Virus Glossary


Below is a brief list of common virus terms.

Boot Sector

Hard disk drives, floppy diskettes, and logical drives (partitions) all have boot sectors where critical drive information is stored. See also partition table, Master Boot Record, and multi-partite viruses.

Boot Sector or MBR Virus

A virus which infects the boot sector of a fixed or floppy disk. Any formatted disk (even one that is blank, or only contains text data, for example) may contain a boot sector virus. An attempt to boot from a diskette infected with a boot sector virus will cause the virus to become active in memory. This type of virus will place a copy of itself on the Master Boot Record (MBR) or the boot sector of the hard drive. Every time you boot your system from that point on, you will have the virus active in memory. These are the most common viruses. Any attempt to disinfect these viruses while a virus is active in memory will be defeated since it will re-write itself to the disk as soon as you remove it. Additionally, many of these are stealth viruses. For safety's sake, you should always attempt to disinfect these viruses after a cold boot to a write-protected diskette.

Circular Infection

A type of infection that occurs when 2 viruses infect the boot sector of a disk, rendering the disk unbootable. Removing one virus will generally cause a re-infection with the other virus. See also Boot Sector or MBR Virus.

CMOS

Complementary Metal Oxide Semiconductor. Critical configuration information is stored in CMOS. Some viruses attempt to alter this data.

Companion Virus

A virus which infects executable files by creating a 'companion' file with the same name but a .COM extension. Since DOS executes .COM files first, followed by .EXE files, and finally .BAT files, the virus loads before the executable file.

Cross-Linked Files

Cross-linking is a common phenomenon rarely associated with viruses. It occurs when two files appear to share the same clusters on the disk.

Dropper

A dropper is a program containing a virus which has been compressed with PKLite, Diet, LZExe, etc. It has been designed to deposit the virus onto a hard disk, a floppy disk, a file, or into memory. The children of this process are not droppers.

Encryption

Among the most difficult to detect, encrypted viruses use a brief encryption loop at the start of the program to make the rest of the program unintelligible. This means that scanners relying on signature files have only a few bytes to look for. The encryption key also changes each time a polymorphic virus replicates.

Executable Code

This represents instructions which are 'executable' by the computer. This includes COM, EXE, DLL and similar files. In a broader sense, executable code includes the code found in disk boot sectors, batch files and even macros used by some applications.

False Positive

A false positive occurs when a scanner identifies a file as infected when in fact it is not.

File Stealth Virus

In addition to redirection for the boot information, these viruses attack .COM and .EXE files when opened or copied and hide the file size changes from the DIR command. The major problem arises when an attempt is made to use CHKDSK/F and there appears to be a difference between the reported file size and the apparent size. CHKDSK assumes this is the result of some cross-linked files and attempts to repair the damage. The result is the destruction of the files involved. The FRODO or 4096 virus is famous for this kind of damage. See also Stealth Virus, and Full Stealth Virus.

Full Stealth Virus

In this case, ALL normal calls to file locations are cached while the virus subtracts its own length so that it appears clean. See also Stealth Virus, and File Stealth Virus.

Heuristics

A rule-based method of identifying new viruses. This method of scanning does not rely on specific virus signatures. The advantage of the heuristic scan is that it is not fooled by a new variant of an existing virus. However, it might occasionally report suspicious code in normal programs. For example, the scanning of a program may generate the message:

C:\DOS\MSHERC.COM has been modified by adding some
 code at the end. Ths does not appear to be a
 virus, but might be a self-checking routine or some
 "wrapper" program.

F-PROT will issue a stronger warning based on the likelihood of a program really containing a virus.

Integrity Checker

A program which checks for changes to files. Integrity checkers, when used correctly, can provide an excellent second line of defense against new viruses or variants.

In the Wild

Viruses found "in the wild" are viruses which are known to be spreading, as opposed to viruses which are not currently spreading, but are confined "in the zoo."

Joke Programs

F-PROT detects the presence of several well-known joke programs which can interrupt the normal operation of a PC. While joke programs are generally not harmful in any way, their side effects are often mistaken for those of a virus.

Logic Bomb

A logic bomb is a program which will execute a pre-programmed routine (frequently destructive) when a designated condition is met. Logic bombs do not make copies of themselves.

Macro Virus

A macro virus is a virus written in one of the many macro languages. Macro viruses spread via infected files, which can be documents, spreadsheets, databases, or any computer program which allows use of a macro language. At present, these viruses can infect Microsoft Word and Lotus Ami Pro documents. See also Macro Virus information section.

Malware

A generic name for software which intentionally performs actions which can damage data or disrupt systems.

Master Boot Record

On all PC fixed disks, the first physical sector is reserved for a short bootstrap program. This sector is the Master Boot Record (MBR). It also includes the partition table. See also Boot Sector and Boot Sector or MBR Virus.

Memory-Resident

Residing in computer memory as opposed to on a disk.

Multi-Partite

A virus which is able to infect both files and boot sectors is said to be multi-partite. Such viruses are highly infectious.

Partition Table

PC disks are often split into logical blocks known as partitions. Information required to access these partitions, as well as a flag which indicates which partition should be used to boot the system (the active partition), is stored in the Master Boot Record. See also boot sector, boot sector and MBR viruses.
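
The layout described under Master Boot Record and Partition Table can be checked from a raw copy of the sector. The following is an added example, not part of the original glossary: it parses the four partition entries and the active flag, reports structural anomalies, and hashes the bootstrap area so an integrity checker can compare it with a known-good baseline. The sample sector and the function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446       # partition table follows the bootstrap area
ENTRY_SIZE = 16          # four entries of 16 bytes each
SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(sector):
    """Return the bootstrap hash, partition entries and structural anomalies."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    anomalies = []
    if sector[510:512] != SIGNATURE:
        anomalies.append("missing 0x55AA signature")
    partitions = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba_start, count = struct.unpack(
            "<B3xB3xII", sector[start:start + ENTRY_SIZE])
        if ptype == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            anomalies.append(f"entry {i}: invalid boot flag 0x{status:02x}")
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    if sum(p["active"] for p in partitions) > 1:
        anomalies.append("more than one active partition")
    digest = hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest()
    return {"bootstrap_sha256": digest, "partitions": partitions,
            "anomalies": anomalies}

def build_sample_mbr(bootstrap=b"\xfa\x33\xc0"):
    """Constructed sample: one active FAT16 partition starting at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    sector[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = struct.pack(
        "<B3xB3xII", 0x80, 0x06, 63, 204800)
    sector[510:512] = SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr())
    current = parse_mbr(build_sample_mbr(bootstrap=b"\xeb\x3c\x90"))
    print(baseline["partitions"], baseline["anomalies"])
    print("bootstrap changed:",
          baseline["bootstrap_sha256"] != current["bootstrap_sha256"])
```

Because a stealth virus can redirect reads of this sector while it is active in memory, the copy being checked should be taken after a cold boot from clean, write-protected media.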

Polymorphism

A virus is said to be polymorphic if its code appears to be different every time it replicates (though generally each replication of the virus is functionally identical). This is usually achieved by encrypting the body of the virus, and adding a decryption routine which is different for each replication. When a polymorphic virus replicates, a portion of the decryption code is modified. Additionally, random, do-nothing blocks of code can be embedded in the program and are shuffled around to further vary the signature. In essence, it looks like a different program to virus scanners.

Stealth Virus

These viruses actively hide themselves while running. The first common virus, the BRAIN (discovered in the wild in 1986), was a stealth virus. It infected the boot sector of a floppy diskette and any attempt to read the boot sector with BRAIN active would be redirected to a copy of the original boot sector someplace else on the diskette. See also File Stealth and Full Stealth.

Trojan, Trojan Horse

A Trojan (or Trojan Horse) is a program which carries out an unauthorized function while hidden inside an authorized program. It is designed to do something other than what it claims to, and frequently is destructive in its actions.

Tunneling

Viruses that use tunneling techniques redirect all hard drive calls between their location in RAM and the operating system. This allows them to bypass any anti-viral products in memory at that time.

Virus

A virus is an independent program which reproduces itself. It may attach to other programs; it may create copies of itself (see companion viruses). It may attach itself to any executable code, including but not limited to boot sectors and/or partition sectors of hard and/or floppy disks. It may damage, corrupt or destroy data, or degrade system performance.

Virus Simulator

A virus simulator is a program which creates files that "look like" viruses. Such files are questionable for testing purposes because they are not really infected. F-PROT will not be fooled by a simulator.

Virus Variant

A variant is a modification of a previously known virus, i.e., a variation.

Worm

A worm is a program which reproduces by copying itself over and over, system to system. Worms are self-contained and generally use networks to spread.