Virus Glossary


ActiveX malicious code
ActiveX controls allow Web developers to create interactive, dynamic Web pages with broader functionality. An ActiveX control is a component object embedded in a Web page which runs automatically when the page is viewed. In many cases, the Web browser can be configured so that these ActiveX controls do not execute by changing the browser’s security settings to “high.” However, hackers, virus writers, and others who wish to cause mischief or worse may use ActiveX malicious code as a vehicle to attack the system. To remove malicious ActiveX controls, you just need to delete them.

Adware
Adware is a software application that displays advertising banners while the program is running. Adware often contains spyware in order for the program to know which advertisements to display based on the current user’s preference.

Aliases
The Computer Antivirus Research Organization (CARO) sets the standard for naming malware and malicious code. However, because every antivirus vendor has its own scanning approach and technology, vendors often end up with different names. Malware may therefore be known by several different names, or aliases. Listing the aliases informs the user of the various names used by different vendors to detect the same malware.

Backdoor
A Backdoor is a program that opens secret access to systems, and is often used to bypass system security. A Backdoor program does not infect other host files, but nearly all Backdoor programs make registry modifications. For detailed removal instructions please view the virus description.

Boot sector viruses
Boot sector viruses infect the boot sector or partition table of a disk. Computer systems are most likely to be attacked by boot sector viruses when you boot the system with an infected disk from the floppy drive – the boot attempt does not have to be successful for the virus to infect the hard drive. Also, there are a few viruses that can infect the boot sector from executable programs; these are known as multi-partite viruses and they are relatively rare. Once the system is infected, the boot sector virus will attempt to infect every disk that is accessed by that computer. In general, boot sector viruses can be successfully removed.

Computers infected since (date)
This table displays the number of infected computers, by region, since detection first became available for this virus.

Damage Potential
Damage potential and danger to systems is derived from the characteristics of the malicious program. Some malicious programs have been known to attack important operating system files, leaving the system unstable or unable to re-boot.

High
– system becomes unusable (e.g. flash bios, format HDD)
– system data or files are unrecoverable (e.g. encryption of data)
– system cannot be automatically recovered using tools
– recovery requires restoring from backup
– Causes large amounts of network traffic (packet flooders, mass mailers)
– Data/files are sent to a third party

Medium
– can be recovered using Etomic Mail products or cleaning tools
– Minor data/file modification (e.g. File infectors)
– malware that writes a minimal amount of data to the disk
– malware that kills applications in memory
– causes medium amount of network traffic (e.g. slow mailers)
– Automatically executes unknown programs
– deletes security related applications (e.g. antivirus, firewall)

Low
– no system changes
– deletion of less significant files in the system
– damage can be recovered by users without using any tools
– damage can be reversed just by rebooting the system


Date of origin
Indicates when a virus was first discovered (if known).

Denial of Service
Denial of Service, or DoS, is a Trojan routine that interrupts or inhibits the normal flow of data into and out of a system. Most DoS attacks consume system resources, such that, in a short period of time, the target is rendered useless. Another form of DoS attack happens when a Web service is accessed massively and repeatedly from different locations, preventing other systems from accessing the service and from retrieving data from it.

Destructive viruses
In addition to self-replication, computer viruses may have a routine that can deliver the virus payload. A virus is defined as destructive if its payload does some damage to your system, such as corrupting or deleting files, formatting your hard drive, and committing Denial of Service (DoS) attacks.

Dialer
Dialers are Trojans that, upon execution, connect the system to a pay-per-call location in which the unsuspecting user is billed for the call without his/her knowledge. Dialers often arrive in porn-related or other enticing service-related applications.

Distribution Potential
Distribution potential is derived from the characteristics of the malicious program. Fast-spreading network worms can spread across continents within just minutes. Some malicious programs also use numerous infection and spreading techniques – often referred to as blended threats or mixed threats. The Nimda virus, for example, was able to spread via email, network shares, infected Web sites, as well as Web traffic (http/port 80).

As new systems are made and improved with added functionality, proof-of-concept malware often follows. This uniqueness, as well as the widespread implementation of a particular operating system or software, also influences the potential distribution of each malware. Many viruses written in the past do not run or spread on newer operating systems or operating systems that have all the latest security patches installed.

High
– Blended threats (e.g. spreads via email, P2P, IM, network shares)
– Mass mailers
– Spreads via network shares

Medium
– Mailers
– has spread via third-party or media
– spreads in IRC, IM, or P2P
– requires user intervention to spread
– URL/Web site download

Low
– no network spreading
– requires manual distribution to spread


Dropper
A dropper is malware that drops other malware into a system. Some droppers just drop viruses or Trojans, while others are viruses or Trojans that – after performing their payload – also drop copies of other malware into the system.

ELF
ELF refers to Executable and Link Format, which is the well-documented and available file format for Linux/UNIX executables.

Encrypted Viruses
Encrypted viruses indicate that the virus code contains a special routine that employs data obscuring techniques to evade detection by antivirus software. Etomic Mail’s antivirus products have the ability to decrypt the virus and detect such viruses.

Exploit
An exploit is a Trojan that abuses certain vulnerabilities on existing systems or services. Exploits typically utilize a known flaw, which allows them to execute an otherwise difficult routine, such as running an arbitrary program on the target machine.

File infecting viruses
File infecting viruses infect executable programs (generally, files that have extensions of .com or .exe). Most such viruses simply try to replicate and spread by infecting other host programs – but some inadvertently destroy the program they infect by overwriting some of the original code. There is a minority of these viruses that are very destructive and attempt to format the hard drive at a pre-determined time or perform some other malicious action. In many cases, a file-infecting virus can be successfully removed from the infected file. If the virus has overwritten part of the program’s code, the original file will be unrecoverable.

Hoax
Hoaxes are warnings that contain incorrect information about malware or system events. These warnings often describe fantastical or impossible malware characteristics, which often fool users into performing unwanted actions on their systems, or suggest that users forward the warning to other users. A hoax can be considered a nuisance by the mere fact that forwarding it wastes time and bandwidth.

In-the-Wild virus list
Malware that is designated as being In-the-Wild refers to common viruses that have been found infecting users’ computers worldwide. The list is compiled by The WildList Organization (WLO). WLO updates the list regularly, working closely with antivirus research teams around the world. When ICSA (International Computer Security Association) conducts virus testing of antivirus products, the In-the-Wild virus list serves as the basis for its comparative analysis. More info: http://www.wildlist.org

Java malicious code
Java applets allow Web developers to create interactive, dynamic Web pages with broader functionality. Java applets are small, portable Java programs embedded in HTML pages. They can run automatically when the pages are viewed. However, hackers and virus writers may use Java malicious code as a vehicle to attack the system. In many cases, the Web browser can be configured so that these applets do not execute by changing the browser’s security settings to “high.”

Joke programs
Joke programs are ordinary executable programs. They are added to the detection list because they are found to be very annoying and/or they contain pornographic images. Joke programs cannot spread unless someone deliberately distributes them. To get rid of a Joke program, delete the file from your system.

Keylogger
Keyloggers are Trojans that, upon execution, log every keystroke or activity in a system. Although similar to third-party parenting/monitoring software, some malware actually employ the same technique to gather valuable data from unsuspecting users.

Kits
Kits are malware-producing applications that give the user the option to create customized malware. A kit can often produce multiple variations of a virus or a worm depending on the number of options offered in the kit. An antivirus scanner should be capable of detecting the source (kit application) and its spawn.

Language
This refers to the language locale of the virus working platform such as MS Word in English or Chinese.

Macro Viruses
Macro viruses during late 1990 and early 2000 were the most prevalent viruses. Unlike other virus types, macro viruses aren’t specific to an operating system and spread with ease via email attachments, floppy disks, Web downloads, file transfers, and cooperative applications.

Macro viruses are written in “every man’s programming language” – Visual Basic – and are relatively easy to create. They can infect at different points during a file’s use, for example, when it is opened, saved, closed, or deleted.

Malware
Malware is a general term used to refer to any unexpected or malicious programs or mobile code, such as viruses, Trojans, worms, or Joke programs.

Multi-partite Viruses
Multi-partite viruses have characteristics of both boot sector viruses and file infecting viruses.

NE
NE refers to New Executable, which is the standard Windows 16-bit executable file format. Windows 16-bit viruses are detected by Trend products as “NE_Virusname.”

Password
Some viruses set a password when they infect a document. The main objective of the virus here is to make the document inaccessible. This password can be a word, phrase, or even a randomly generated number.

Payload
Payload refers to an action that a virus performs on the infected computer. This can be something relatively harmless like displaying messages or ejecting the CD drive, or something destructive like deleting the entire hard drive.

PE
PE refers to Portable Executable, which is the standard Win32 executable file format.

Place of Origin
Indicates where a virus is believed to have originated (if known).

