Glossary of Virus Related Terms
| A |
- Anti-antivirus Virus
- A virus that attacks,
disables, or avoids infecting specific anti-virus
software. Also called a retrovirus.
- Antivirus Virus
- A virus that
specifically looks for and removes another virus.
| B |
- Back Door
- A feature built into a
program by its designer, which allows the
designer special privileges that are denied to
the normal users of the program. A back door in
an EXE or COM program, for instance, could enable
the designer to access special set-up functions.
- Bimodal Virus
- A virus that infects
both boot records and files. Also called bipartite
or multipartite. See File-infecting virus and Boot-sector-infecting
virus.
- Boot
- To start a computer so that it is
ready to run programs for the user. A PC can be
booted either by turning its power on, or by
pressing Ctrl+Alt+Del.
- Boot Records
- Those areas on diskettes or hard
disks that contain some of the first instructions
executed by a PC when it is booting. Boot records
must be loaded and executed in order to load the
operating system. Viruses that infect boot
records change the boot records to include a copy
of themselves. When the PC boots, the virus
program is run and will typically install itself
in memory before the operating system is loaded.
- Boot-sector-infecting virus
- Some viruses infect the boot
records of hard disks and diskettes. They
typically do so by replacing the existing boot
record with their own code. The virus is executed
when the system is booted from the hard disk or
diskette, and installs its own code in the
system's memory so that it can infect other hard
disks or diskettes later. Once that has happened,
the virus will usually execute the normal boot
program, which it stores elsewhere on the disk.
- Bug
- An error in the design or
implementation of a program that causes it to do
something that neither the user nor the program
author had intended to be done.
| C |
- CERT
- Computer Emergency
Response Team. These are the people who are
responsible for coordinating the response to
virus incidents in an organization.
- Cluster virus
- A virus that infects
disks or diskettes by modifying their file
systems so that every program file entry points
to the virus code. The virus code only exists in
one physical place on the disk, but running any
program on the disk will run the virus as well.
So, cluster viruses can appear to infect every
program on a disk.
- COM File
- A PC-DOS binary image
that is loaded into memory. It has restrictions
in size and method of program load. It generally
loads somewhat faster than an EXE file and has a
simpler structure.
- Companion virus
- A virus that creates a
new program with the same file name as an
existing program, but in a different place or
with a different file type, so that typing the
program's name on the command line causes the
virus program to be executed instead of the
original program. For instance, a companion virus
could create a file named FOO.COM that contained
its code, if a program named FOO.EXE already
existed. When the user types FOO on the command
line, FOO.COM would get executed instead of
FOO.EXE.
- CRC
- Cyclic Redundancy
Code. A CRC is a type of checksum. A checksum
algorithm takes a file (or other string of bytes)
and calculates from it a few bytes (the checksum)
that depend on the entire file. The idea is that,
if anything in the file changes, the checksum
will change. CRC checksums are usually used to
detect random, uncorrelated changes in files.
| D |
- DOS
- See PC-DOS.
| E |
- EXE File
- A PC-DOS executable
file similar to a COM file, except that it is not
restricted in size (except for memory
limitations), and that it may contain relocatable
code.
| F |
- FAPI
- See Family API.
- Family API
- An application programming
interface which allows a properly written program
to work under both OS/2 and DOS. Family API
programs have an OS/2 fork,
which contains OS/2-specific code, and a DOS fork, which contains PC-DOS-specific
code. In many cases, PC-DOS viruses that try to
infect Family API applications get confused and
end up damaging the program. Infected Family API
applications often just do not work, rather than
spread the infection.
- File-infecting virus
- Some viruses infect executable
files. There are a variety of mechanisms that
they use to do so. Usually, the virus will get
control when the program is first executed. In
most cases, the virus will return control to the
original program after it has completed its own
execution.
| G |
- Garden of Eden Mechanism
- A mechanism used only
in the author's original copy of the virus and
not in subsequent generations of it. It is
sometimes possible to determine when a copy of a
virus is the author's original copy by noticing
that such a mechanism is functional. Also called
a germ or generation one virus.
| H |
- HICL
- See High Integrity Computing Laboratory.
- High Integrity Computing Laboratory
- The group at the IBM Thomas J.
Watson Research Center responsible for IBM
AntiVirus research and development. The group
carries out studies of viral spread and behavior,
and develops customer solutions.
| I |
- IBM AntiVirus
- IBM's premier
anti-virus software for DOS, Windows, Windows 95,
Windows NT, OS/2 and Novell NetWare. It is a
standard part of IBM AntiVirus Services. Versions
are available for use on individual PCs, for
installation on client PCs from network servers,
and for execution on client PCs from network
servers.
- Integrity
- That aspect of
security that deals with the correctness of
information or its processing. An attack on
integrity would seek to erase a file that should
not be erased, alter an element of a database
improperly, corrupt the audit trail for a series
of events, propagate a virus, etc.
- I/S
- Information Systems.
This usually refers to the organization which is
responsible for the internal computing systems of
an enterprise.
| L |
- Logic Bomb
- A Trojan Horse that is left within a computing
system with the intent that it execute when some
condition occurs. The logic bomb could be
triggered by a change in a file, by a particular
input sequence to the program, or at a particular
time or date (see Time Bomb).
