or algorithms to reduce a malware's size or hide the original digital structure of their malware. Some malware authors actually apply different compression algorithms on existing malware to produce variants and elude antivirus scanners.

This table displays the number of infected computers, by region, since detection first became available for this virus. See World Virus Tracking Center for additional information.

Cookies are text files that are created on computers when visiting Web sites. They contain information on user browsing habits. When a user returns to a Web site, a cookie provides information on the user's preferences and allows the site to display in customized formats and to show targeted content such as advertising. Cookies can collect user information that can then be obtained by another site or program.

The Damage Cleanup Template / Engine is the automated cleanup component of Trend Micro antivirus products. Trend Micro antivirus provides automated cleanup for all critical malware threats via this template and engine package, which is initiated upon malware detection. The Damage Cleanup Template / Engine can also be used as a standalone cleanup package.

A malware's damage potential rating may be high, medium, or low based on its inherent capacity to cause both direct and indirect damage to systems or networks. Certain malware are designed specifically to delete or corrupt files, causing direct damage. Denial of service (DoS) malware may also cause direct and intended damage by flooding specific targets. Mass-mailers and network worms usually cause indirect damage when they clog mail servers and network bandwidth, respectively.

High:
- System becomes unusable (e.g. flashing the BIOS, formatting the HDD)
- System data or files are unrecoverable (e.g. encryption of data)
- System cannot be automatically recovered using tools
- Recovery requires restoring from backup
- Causes large amounts of network traffic (packet flooders, mass-mailers)
- Data/files are compromised and sent to a third party (backdoor capabilities)

Medium:
- System/files can be recovered using Trend Micro products or cleaning tools
- Minor data/file modification (e.g. file infectors)
- Malware that writes a minimal amount of data to the disk
- Malware that kills applications in memory
- Causes a medium amount of network traffic (e.g. slow mailers)
- Automatically executes unknown programs
- Deletes security-related applications (e.g. antivirus, firewall)

Low:
- No system changes
- Deletion of less significant files in the system
- Changes can be recovered by users without using any tools
- Damage can be reversed just by restarting the system

Data Miners are applications that monitor, analyze, and collect specific information found in a database or volume of data from various sources. Data miners are not always used with malicious intent. Data mining programs allow companies to compile important client information, in order to enhance their services.

Data miners may be used by Web sites to monitor, analyze, and collect particular user activities on a computer to collect information that typically will be used for marketing purposes. Usually, data miners are uploaded to a computer to search for Web sites visited, products searched, and services used. The data is then sent back to be used for targeted advertising.

Data miners may be used maliciously and have been used to steal personal information like logon credentials and credit card numbers.

Indicates when a virus was first discovered (if known).

Denial of service (DoS) is a malware routine that interrupts or inhibits the normal flow of data into and out of a system. Most DoS attacks consume system resources, such that, in a short period of time, the target is rendered useless. A form of DoS attack is when a Web service (like a Web site or a download location) is accessed massively and repeatedly from different locations, preventing other systems from accessing the service and retrieving data from it. When a DoS attack is launched from different locations in coordinated fashion, it is often referred to as a distributed denial of service attack (DDoS).

This is a brief summary of a virus listed in the Trend Micro Virus Encyclopedia. For detailed technical information, click on the "Tech Details" tab. For virus infection statistics, click on the "Risk Statistics" tab.

A malware tagged destructive causes direct damage to files or computer systems, often resulting in the loss of important data. Routines such as corrupting or deleting important files and formatting the hard drive are considered destructive. A malware that consumes resources in a denial of service attack would also be tagged destructive.

Dialers, as the name implies, dial to predefined numbers to connect to certain sites. Many users run dialers without knowing that some of these programs actually dial long distance numbers or connect to pay-per-call sites; and that they are being charged for the calls. Dialers are often offered as programs for accessing adult sites.

Discovery date indicates the date when a sample for a hoax or joke program is first received by Trend Micro. For vulnerabilities, it is the date when the vulnerability is made public by security researchers or by the vendors of the affected software.

See Denial of service.

Distribution potential is derived from the characteristics of the malicious program. Fast-spreading network worms can spread across continents within just minutes. Some malicious programs also use numerous infection and spreading techniques – often referred to as blended threats or mixed threats. The Nimda virus, for example, was able to spread via email, network shares, infected Web sites, as well as Web traffic (http/port 80).

As new systems are made and improved with added functionality, proof-of-concept malware often follows. This uniqueness, as well as the widespread implementation of a particular operating system or software, also influences the potential distribution of each malware. Many viruses written in the past do not run or spread on newer operating systems or operating systems that have all the latest security patches installed.

High:
- Blended threats (i.e. spreads via email, P2P, IM, network shares)
- Mass mailers
- Spreads via network shares

Medium:
- Mailers
- Has spread via third-party or media
- Spreads in IRC, IM, or P2P
- Requires user intervention to spread
- URL/Web site download

Low:
- No network spreading
- Requires manual distribution to spread

Droppers are programs designed to extract other files from their own code. Typically, these programs extract several files into the computer to install a malicious program package. Droppers may have other functions apart from dropping files.

ELF (Executable and Linkable Format) is an executable file format for the Linux and Unix platforms. Trend Micro antivirus detects malicious executable code for Linux and UNIX as ELF_malwarename.

Encryption is the process of converting data into a form that could not be easily read without knowledge of the conversion mechanism (often called key).

Certain malware have the ability to encrypt their own physical copies so that they evade antivirus scanners trying to match them against physical signatures of available samples. More complex malware use variable encryption keys for each new copy, requiring more complex formula-based patterns from antivirus vendors.

An End User License Agreement or EULA is a legal contract between a software publisher and the software user. It typically outlines restrictions on the side of the user, who can refuse to enter into the agreement by not clicking "I accept" during installation. Clicking "I do not accept" will, of course, end the installation of the software product.

Many users inadvertently agree to the installation of spyware and adware into their computers when they click "I accept" on EULA prompts displayed during the installation of certain free software.

An exploit is code that takes advantage of a software vulnerability or security hole. Exploits are often incorporated into malware, which are consequently able to propagate into and run intricate routines on vulnerable computers.

File infecting viruses or file infectors generally copy their code onto executable programs such as .COM and .EXE files. Most file infectors simply replicate and spread, but some inadvertently damage host programs. There are also file infectors that overwrite host files. Some file infectors carry payloads that range from the highly destructive, such as hard drive formatting, to the benign, such as the display of messages.

Hacking tools are programs that generally crack or break computer and network security measures. Hacking tools have different capabilities depending on the systems they have been designed to penetrate. System administrators have been known to use similar tools - if not the same programs - to test security and identify possible avenues for intrusion.

Malware tagged in-the-wild on the Virus Encyclopedia are malware found to have infected real world computers. Infection monitoring is done using the Trend Micro World Virus Tracking Center. The Virus Encyclopedia tag may or may not reflect the list provided by www.wildlist.org.

Java applets allow Web developers to create interactive, dynamic Web pages with broader functionality. They are small, portable Java programs embedded in HTML pages and can run automatically when the pages are viewed. Malware authors have used Java applets as a vehicle for attack. Most Web browsers, however, can be configured so that these applets do not execute - sometimes by simply changing browser security settings to "high."

Joke programs are considered relatively harmless and are often designed to annoy or make fun of users. They do not infect files, cause damage, or spread to other systems.

Many joke programs are designed to cause unnecessary panic - especially those that cause computers to behave as if something has been damaged. Abnormal system behaviors caused by joke programs include the closing and opening of the CD-ROM tray and the display of numerous message boxes.

Keyloggers are programs that log keyboard activity. Certain malware employ these programs to gather user information. There are also legitimate keylogging programs that are used by corporations to monitor employees and by parents to monitor their children. Keyloggers usually catch and store all keyboard activity - leaving a person or another application to sort through the keystroke logs for valuable information like logon credentials and credit card numbers.

Kits are malware-generating applications that often provide users the option to create customized malware. Most kits can produce multiple variations of a malware. Many have been used to generate new variants of existing worms. Antivirus scanners should be capable of detecting kits and their spawn.

Language on the Virus Encyclopedia refers to the language of the malware's working platform, such as English or Chinese for Microsoft Windows.

During the late 1990s and early 2000, macro viruses were the most prevalent viruses. Unlike other virus types, macro viruses are not specific to an operating system and spread with ease via email attachments, floppy disks, Web downloads, file transfers, and cooperative applications.

Popular applications that support macros (such as Microsoft Word and Microsoft Excel) are the most common platforms for this type of virus. These viruses are written in Visual Basic and are relatively easy to create. Macro viruses infect at different points during a file's use, for example, when it is opened, saved, closed, or deleted.

A malware is a program that performs unexpected or unauthorized, often malicious, actions. It is a general term used to refer to both viruses and Trojans, which respectively include replicating and non-replicating malicious code.

Trend Micro issues advisories to inform users of newly discovered malware threats that are either already prevalent or will likely spread. Advisories may also cover proof-of-concept malware and old malware that have recently become newsworthy.  

The Malware Advisories tab on the Security Information page is a listing of current and significant malware threats with corresponding risk ratings, the dates when they are incorporated into the list, and the pattern files needed to detect them.

Malware-related hoaxes are warnings that contain incorrect information about malware or computer system events. These warnings often describe fantastical or impossible malware program characteristics meant to trick users into performing unwanted actions on their computers. Malware-related hoaxes typically reach users as email and often suggest that users forward them, resulting in a waste of time and bandwidth.

Memory-residency is the ability to stay in computer memory after execution and continuously run. This capability is generally expected of certain malware types, specifically backdoors, which stay in memory to await commands. Certain file infectors also stay in memory to infect files as they are opened, while some worms stay in memory to continually send email.

Programs that stay in memory are generally referred to as memory-resident. The files belonging to these running programs cannot be modified, deleted, or moved until the programs are terminated.

Multi-partite viruses have characteristics of both boot sector viruses and file infecting viruses.

NE refers to New Executable, which is the standard Windows 16-bit executable file format. Windows 16-bit viruses are detected by Trend products as NE_malwarename.

A network firewall protects a computer network from unauthorized access and is often considered the first line of defense in protecting a computer network against outside threats. On most configurations, data packets entering or leaving a network pass through a firewall, which examines each packet and drops those that do not meet specified criteria. Network firewalls may also be configured to limit how internal users connect externally.

Firewalls, in general, can be implemented as hardware, software, or a combination of both.

Topology refers to the shape of a network, or a network's layout, and can be either physical or logical. A network's topology determines how its nodes are connected and how they communicate. The five most common network topologies are Mesh, Star, Bus, Ring, and Tree.

A network virus is a self-contained program (or set of programs) that can spread copies of itself or its segments across networks, including the Internet. Propagation often takes place via shared resources, such as shared drives and folders, or other network ports and services. Network viruses are not limited to the usual form of files or email attachments, but can also be resident in a computer's memory space alone (often referred to as memory-only worms).

In many cases, network viruses exploit vulnerabilities in the operating system or other installed programs. Some existing network viruses have the ability to spread themselves via legitimate network ports, such as port 80 (HTTP), 1434 (SQL), or 135 (DCOM RPC).

Once a network virus infects a new system, it often searches for other potential targets. It achieves this by searching the network for other vulnerable systems. Once a new vulnerable system is found, the network virus will attempt to infect the other system as well.

Some network viruses also have payloads, such as denial of service (DoS) attacks. When such an attack is carried out, infected computers will attempt to overwhelm the target system until it is unable to function properly. Example: The MSBLAST virus carried out a denial of service attack against the URL windowsupdate.com.

The most notorious network viruses are CodeRed, Nimda, SQLSlammer, and MSBlast.

CodeRed spreads as a series of packets in system memory via network port 80 (http) by exploiting a vulnerability (MS01-033) in Microsoft IIS (Internet Information Service).

Nimda spreads via network port 80 (http) by exploiting a vulnerability (MS00-078) in Microsoft IIS (Internet Information Service). Nimda is considered a blended threat, since it also has the ability to spread itself across the network via shared drives and email attachments.

SQLSlammer spreads as a series of packets in system memory via UDP network port 1434 (SQL) by exploiting a vulnerability in Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE).

MSBlast spreads via network port 135 (DCOM RPC) by exploiting a vulnerability in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. It also uses several other network ports (UDP 69, TCP 4444) during its propagation.

A password is a character set used to control access to computer systems and files. The use of strong passwords can be critical to securing computer systems, as hackers and malware have been known to use relatively effective password cracking methods to break through password-protected systems.

Refer to the Safe Computing Guide (sorted by operating system) for tips on password security.

Password cracking applications are programs that are designed to crack through password-protected systems. Most password cracking applications use a long list of passwords and user names - accessing target systems using the list contents or combinations of the contents until successful.

Although password cracking is generally illicit, many system administrators regularly run password crackers to test passwords employed by network users.

The term payload refers to an action that a malware performs. On the Virus Encyclopedia, the payloads listed are all other significant actions performed by a malware apart from its main behavior. For example, the payloads of a worm would include all the actions it performs apart from its propagation routines.

Payloads can range from something that is relatively harmless, like displaying messages or ejecting the CD drive, to something destructive, like deleting the contents of a hard drive.

PE (Portable Executable) is the standard Win32 executable file format. File infectors that infect 32-bit Windows executables are detected by Trend Micro antivirus as PE_malwarename.

In the Virus Encyclopedia, the place of origin indicates where a virus is believed to have originated.

Platform on the Virus Encyclopedia indicates the computer operating systems or the applications on which a malware can run. The platform field lists all such operating systems and applications. However, a malware may behave differently across the specified platforms.

Polymorphic viruses are complex file infectors that change physical form, yet retain the same basic routines, after every infection. Such viruses typically encrypt their code during each infection, altering their physical file makeup by varying the encryption key every time.

This capability to change their physical makeup can allow polymorphic viruses to evade antivirus scanners, and can require antivirus products to use complex patterns and newer scan engines.
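The following script is an added example and is not Trend Micro's code or code taken from any malware. It illustrates the point made in the encryption and polymorphic-virus entries above: once each copy is encrypted under a different key, a fixed byte signature no longer matches, and the scanner must reverse the encryption (the "formula-based pattern") before matching. The "malware body" is a constructed, harmless ASCII string, the two keys are sample values, and single-byte XOR stands in for the real schemes.

```python
"""Why a fixed byte signature fails against variable-key encrypted copies.

Added example (not Trend Micro's code, not from any malware). PLAIN_BODY is
a constructed, harmless byte string standing in for a malware body; the
two XOR keys are sample values chosen for this example.
"""

# Constructed stand-in for a malware body: plain ASCII, nothing executable.
PLAIN_BODY = b"sample-body: opens a listening socket and waits for commands"

# A signature is simply a byte substring taken from the plain body.
SIGNATURE = b"listening socket"


def xor_bytes(data, key):
    """Encrypt or decrypt data with a single-byte XOR key (self-inverse)."""
    return bytes(b ^ key for b in data)


def plain_scan(data, signature=SIGNATURE):
    """Fixed-signature scan: True if the signature bytes appear verbatim."""
    return signature in data


def key_recovering_scan(data, signature=SIGNATURE):
    """Formula-based scan: try every single-byte key, decrypt, then match.

    Returns the key under which the signature appears, or None. Key 0 is
    the unencrypted case, so this subsumes plain_scan.
    """
    for key in range(256):
        if signature in xor_bytes(data, key):
            return key
    return None


def make_variants(body=PLAIN_BODY, keys=(0x2A, 0x9C)):
    """Two encrypted copies of the same body, each under a different key."""
    return [xor_bytes(body, k) for k in keys]


def shared_substrings(a, b, width=8):
    """Number of width-byte substrings that two byte strings have in common."""
    subs_a = {a[i:i + width] for i in range(len(a) - width + 1)}
    subs_b = {b[i:i + width] for i in range(len(b) - width + 1)}
    return len(subs_a & subs_b)


def demo():
    """Compare both scanners against the two encrypted variants."""
    variants = make_variants()
    return {
        # The two copies share no 8-byte substring: no common signature exists.
        "shared_8byte_substrings": shared_substrings(*variants),
        # The fixed signature misses both encrypted copies.
        "plain_hits": [plain_scan(v) for v in variants],
        # Decrypting under each candidate key recovers the key and the match.
        "recovered_keys": [key_recovering_scan(v) for v in variants],
    }


if __name__ == "__main__":
    print(demo())
```

The brute-force loop is affordable here only because the key space is 256 values; real formula-based patterns instead locate the virus's own decryption routine and use it to unpack the body, which is what keeps scan times bounded as schemes grow more complex.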

A port is basically a connection address specified to allow programs on different computers to communicate. This connection address is represented by a port number from 0 to 65536. Like legitimate programs, malware programs that connect to remote systems often use predefined ports. Some malware use random ports that are defined upon connection. System administrators and desktop users can increase system security by controlling the availability of certain ports.

Many ports used by malware and legitimate applications are assigned to specific protocols like HTTP, which uses port 80 by default. IANA maintains a list of port numbers and known uses.
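As an added example (not Trend Micro's code), the script below shows one way an administrator can act on the advice above about controlling which ports are available: it parses a `netstat -an`-style listing and reports every listening socket that is not on an approved baseline. The listing is constructed for this example rather than captured from a real host; the baseline uses the ports named on this page (80 for HTTP, 135 for DCOM RPC, 1434 for SQL), and the TCP 4444 and UDP 69 entries reproduce the ports the MSBlast entry on this page attributes to that worm.

```python
"""Flag listening ports that are not on an approved baseline.

Added example, not Trend Micro's code. SAMPLE_NETSTAT is a constructed
`netstat -an`-style listing (Windows layout) and ALLOWED_LISTENERS is a
hypothetical baseline for one host; both are sample values.
"""
import re
from dataclasses import dataclass

# Constructed netstat -an output: not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49321     203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:1434           *:*
"""

# Expected listeners for this hypothetical host, as (protocol, port) pairs.
ALLOWED_LISTENERS = {("TCP", 80), ("TCP", 135), ("UDP", 1434)}

# proto, local address:port, foreign address, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int


def parse_listeners(netstat_text):
    """Return the set of listening sockets in a netstat -an style dump.

    TCP sockets count only in LISTENING state; a bound UDP socket is
    reachable without any state, so every UDP line counts.
    """
    listeners = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or unrecognised line
        proto = m.group("proto")
        if proto == "TCP" and m.group("state") != "LISTENING":
            continue
        listeners.add(Listener(proto, m.group("addr"), int(m.group("port"))))
    return listeners


def unexpected_listeners(netstat_text, allowed=ALLOWED_LISTENERS):
    """Listeners present on the host but absent from the baseline, sorted."""
    found = parse_listeners(netstat_text)
    return sorted(
        (l for l in found if (l.proto, l.port) not in allowed),
        key=lambda l: (l.proto, l.port),
    )


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {l.proto} {l.address}:{l.port}")
```

Run against the constructed listing, the script reports TCP 4444 and UDP 69, the two sockets the baseline does not expect; the same check works on real `netstat -an` output piped in from a host whose baseline you have recorded.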

A proof-of-concept is the earliest implementation of an idea. A proof-of-concept malware usually contains code that runs on new platforms and programs or takes advantage of newly discovered vulnerabilities.

Proof-of-concept malware often perform actions that have never been done before. For example, VBS_BUBBLEBOY was a proof-of-concept worm - it was the first email worm to automatically execute without requiring recipients to double-click on an attachment. Most proof-of-concept malware are never seen in-the-wild. However, malware writers will often take the idea (and code) behind a proof-of-concept malware and implement it in future malware.

A proxy server is an Internet connection device. It accepts requests for Internet resources (such as when a Web browser opens a Web page) and serves them from its cache when it already holds a copy. If the resource is not in its cache, it requests the page from the actual site.

Apart from its caching function, a proxy server can control connection to specific sites and control the use of certain ports. The single point of contact also improves manageability of Internet connections for huge networks.

Some malware have been known to function as proxy servers on infected machines, allowing unauthorized computers to connect to the Internet via infected systems.

This table displays the relative rate of infection in each region. While the "number of computers infected" table reflects the larger numbers of Internet users in North America, Asia and Europe, the "rate of infection" is useful as an estimate of how quickly a virus is spreading in each region. An infection rate of 5%, for example, means that approximately 5 out of 100 computers are infected. Please note that these rates are based only on HouseCall users who have scanned their PC in the last 24 hours. See Trend Micro's Virus Map for additional information.

Also known as remote access tools or RATs, these programs allow users to access and manipulate remote systems. Many remote access programs are legitimate tools used by all types of users to access files and data on remote computers. The same programs, however, can be used for malicious purposes. Malicious individuals can trick unsuspecting users into installing remote access programs on their machines, or they may install these programs themselves.

Reported Infections, or real-time spread, is measured by reports coming in from the World Virus Tracking Center, as well as from Trend Micro business units around the world that are receiving threat reports and support inquiries in their areas. Reports from other antivirus industry vendors, and media attention, also contribute to this factor.

High - reports indicate that the virus has been seen all over the world and with numerous infections per site.

Medium - few reported incidents all over the world or numerous reports in certain regions.

Low - no, or very few, infections reported.

When a case is received, TrendLabs (Trend Micro's global network of antivirus research and product support centers) immediately evaluates the threat and assigns a risk rating of Low, Medium, or High. Several factors contribute to each risk rating.

Scams and shams include hoax email messages that promise material gain or even luck to recipients who forward them to others users. Some luck-based hoaxes, often called chain letters, play on people's fear of bad luck. Money-based hoaxes offer incredibly quick cash for simply forwarding a message. Certain popular email scams have actually tricked users into investing their own money in fruitless investments.

The scan engine is the core program used by Trend Micro antivirus products. It works with the latest virus pattern file to protect against all known malware threats. The latest scan engine naturally carries the most comprehensive protection capabilities, and users are advised to allow their products to update automatically to the latest scan engine or to update to it manually on a regular basis.

The minimum scan engine version specified in the Virus Encyclopedia refers to the lowest engine version tested with the specified pattern against the malware threat being described.

Script viruses are written in script programming languages, such as VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft's Windows Scripting Host to activate themselves and infect other files. Since Windows Scripting Host is available on Windows 98 and Windows 2000, the viruses can be activated simply by double-clicking the *.vbs or *.js file from Windows Explorer.

HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed from a script-enabled browser.

Indicates the size of the virus code in bytes. This number is sometimes used as part of the virus name to distinguish it from its variants.

Most viruses can be cleaned or removed from the infected host files by Trend Micro's antivirus software. Special removal instructions are provided for viruses or Trojans that modify the system registry and/or drop files. Generally, to remove Trojans or Joke programs, you just need to delete the program files - no cleaning action is needed. For a quick check-up of your PC, use HouseCall - Trend Micro's FREE on-line virus scanner. This will check for viruses which may already be on your PC.

To keep your computer healthy by catching viruses before they have a chance to infect your PC or network, get the best antivirus solution available today. Trend Micro offers antivirus and content security solutions for home users, corporate users, and ISPs.

A spyware is a program that monitors and gathers user information for different purposes. Spyware programs usually run in the background, with their activities transparent to most users. Many users inadvertently agree to installing spyware by accepting the End User License Agreement (EULA) on certain free software.

Many users consider spyware an invasive form of data gathering. Spyware may also cause a general degradation in both network connection and system performance.

The state of California classifies spyware as: programs that are installed under deceptive circumstances; software that hides in personal computers; software that secretly monitors user activity; keylogging software; and software that collects Web browsing histories.

A stealer is a Trojan that gathers information from a system. The most common form of stealers are those that gather logon information, like usernames and passwords, and then send the information to another system either via email or over a network. Other stealers, called key loggers, log user keystrokes which may reveal sensitive information.

The "technical details" section of the Virus Encyclopedia profile contains specific information about the actions performed by a virus on the host system. This information is provided to assist system administrators in identifying and removing viruses. Home users should use an automated tool like Trend Micro PC-cillin or Trend Micro's FREE online scanner – HouseCall – to detect and remove viruses from their computer.

This chart displays the number of computers infected within the last 24 hours (1d), last 7 days (7d), last year (1y), or since detection first became available (All). See World Virus Tracking Center for additional information.

This table displays the number of infected computers in each of the top 10 countries where this virus has been detected, since detection first became available. See World Virus Tracking Center for additional information.

This indicates the condition or date on which the virus payload will be executed. A condition may range from the presence of a file to an action performed by the user. The date could include year, month, day, week, day of the week, hour, minute, second, or any other possible combination of any measurement of time.

A Trojan is malware that performs unexpected or unauthorized, often malicious, actions. The main difference between a Trojan and a virus is the inability to replicate. Trojans cause damage, unexpected system behavior, and compromise the security of systems, but do not replicate. If it replicates, then it should be classified as a virus.

A Trojan, named after the Trojan horse of Greek mythology, typically comes in attractive packaging but carries hidden malicious intent within its code. When a Trojan is executed, users will likely experience unwanted system behavior, problems in operation, and sometimes loss of valuable data.

Urban legends are stories built around day-to-day things but given unusual twists in the form of unlikely facts that are difficult to verify. Designed to elicit an emotional response, the most popular urban legends are health and animal scares. Many urban legends are gaining popularity as they spread along with other email hoaxes.

The Virus Map is a tool for measuring virus infections around the world. All virus infection data comes from HouseCall, Trend Micro's free, online virus scanner for PCs. Trend Micro has been collecting real-time virus infection statistics since November 1999, therefore statistics for viruses discovered before this date are limited to the timeframe from November 1999 to the present. Visit the Virus Map at wtc.trendmicro.com.

The majority of viruses fall into five main classes:

A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments.