ActiveX controls are components that add dynamic and interactive features to Web pages. With ActiveX tools, multimedia effects, animation, and functional applications can be added to Web sites. HouseCall, Trend Micro's online virus scanner is an example of the application of ActiveX.

ActiveX controls are typically installed with user permission. However, security measures can be circumvented. In some instances, ActiveX components in Web pages are able to run automatically when the Web pages are opened. Visiting users are also sometimes tricked into accepting unwanted ActiveX controls. The unauthorized installation and execution of ActiveX controls can open opportunities for malicious code to install components or to make modifications on visiting systems.

Adware is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla. While not categorized as malware, many users consider adware invasive. Adware programs often create unwanted effects on a system, such as annoying popup ads and the general degradation in either network connection or system performance.

Adware programs are typically installed as separate programs that are bundled with certain free software. Many users inadvertently agree to installing adware by accepting the End User License Agreement (EULA) on the free software.

Adware are also often installed in tandem with spyware programs. Both programs feed off of each other's functionalities - spyware programs profile users' Internet behavior, while adware programs display targeted ads that correspond to the gathered user profiles.

The Computer Antivirus Research Organization (CARO) sets the standard for naming malware and other malicious codes. However, antivirus vendors often have their own approaches towards detection, which can result in different naming. Aliases on the Virus Encyclopedia, indicate the other names used to refer to the same malware.

The term backdoor often refers to backdoor programs - applications that open computers for access by remote systems. These programs typically respond to specially-built client programs, but can be designed to respond to legitimate messaging applications. Many backdoor programs actually make use of the IRC backbone, receiving commands from common IRC chat clients via the IRC network.

Backdoor programs (detected by Trend Micro antivirus as BKDR_malwarename) typically cannot propagate on their own.

Boot sector viruses infect the boot sector or the partition table of a disk. Computer systems are typically infected by these viruses when started with infected floppy disks - the boot attempt does not have to be successful for the virus to infect the computer hard drive. Once a computer is infected, boot sector viruses usually attempt to infect every disk accessed on the infected system. In general, boot sector viruses can be successfully removed.

There are a few viruses that can infect the boot sector after executing as a program. They are known as multi-partite viruses and are relatively rare.

The Damage Cleanup Template / Engine is the automated cleanup component of Trend Micro antivirus products. Trend Micro antivirus provides automated cleanup for all critical malware threats via this template and engine package, which is initiated upon malware detection. The Damage Cleanup Template / Engine can also be used as a standalone cleanup package.

A malware's damage potential rating may be high, medium, or low based on its inherent capacity to cause both direct and indirect damage to systems or networks. Certain malware are designed specifically to delete or corrupt files, causing direct damage. Denial of service (DoS) malware may also cause direct and intended damage by flooding specific targets. Mass-mailers and network worms usually cause indirect damage when they clog mail servers and network bandwidth, respectively.

High
- System becomes unusable (e.g. flash bios, format HDD)
- System data or files are unrecoverable (e.g. encryption of data)
- System cannot be automatically recovered using tools
- Recovery requires restoring from backup
- Causes large amounts of network traffic (packet flooders, mass-mailers)
- Data/files are compromised and sent to a third party (backdoor capabilities)

Medium
- System/files can be recovered using Trend Micro products or cleaning tools
- Minor data/file modification (e.g. file infectors)
- Malware that write minimal amount of data to the disk
- Malware that kill applications in memory
- Causes medium amount of network traffic (e.g. slow mailers)
- Automatically executes unknown programs
- Deletes security-related applications (e.g. antivirus, firewall)

Low
- No system changes
- Deletion of less significant files in the system
- Changes can be recovered by users without using any tools
- Damage can be reversed just by restarting the system

Data Miners are applications that monitor, analyze, and collect specific information found in a database or volume of data from various sources. Data miners are not always used with malicious intent. Data mining programs allow companies to compile important client information, in order to enhance their services.

Data miners may be used by Web sites to monitor, analyze, and collect particular user activities on a computer to collect information that typically will be used for marketing purposes. Usually, data miners are uploaded to a computer to search for Web sites visited, products searched, and services used. The data is then sent back to be used for targeted advertising.

Data miners may be used maliciously and have been used to steal personal information like logon credentials and credit card numbers.

