
Virus Glossary


- A -

Access Control
A variety of different methods to prevent unauthorized programs from being installed on a computer, unauthorized disks from being accessed, or unauthorized personnel from using the computer. Access control procedures therefore seek to limit the physical entry a virus has to the computer. UNIX systems have very secure access control for their administrators, which limits the possibility of a virus infection tremendously.
Activation
Viruses that have damage routines will activate when certain conditions are met, for example, on a certain date or when a particular action is taken by the user. Viruses without damage routines don’t activate, instead causing damage by stealing storage space. (see Discovery)
 
ActiveX
It makes web pages interactive and more functional. Essentially a slimmed-down version of OLE, ActiveX provides developers a way to download small executable objects that can be invoked directly on the user's machine. ActiveX also allows rapid development of applications based on "reusable parts". OCXs are fully executable pieces of Windows code that have no restrictions placed on them once they reach the client machine, regardless of how they got there. ActiveX controls can also contain code that works like a Trojan Horse, so a control can be dangerous if you don't know its origin and certification.
 
Alias
A different name by which a virus is known.
 
Armored Virus
An armored virus is one that uses special tricks to make tracing, disassembling and understanding of its code more difficult.
Assimilation
At this point, anti-virus developers modify their software so that it can detect the new virus. This can take anywhere from one day to six months, depending on the developer and the virus type.
(see Eradication)

- B -

Background Scanning
Automatic scanning of files and documents as they are created, opened, closed, or executed.
 
Behavior Blocking
A set of procedures that are tuned to detect virus-like behavior, and prevent that behavior when it occurs. Some behaviors that should normally be blocked in a machine include formatting tracks, writing to the master boot record or boot record, and writing directly to sectors.
 
BIOS
Basic Input Output System
 
Boot Record
The program recorded in the Boot Sector. All floppies have a boot record, whether or not the disk is actually bootable. Whenever you start or reset your computer with a disk in the A: drive, DOS reads the boot record from that diskette. If a boot virus has infected the floppy, the computer first reads the virus code in, then jumps to whatever sector the virus tells the drive to read, where the virus has stored the original boot record.
Boot Sector
The first logical sector of a drive. On a floppy disk, this is located on side 0, cylinder 0, sector 1. On a hard disk, it is the first sector of a logical drive, such as C: or D:. This sector contains the Boot Record, which is created by format. All drives that have been formatted contain a boot sector.
Boot Sector Infector
When the computer is powering up and looking for the boot information, and it reads an infected disk in the A: drive, the virus is transferred to the computer's hard drive. Once the boot code on the drive is infected, the virus will be loaded into memory on every startup. From memory the boot virus can infect every disk. Boot viruses could be on a system for a long time without causing problems. Most boot viruses will destroy the boot information or the whole hard drive.
BSI
Boot Sector Infector (= BSV - Boot Sector Virus)
Bug
An unintentional fault in a program.

- C -

CARO
Computer Anti-Virus Researchers Organisation.
 
Cavity Virus
A cavity virus is one which overwrites a part of the host file that is filled with a constant, without increasing the length of the file, but preserving its functionality.
 
Clean
Free from viruses.
 
Checksummer
A program which looks for changes to executable files; it does this by calculating "fingerprints" for executable files on the hard disk and checking subsequently to see if this fingerprint changes. Integrity Master is such a checksummer. (see Integrity Checker)
 
CMOS
Complementary Metal Oxide Semiconductor: Memory used to store hardware configuration information.
Creation
A few years ago, creating a virus required knowledge of a computer programming language like assembler or C. Today anyone with even a little programming knowledge can create a virus. Usually, though, viruses are created by misguided individuals who wish to cause widespread, random damage to computers. (see Gestation)
Cold Boot
The process of starting-up a computer from a floppy disk, so that no other programs can load into memory besides those directed by the boot software contained on the floppy. Because viruses must go resident in order to damage, and some viruses are particularly good at "stealthing" themselves while in memory, many experts believe a cold boot, followed by a scan, is the only way to make certain a computer is virus-free.

- D -

Detecting Boot Viruses
The best way to determine if you have a virus is to scan with an antivirus program or a checksum checker. There are several shareware and commercial scanners available.
 
Disassemble
The process anti-virus researchers employ to unravel a virus into a recognizable set of patterns, typically so that detection capability of those patterns can be built into a scanner.
 