Platform
Indicates the computer operating system or application on which a virus can run and perform an infection. Generally, a particular operating system is required for executable viruses and a specific application is needed for macro viruses.

Polymorphic Viruses
Polymorphic viruses indicate that the virus code contains a special routine that changes the other parts of the virus code on each replication to evade detection by antivirus software. Etomic Mail’s antivirus products have the ability to decrypt the virus and detect such viruses.

Proof of Concept
A proof of concept virus or Trojan indicates that something is new or that it has never been seen before. For example, VBS_Bubbleboy was a proof of concept worm, as it was the first email worm to automatically execute without requiring a user to double-click on an attachment. Most proof of concept viruses are never seen in-the-wild. However, virus writers will often take the idea (and code) from a proof of concept virus and implement it in future viruses.

Rate of Infection
This table displays the relative rate of infection in each region. While the “number of computers infected” table reflects the larger numbers of Internet users in North America, Asia and Europe, the “rate of infection” is useful as an estimate of how quickly a virus is spreading in each region. An infection rate of 5%, for example, means that approximately 5 out of 100 computers are infected. Please note that these rates are based only on HouseCall users who have scanned their PC in the last 24 hours.

Reported Infections
Reported Infections, or real-time spread, is measured by reports coming in from the World Virus Tracking Center. Reports from other antivirus industry vendors, and media attention, also contribute to this factor.

High – reports indicate that the virus has been seen all over the world and with numerous infections per site.

Medium – few reported incidents all over the world or numerous reports in certain regions.

Low – no, or very few, infections reported.


Risk rating
When a case is received, TrendLabs (Etomic Mail’s global network of antivirus research and product support centers) immediately evaluates the threat and assigns a risk rating of Low, Medium, or High. Several factors contribute to each risk rating.

Script viruses (VBScript, JavaScript, HTML)
Script viruses are written in script programming languages, such as VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript viruses make use of Microsoft’s Windows Scripting Host to activate themselves and infect other files. Since Windows Scripting Host is available on Windows 98 and Windows 2000, the viruses can be activated simply by double-clicking the *.vbs or *.js file from Windows Explorer.

HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed from a script-enabled browser.

Size of macro/malicious code/virus
Indicates the size of the virus code in bytes. This number is sometimes used as part of the virus name to distinguish it from its variants.

Solution
Most viruses can be cleaned or removed from the infected host files by Etomic Mail’s antivirus software. Special removal instructions are provided for viruses or Trojans that modify the system registry and/or drop files. Generally, to remove Trojans or Joke programs, you just need to delete the program files – no cleaning action is needed.

To keep your computer healthy by catching viruses before they have a chance to infect your PC or network, get the best antivirus solution available today. Etomic Mail offers antivirus and content security solutions for home users, corporate users, and ISPs.

Spyware
Spyware is a software application that monitors a user’s computing habits and personal information and sends this information to third parties without the user’s authorization or knowledge.

Stealer
A stealer is a Trojan that gathers information from a system. The most common form of stealers are those that gather logon information, like usernames and passwords, and then send the information to another system either via email or over a network. Other stealers, called key loggers, log user keystrokes which may reveal sensitive information.

Technical details
The “technical details” section of the Virus Encyclopedia profile contains specific information about the actions performed by a virus on the host system. This information is provided to assist system administrators in identifying and removing viruses.

Time period
This chart displays the number of computers infected within the last 24 hours (1d), last 7 days (7d), last year (1y), or since detection first became available (All).

Top 10 countries
This table displays the number of infected computers in each of the top 10 countries where this virus has been detected, since detection first became available.

Trigger Condition/Trigger Date
This indicates the condition or date on which the virus payload will be executed. A condition may range from the presence of a file to an action performed by the user. The date could include year, month, day, week, day of the week, hour, minute, second, or any other possible combination of any measurement of time.

Trojan
A Trojan is malware that performs unexpected or unauthorized, often malicious, actions. The main difference between a Trojan and a virus is the inability to replicate. Trojans cause damage, unexpected system behavior, and compromise the security of systems, but do not replicate. If it replicates, then it should be classified as a virus.

A Trojan, coined from Greek mythology’s Trojan horse, typically comes in good packaging but has some hidden malicious intent within its code. When a Trojan is executed users will likely experience unwanted system s, problems in operation, and sometimes loss of valuable data.

Virus Map
The Virus Map is a tool for measuring virus infections around the world.

Virus Types
The majority of viruses fall into five main classes:
Boot-sector
File-infector
Multi-partite
Macro
Worm

Worm
A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments.