Dialers, as the name implies, dial to predefined numbers to connect to certain sites. Many users run dialers without knowing that some of these programs actually dial long distance numbers or connect to pay-per-call sites; and that they are being charged for the calls. Dialers are often offered as programs for accessing adult sites.

See Denial of service.

Distribution potential is derived from the characteristics of the malicious program. Fast-spreading network worms can spread across continents within just minutes. Some malicious programs also use numerous infection and spreading techniques – often referred to as blended threats or mixed threats. The Nimda virus, for example, was able to spread via email, network shares, infected Web sites, as well as Web traffic (http/port 80).

As new systems are made and improved with added functionality, proof-of-concept malware often follows. This uniqueness, as well as the widespread implementation of a particular operating system or software, also influences the potential distribution of each malware. Many viruses written in the past do not run or spread on newer operating systems or operating systems that have all the latest security patches installed.

High
- Blended threats (i.e. spreads via email, P2P, IM, network shares)
- Mass mailers
- Spreads via network shares

Medium
- Mailers
- has spread via third-party or media
- spreads in IRC, IM, or P2P
- requires user intervention to spread
- URL/Web site download

Low
- no network spreading
- requires manual distribution to spread

Droppers are programs designed to extract other files from their own code. Typically, these programs extract several files into the computer to install a malicious program package. Droppers may have other functions apart from dropping files.

Encryption is the process of converting data into a form that could not be easily read without knowledge of the conversion mechanism (often called key).

Certain malware have the ability to encrypt their own physical copies such that they are able to evade antivirus scanners trying to match them with physical sigantures of available samples. More complex malware use variable encryption keys for each new copy, requiring more complex formula-based patterns from antivirus vendors.

An End User License Agreement or EULA is a legal contract between a software publisher and the software user. It typically outlines restrictions on the side of the user, who can refuse to enter into the agreement by not clicking "I accept" during installation. Clicking "I do not accept" will, of course, end the installation of the software product.

Many users inadvertently agree to the installation of spyware and adware into their computers when they click "I accept" on EULA prompts displayed during the installation of certain free software.

An exploit is code that takes advantage of a software vulnerability or security hole. Exploits are often incorporated into malware, which are consequently able to propagate into and run intricate routines on vulnerable computers.

Malware tagged in-the-wild on the Virus Encyclopedia are malware found to have infected real world computers. Infection monitoring is done using the Trend Micro World Virus Tracking Center. The Virus Encyclopedia tag may or may not reflect the list provided by www.wildlist.org.

Java applets allow Web developers to create interactive, dynamic Web pages with broader functionality. They are small, portable Java programs embedded in HTML pages and can run automatically when the pages are viewed. Malware authors have used Java applets as a vehicle for attack. Most Web browsers, however, can be configured so that these applets do not execute - sometimes by simply changing browser security settings to "high."

Joke programs are considered relatively harmless and are often designed to annoy or make fun of users. They do not infect files, cause damage, or spread to other systems.

Many joke programs are designed to cause unnecessary panic - especially those that cause computers to behave as if something has been damaged. Abnormal system behaviors caused by joke programs include the closing and opening of the CD-ROM tray and the display of numerous message boxes.

Keyloggers are programs that log keyboard activity. Certain malware employ these programs to gather user information. There are also legitimate keylogging programs that are used by corporations to monitor employees and by parents to monitor their children. Keyloggers usually catch and store all keyboard activity - leaving a person or another application to sort through the keystroke logs for valuable information like logon credentials and credit card numbers.

Kits are malware-generating applications that often provide users the option to create customized malware. Most kits can produce multiple variations of a malware. Many have been used to generate new variants of existing worms. Antivirus scanners should be capable of detecting kits and their spawn.

During the late 1990s and early 2000, macro viruses were the most prevalent viruses. Unlike other virus types, macro viruses are not specific to an operating system and spread with ease via email attachments, floppy disks, Web downloads, file transfers, and cooperative applications.

Popular applications that support macros (such as Microsoft Word and Microsoft Excel) are the most common platforms for this type of virus.  These viruses are written in Visual Basic and are relatively easy to create. Macro viruses infect at different points during a file's use, for example, when it is opened, saved, closed, or deleted.