Discovery
This phase doesn’t always come after activation, but it usually does. When a virus is detected and isolated, it is sent to the International Computer Security Association in Washington, D.C., to be documented and distributed to anti-virus developers. Discovery normally takes place at least a year before the virus might have become a threat to the computing community.
(see Assimilation)
 
Dropper
A dropper is a program that has been designed or modified to "install" a virus onto the target system. The virus code is usually contained in a dropper in such a way that it won't be detected by virus scanners that normally detect that virus. While quite uncommon, a few droppers have been discovered. A dropper is effectively a Trojan Horse whose payload is installing a virus infection. A dropper which installs a virus only in memory is sometimes called an "injector".
 

- E -

EICAR
European Institute of Computer Anti-Virus Research.
Encryption
Technique of hiding by transformation. Virus code converts itself into cryptic symbols. However, in order to launch (execute) and spread, the virus must decrypt itself, and it can then be detected.
Encrypted Virus
A virus whose code begins with a decryption algorithm, and continues with the scrambled or encrypted code of the remainder of the virus.
Eradication
If enough users install up-to-date virus protection software, any virus can be wiped out. So far no viruses have disappeared completely, but some have long ceased to be a major threat.
(see Life Cycle)

- F -

False Positive, False Negative
A false positive is when an antivirus program incorrectly reports a virus in memory or infecting a file. Scanners in heuristic mode and integrity checkers are, by definition, somewhat more prone to these. A false negative is, essentially, a virus undetected by an antivirus program.
 
Fast Infector
A fast infector is a virus that, when it is active in memory, infects not only programs which are executed, but even those that are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all programs becoming infected.
 
Finger Print
A unique numeric identifier for a file; used by checksummers to check for changes in executable files. Also known as a checksum.
 

- G -

GDE
Generic Decryption Engine. An element of FindVirus which enables it to identify even the most complex polymorphic encrypted viruses.
 
Gestation
After the virus is created, the virus writer copies it and makes sure that it spreads. Usually, this is done by infecting a popular program and placing it on a BBS or distributing copies through offices, schools, and other large organizations. (see Replication)

- H -

Heuristic Analysis
Analysing the instructions contained within a program or macro to determine if the program is likely to be a virus.
Heuristic Scanner
An element of FindVirus which checks files for suspicious code which may indicate a new virus.

- I -

ICSA
International Computer Security Association, formerly known as NCSA.
In the Wild
A virus is referred to as "in the wild" if it has been verified by groups that track virus infections to have caused an infection outside a laboratory situation. A virus that has never been seen in a real-world situation is not in the wild, and is sometimes referred to as "in the zoo".
Injector
(see Dropper).
Integrity Checker
A program that determines whether another program has been altered and changed. For a virus infection to occur, executable code needs to have been altered by the virus. An integrity checker searches for such changes and flags them as suspicious. (see Checksummer)

- J -

Joke Program
Practical joke programs. These are not viruses, but sometimes a virus is contained in a joke program. The Toolkit detects joke programs.

- K -

 


- L -

Life Cycle
Computer viruses have a "life cycle" that starts when they’re created and ends when they’re completely eradicated. (see Creation)

- M -

Macro Virus
A virus which consists of instructions in Word Basic or another macro language, and resides in documents. While we do not think of documents as capable of being infected, any application which supports macros that automatically execute is a potential platform for macro viruses. (see Virus)
 
 
Master Boot Record
The 340-byte program located in the Master Boot Sector. This program begins the boot process. It reads the partition table, determines what partition will be booted from (normally C:), and transfers control to the program stored in the first sector of that partition, which is the Boot Sector. The Master Boot Record is often called the MBR, and is also often called the "master boot sector" or "Partition Sector".
 
Multipartite Virus
Both program and boot infector. Removal of multipartite viruses requires cleaning both boot sectors and infected files. Before you attempt the repair, you must have a clean, write-protected boot disk that can boot your system from A: and allow you to access your hard drive.

- N -

Not in the wild
Viruses which are not 'in the wild' are those which have been seen, but which fail to spread successfully; often this is because they are so noticeable to users.

- O -

On-access Scanner
A background scanner, which scans disks and files automatically, as they are accessed by the user.
On-demand Scanner
A program which scans for viruses at a time specified by the user; this may be done either by specifically running the program or by using the Scheduler to define a time for the scan to take place. An on-demand scanner does not remain in memory.

- P -

Polymorphic
Ability to mutate by changing code segments to look different from one infection to another. This type of virus is a challenge for anti-virus detection methods.
 
Programs Infector:
When an infected application is run, the virus activates and is loaded into memory. While the virus is in memory, any program file subsequently run becomes infected. Multiple infections are very common and will certainly cause system problems. Program files may function without any problems for some time, but eventually programs have problems or multiple infection brings the system down. The data the program produces may be a first sign of infection, such as saving files without proper DOS names.