Logic bombs get their name from the malicious actions
that they can take when triggered.
| M |
- Malicious Code
- Any program or piece
of code designed to do damage to a system or the
information it contains, or to prevent the system
from being used in its normal manner.
- Master Boot Records
- Those boot records on
PC hard disks that define the structure of the
information on the disk. There is only one master
boot record on each physical hard disk. Each
logical disk drive (C:, D:, etc.) has a system
boot record associated with it. See Boot Records and System
Boot Records.
- Mutant
- See Variant.
- MBR
- See Master Boot Records.
| O |
- OS/2
- An operating system
sold by IBM for the IBM PC and compatible computers.
It is a multi-tasking operating system which can
run many PC-DOS and Windows programs.
| P |
- PC
- As used in this
document, PC refers to any IBM PC or
PC-like computer.
- PC-DOS
- An operating system
sold by IBM for the IBM PC and compatible
computers. Microsoft Corp. produces a
functionally similar version of this operating
system called MS-DOS. Viruses that infect PC-DOS
systems almost always infect MS-DOS systems, and
vice versa.
- Polymorphic viruses
- A self-garbling virus whose degarbling header changes each
time it spreads. These viruses are intended to be
difficult to detect, though this is rarely the
case in practice.
| R |
- Resident Extension
- In PC-DOS, programs
can install a part of themselves in memory, and
this part can remain active after the program has
ended. This memory resident part is called a resident
extension, since it is effectively an
extension to the operating system. Many viruses
install themselves as resident extensions, which
will then look for files to infect when those
files are accessed or executed later.
- Rogue Program
- This term has been
used in the popular press to denote any program
intended to damage programs or data, or to breach
the security of systems. As such, it encompasses
malicious Trojan Horses, logic bombs, viruses,
and so on.
| S |
- Self-Encrypting Viruses
- See Self-Garbling Viruses.
- Self-Extracting Files
- A file which, when run,
decompresses part of itself into one or more new
files. It is common to store and transmit groups
of files in a self-extracting file to conserve
both disk space and transmission time. If
infected files are compressed into a
self-extracting file, anti-virus programs that
only scan files will not necessarily be able to
detect the virus. To scan such files, you must
first extract and then scan their constituent
files.
- Self-Garbling Viruses
- Some viruses attempt to hide from
virus scanning programs by keeping most of their
code garbled in some way, and changing the
garbling each time they spread. When such a virus
runs, a small header degarbles the body of the
virus and then branches to it.
- Signature
- A search pattern, often a simple
string of bytes, that is expected to be found in
every instance of a particular virus. Usually,
different viruses have different signatures.
- Stealth Viruses
- Some viruses attempt to hide from
detection programs by hiding their presence in
boot records or files. When such viruses are run,
they install a resident extension. This resident
extension intercepts various disk accesses,
determines if its own code is part of the disk
access, and removes the code before giving the
data to the calling program. The result is that
the virus can be in several places on the disk,
but normal reads of the disk will not reveal it.
- System Boot Records
- Each logical PC-DOS or OS/2 drive
(e.g. C:, D:, etc.) has a system boot record
associated with it. The system boot record
contains code that tells the system about that
logical drive and tables that contain an index to
the files on it.
| T |
- Time Bomb
- A logic bomb activated at a certain time or date.
- Trojan Horse
- Any program designed to do things
that the user of the program did not intend to
do. An example of this would be a program which
simulates the logon sequence for a computer and,
rather than logging the user on, simply records
the user's userid and password in a file for
later collection. Rather than logging the user on
(which the user intended), it steals the user's
password so that the Trojan Horse's designer can
log on as the user (which the user did not
intend).
- TSR
- Terminate and Stay Resident. A
PC-DOS program which installs a resident
extension (see Resident Extension) and then
terminates.
| V |
- Variant
- A modified version of
a virus that is usually produced on purpose by a
virus author or by someone who modifies the
original virus. Variants may be very similar to
their parent virus, or may be fairly
different. Some are text variants, which
means that the only differences between them and
their parent virus are in internal program
comments that are never displayed, or in text
that is displayed to the screen. Some are the
result of small changes made to the original
virus, apparently to create a new virus which is
not detected by certain anti-virus programs. Some
are the result of large changes, such as
combining the spreading part of one virus
with the damage part of another.
- Virus
- A program that can infect
other programs by modifying them to include a
(possibly evolved) copy of itself. Note that a
program need not perform malicious actions to be
a virus; it need only infect other
programs. Many viruses that have been
encountered, however, do perform malicious
actions. (Note: There is no formal Latin plural
of the word virus. Hence, the preferred
plural is the English form: viruses.)
- Vx
- This term is shorthand
for Virus Exchange. It is most often applied to
electronic bulletin board systems where viruses
are made available for download (a VxBBS).
| W |
- Worm
- A program that makes
copies of itself elsewhere in a computing system.
These copies may be created on the same computer,
or may be sent over networks to other computers.
The first use of the term described a program
that copied itself benignly around a network,
using otherwise-unused resources on networked
machines to perform distributed computation. Some
worms are security threats, using networks to
spread themselves against the wishes of the
system owners and disrupting networks by
overloading them.
| Z |
- ZIP Files
- Files compressed with
the PKZIP compression program. PKZIP is a popular
compression program. Many virus scanners today,
including IBM AntiVirus, can scan inside of ZIP
files. (Also see Self-Extracting Files.)