A malware is a program that performs unexpected or unauthorized, often malicious, actions. It is a general term used to refer to both viruses and Trojans, which respectively include replicating and non-replicating malicious code.

Trend Micro issues advisories to inform users of newly discovered malware threats that are either already prevalent or will likely spread. Advisories may also cover proof-of-concept malware and old malware that have recently become newsworthy.  

The Malware Advisories tab on the Security Information page is a listing of current and significant malware threats with corresponding risk ratings, the dates when they are incorporated into the list, and the pattern files needed to detect them.

Malware-related hoaxes are warnings that contain incorrect information about malware or computer system events. These warnings often describe fantastical or impossible malware program characteristics meant to trick users into performing unwanted actions on their computers. Malware-related hoaxes typically reach users as email and often suggest that users forward them, resulting in a waste of time and bandwidth.

Memory-residency is the ability to stay in computer memory after execution and continuously run. This capability is general expected of certain malware types, specifically backdoors, which stay in memory to await commands. Certain file infectors also stay in memory to infect files as they are opened; while some worms stay in memory to continually send email.

Programs that stay in memory are generally referred to as memory-resident. The files related to these running programs could not be modified, deleted, or moved unless they are terminated.

Multi-partite viruses have characteristics of both boot sector viruses and file infecting viruses.

A network firewall protects a computer network from unauthorized access and is often considered the first line of defense in protecting a computer network against outside threats. On most configurations, data packets entering or leaving a network pass through a firewall, which examines each packet and drops those that do not meet specified criteria. Network firewalls may also be configured to limit how internal users connect externally.

Firewalls, in general, can be implemented as hardware, software, or a combination of both.

A network virus is a self-contained program (or set of programs) that can spread copies of itself or its segments across networks, including the Internet. Propagation often takes place via shared resources, such as shared drives and folders, or other network ports and services. Network viruses are not limited to the usual form of files or email attachments, but can also be resident in a computer's memory space alone (often referred to as memory-only worms).

In many cases, network viruses exploit vulnerabilities in the operating system or other installed programs. Some existing network viruses have the ability to spread themselves via legitimate network ports, such as port 80 (HTTP), 1434 (SQL), or 135 (DCOM RPC).

Once a network virus infects a new system, it often searches for other potential targets. It achieves this by searching the network for other vulnerable systems. Once a new vulnerable system is found, the network virus will attempt to infect the other system as well.

Some network viruses also have payloads, such as denial of service (DoS) attacks. When such an attack is carried out, infected computers will attempt to overwhelm the target system until it is unable to function properly. Example: The MSBLAST virus carried out a denial of service attack against the URL windowsupdate.com.

The most notorious network viruses are CodeRed, Nimda, SQLSlammer, and MSBlast.

CodeRed spreads as a series of packets in system memory via network port 80 (http) by exploiting a vulnerability hole (MS01-033) in Microsoft IIS (Internet Information Service).

Nimda spreads via network port 80 (http) by exploiting a vulnerability hole (MS00-078) in Microsoft IIS (Internet Information Service). Nimda is considered a blended threat, since it also has the ability to spread itself across the network via shared drives and email attachments.

SQLSlammer spreads as a series of packets in system memory via UDP network port 1434 (SQL) by exploiting a vulnerability hole in Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE).

MSBlast spreads via network port 135 (DCOM RPC) by exploiting a vulnerability in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. It also uses several other network ports (UDP 69, TCP 4444) during its propagation.

A password is a character set used to control access to computers systems and files. The use of strong passwords can be critical to securing computer systems as hackers and malware have been known use relatively effective password cracking methods to break through password-protected systems. 

Refer to the Safe Computing Guide (sorted by operating system) for tips on password security.

Password cracking applications are programs that are designed to crack through password-protected systems. Most password cracking applications use a long list of passwords and user names - accessing target systems using the list contents or combinations of the contents until successful.

Although password cracking is generally illicit, many system administrators regularly run password crackers to test passwords employed by network users.

The term payload refers to an action that a malware performs. On the Virus Encyclopedia, payloads listed are all other significant actions performed by a malware apart from its main behavior. For example, payloads for a worm would include all other actions it performs apart from its propation routines.