- Q -

 


- R -

RAM
Random Access Memory: the place programs are loaded into in order to execute; the significance for viruses is that, to be active, they must grab some of this for themselves. However, some virus scanners may declare that a virus is active simply when it is found in RAM, even though it might be simply left over in a buffer area of RAM rather than truly being active.
 
Remove
To remove or clean a virus means to eliminate all traces of it, returning the infected item to its original, uninfected state. Viruses can be removed by reversing the process by which they infected. A virus that damages the item it has infected by destroying one or more bytes is not removable.
 
Replication
Viruses replicate by nature. A well-designed virus will replicate for a long time before it activates, which allows it plenty of time to spread. (see Activation)
 
Resident
A resident virus loads much like a TSR, staying in memory where it can easily replicate itself into programs or boot sectors. All boot viruses are resident viruses, as are the most common file viruses. Macro viruses are non-resident viruses.
 

- S -

Scanner
A virus detection program that searches for viruses.
 
Slow Infector
The term "slow infector" is sometimes used to refer to a virus that only infects files as they are modified or as they are created. The purpose is to fool people who use integrity checkers into thinking that modifications reported by their integrity checker are due solely to legitimate reasons.
 
Sparse Infector
The term "sparse infector" is sometimes used to describe a virus that infects only occasionally, or only files whose lengths fall within a narrow range, etc. By infecting less often, such viruses try to minimize the probability of being discovered.
 
Stealth virus
The ability to hide from detection and repair manifests in two ways.
1. Full - Virus redirects disk reads to avoid detection.
2. Size - Disk directory data is altered to hide the additional bytes of the virus.
 

- T -

 
Top of Memory
The memory just below 640 Kb. Some stealth file viruses load into memory up here, in hopes that they will not be seen by memory-snooping programs and won't be overwritten when other programs load. The alternative to loading at the Top of Memory is to allocate memory. When a virus allocates memory, it loads in the first available "hole" near the bottom of 640 Kb.
 
Triggered Event
An action built into a virus that is set off by the date, a particular keyboard action or DOS function. It could be as simple as a message printed to the screen or as serious as reformatting the hard drive or deleting files.
 
Trojan Horse
A Trojan is a program that does something undocumented that the programmer intended, but that some users would not approve of if they knew about it. According to some people, a virus is a particular case of a Trojan, namely one which is able to spread to other programs. According to others, a virus that does not do any deliberate damage is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to *non-replicating* malware, so that the set of Trojans and the set of viruses are disjoint.
 
TSR
Terminate but Stay Resident - A memory-resident DOS program, which remains in memory while other programs are running. A good TSR should at least detect all known in-the-wild viruses and a good percentage of other known viruses. Generally, TSRs are not so good with polymorphic viruses, and should not be relied on exclusively.

- U -

 

- V -

Variant
A variation of a virus, usually caused by amending the code of an existing virus.
 
Virus
A virus is a piece of software designed and written to make additional copies of itself and spread from location to location, typically without user knowledge or permission. Such stealth qualities are now found in both viruses infecting files and those infecting boot areas.
 
There are computer viruses that were written for several operating systems like DOS, Windows, Amiga, Mac, Atari, and UNIX.
 
Macro viruses are a new class of viruses that do not infect boot areas or files with the .EXE or .COM extensions. Instead, they infect documents; when Word loads the document, it executes any "autoexecute" macro in the file. (see Macro Virus)
 
Some viruses cause damage, but not all do. More than 20,000 have been identified, and 250 new ones are created every month, according to the International Computer Security Association. With numbers like those, it’s safe to say that most organizations will deal regularly with virus outbreaks. No one who uses computers is immune from viruses. You will find more information in the Virus FAQ.
VxD
A Windows program which can run in the background. A scanner implemented as a VxD has all the advantages of a DOS TSR, but can have additional advantages: for instance, a good VxD will scan continuously.

- W -

Worm
Similar to a virus in that it makes copies of itself, but differs in that it need not attach to particular files or sectors at all. Once a worm is executed, it seeks other systems - rather than parts of systems - to infect, then copies its code to them.

- X -

 

- Y -

 

- Z -

Zoo
A suite of viruses used for testing.
 
Zoo virus
A virus which is rarely reported anywhere in the world, but which exists in the collections of researchers. A zoo virus has some chance of "escaping" virus collections and infecting user machines. Its prevalence could increase to the point that it was considered "in the wild".


Thanx for all support
Madania Site

Copyrights by Matthias Kannengiesser
1998