Payloads can range from something that is relatively harmless, like displaying messages or ejecting the CD drive, to something destructive, like deleting the contents of a hard drive.

Platform on the Virus Encyclopedia indicates the computer operating systems or the applications on which a malware can run. The platform fields lists all operating systems and applications. However, a malware may behave differently accross the specified platforms.

Polymorphic viruses are complex file infectors that change physical forms, yet retain the same basic routines, after every infection. Such viruses typically encrypt their codes during each infection, altering their physical file makeup by varying encyrption keys every time.

This capability to change their physical makeup can allow polymorphic viruses to evade antivirus scanners, and can require antivirus products to use complex patterns and newer scan engines.

A port is basically a connection address specified to allow programs on different computers to communicate. This connection address is represented by a port number from 0 to 65536. Like legitimate programs, malware programs that connect to remote systems often use predefined ports. Some malware use random ports that are defined upon connection. System administrators and desktop users can increase system security by controlling the availability of certain ports.

Many ports used by malware and legitimate applications are assigned to specific protocols like HTTP, which uses port 80 by default. IANA maintains a list of port numbers and known uses.

A proof-of-concept is the earliest implementation of an idea. A proof-of-concept malware usually contains code that runs on new platforms and programs or takes advantage of newly discovered vulnerabilities.

Proof-of-concept malware often perform actions that have never been done before. For example, VBS_BUBBLEBOY was a proof-of-concept worm - it was the first email worm to automatically execute without requiring recipients to double-click on an attachment. Most proof-of-concept malware are never seen in-the-wild. However, malware writers will often take the idea (and code) behind a proof-of-concept malware and implement it in future malware.

A proxy server is an Internet connection device. It accepts requests for Internet resources (such as when a Web browser opens a Web page) and attempts to provide the resources if it has it in cache. It will request the page from the actual site if it doesn't have it in cache.

Apart from its caching function, a proxy server can control connection to specific sites and control the use of certain ports. The single point of contact also improves manageability of Internet connections for huge networks.

Some malware have been known to function as proxy servers on infected machines, allowing unauthorized computers to connect to the Internet via infected systems.

Reported Infections, or real-time spread, is measured by reports coming in from the World Virus Tracking Center, as well as from Trend Micro business units around the world that are receiving threat reports and support inquiries in their areas. Reports from other antivirus industry vendors, and media attention, also contribute to this factor.

High - reports indicate that the virus has been seen all over the world and with numerous infections per site.

Medium - few reported incidents all over the world or numerous reports in certain regions.

Low - no, or very few, infections reported.

The scan engine is the core program used by Trend Micro antivirus products. It works with the latest virus pattern file to protect against all known malware threats. The latest scan engine naturally carries the most comprehensive protection capabilites, and users are advised to allow their products to automatically update to the latest scan engine or to manually update to it regularly.

The minimum scan engine version specified in the Virus Encyclopedia refers to the lowest engine version tested with the specified pattern against the malware threat being described.

HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed from a script-enabled browser.

A spyware is a program that monitors and gathers user information for different purposes. Spyware programs usually run in the background, with their activities transparent to most users.  Many users inadvertently agree to installing spyware by accepting the End User License Agreement (EULA) on certain free software.

Many users consider spyware an invasive form of data gathering. Spyware may also cause a general degradation in both network connection and system performance.

The state of California classifies spyware as: programs that are installed under deceptive circumstances; software that hides in personal computers; software that secretly monitors user activity; keylogging software; and software that collects Web browsing histories.

This indicates the condition or date on which the virus payload will be executed. A condition may range from the presence of a file to an action performed by the user. The date could include year, month, day, week, day of the week, hour, minute, second, or any other possible combination of any measurement of time.

A Trojan is malware that performs unexpected or unauthorized, often malicious, actions. The main difference between a Trojan and a virus is the inability to replicate. Trojans cause damage, unexpected system behavior, and compromise the security of systems, but do not replicate. If it replicates, then it should be classified as a virus.

A Trojan, coined from Greek mythology's Trojan horse, typically comes in good packaging but has some hidden malicious intent within its code. When a Trojan is executed users will likely experience unwanted system s, problems in operation, and sometimes loss of valuable data.

The majority of viruses fall into five main classes:
Boot-sector
File-infector
Multi-partite
Macro
Worm