Virus Glossary
Affects: |
MS Access 97 or later on any operating system. |
Language: |
VBA macro language. |
Replication: |
Infects other Access database files when an infected database is opened. |
Naming: |
Anti-Virus reports these viruses with the prefix "AM97/", "A97M" and "AM". |
Description: |
AppleScript is the default batch language of Macintosh Operating Systems. As such the majority of applications that are installed on Macintosh computers are scriptable by AppleScript. An AppleScript worm is a script that uses the functionality of AppleScript to spread to other computers or scripts an email application to send itself out. |
Naming: |
Anti-Virus reports these worms with the prefix "AplS/". |
Description: |
A utility that has been downloaded along with a desired program, and is unwanted, such as adware or spyware. |
Replication: |
Does not replicate. |
Naming: |
Anti-Virus reports these applications with the prefix "App/". |
Affects: |
Computers connected to a network with DOS, Windows 95/98/Me and Windows NT/2000 operating systems. |
Replication: |
Batch file worms spread by searching for shared areas on remote computers to which they can copy themselves. |
Naming: |
Anti-Virus reports these worms with the prefix "Bat/". |
Description: |
The BIOS is the very first piece of software which runs when your computer is switched on, so it must be present for your computer to work. Without it, your PC is effectively useless.
The BIOS is stored in a special chip on the motherboard which maintains its contents even when the power is switched off. This is supposed to ensure that the BIOS is always there when you need it. |
Note: |
On many computers the BIOS can be upgraded using software supplied by the BIOS manufacturer. It can also be damaged by viruses such as W95/CIH-10xx.
CIH is a virus that infects 32-bit Windows 95/98/NT executable files, but it can function only under Windows 95/98/Me. It does not function under Windows NT/2000/XP. When an infected program is run under Windows 95/98/Me, the virus becomes resident in memory.
Although Windows NT system files can be infected, the virus cannot become resident or infect files on a computer running Windows NT/2000/XP. The virus does not function under DOS, Windows 3.1, or on Macintosh computers. Once the virus is resident, CIH infects other files when they are accessed.
Files infected by CIH may have the same size as the original files because of CIH's unique mode of infection. The virus searches for empty, unused spaces in the file. Next it breaks itself up into smaller pieces and inserts its code into these unused spaces. When Norton AntiVirus repairs a file that is infected by CIH, it looks for these small viral pieces and removes them from the file.
Payload
W95.CIH V1.2 and V1.3 (April 26), W95.CIH V1.4 (26th of any month)
The first payload overwrites the hard disk with random data, starting at the beginning of the disk (sector 0). The overwriting of the sectors does not stop until the system has crashed. As a result, the computer will not boot from the hard disk or a floppy disk. Also, the data that has been overwritten on the hard disk will be very difficult or impossible to recover. You must restore the data from backups.
The second payload tries to cause permanent damage to the computer. This payload attacks the Flash BIOS (a part of your computer that initializes and manages the relationships and data flow between the system devices, including the hard drive, serial and parallel ports, and the keyboard) and tries to corrupt the data that is stored there. As a result, nothing may be displayed when you start the computer. To fix this requires the services of a computer technician.
W95.CIH.1049 has been known to infect the worm W32.Klez.gen@mm |
Description: |
An email which urges the recipient to forward the email to other people. |
Examples: |
chain letters. |
Description: |
The CMOS settings maintain fundamental system configuration information, which is stored in a special chip on the motherboard. This chip, usually powered by a battery, can operate independently of the rest of the computer. It keeps things like the system clock up-to-date even when the power is switched off.
The CMOS settings also record what sort of disks are installed in the PC, whether or not a password is required at start-up, and which devices (e.g. floppy, hard disk, CD-ROM or network) should be used when trying to boot up the computer. If your CMOS settings are inaccurate, then your computer may not work properly.
Some viruses and trojans, such as Troj/KillCMOS-E, deliberately corrupt these settings to try to stop your computer working. Although it is usually fairly easy to correct the CMOS settings, the procedure for doing so varies from computer to computer. You may need to refer to your computer's manual or the manufacturer's website for assistance. |
Note: |
One of the CMOS settings is called the "boot sequence". This determines whether the computer will try to boot from floppy disk or not. Because accidentally booting from a floppy can introduce boot sector viruses such as Form, we recommend changing this setting so that the computer routinely boots from the hard disk. |
Affects: |
Any operating system. |
Replication: |
A companion virus will rename either itself or its target file in an attempt to trick the user into running the virus rather than another program. For example, a companion virus attacking a file named GAME.EXE may rename the target file to GAME.EX and create a copy of itself called GAME.EXE. Alternatively it may simply rename itself to GAME.COM and rely on the user running 'GAME' from a command prompt as the operating system would then run GAME.COM rather than GAME.EXE. |
Naming: |
There is no standard naming convention for this type of virus. |
Affects: |
Corel SCRIPT files running under any operating system. |
Language: |
Corel SCRIPT macro language. |
Replication: |
When an infected script is run it infects other Corel SCRIPT files. |
Naming: |
Anti-Virus reports these viruses with the prefix "CSC/". |
Description: |
A Dialler is a program that typically dials a premium rate phone line, normally with the intent of gaining access to pornographic material. |
Replication: |
Does not replicate. |
Naming: |
Anti-Virus reports these programs with the prefix "Dial/". |
Affects: |
DOS Boot Sector (aka DOS Boot Record) of hard disks and boot sector of floppy disks.
DOS Boot Sector viruses can infect any Intel-compatible PC which is configured to boot from a floppy drive.
More secure operating systems such as Windows NT can be infected but may prevent the virus from replicating. |
Language: |
Intel 80x86 Assembler. |
Replication: |
Loads into memory when an infected PC is booted and then infects any floppy disk used in the PC. A PC which boots from an infected floppy disk becomes infected. |
Naming: |
There is no standard naming convention for this type of virus. |
Affects: |
DOS/Windows executable files. |
Replication: |
Infects other executable files. Some viruses become memory resident and infect other programs when they are run. Others actively seek out other files to infect. |
Naming: |
There is no standard naming convention for this type of virus. |
Affects: |
DOS executable files. |
Replication: |
Affects DOS executables on a system by overwriting them. Traditionally spreads to other systems by means of floppy disk exchange. |
Naming: |
Anti-Virus does not report these worms with a special prefix. |
Description: |
Dropped files are files that have been dropped by a virus, Trojan or worm and are detected by Anti-Virus. They include damaged versions of the original program. |
Replication: |
Does not replicate. |
Naming: |
There is no standard naming convention for this type of virus. |
Description: |
A file created specifically to introduce a virus, worm or Trojan into a system. The file may be of a different type to the virus, worm or Trojan it introduces. |
Naming: |
There is no standard naming convention for this type of virus. |
Affects: |
MS Excel 5 or later running on any operating system. |
Language: |
Excel formula language. |
Replication: |
When an infected document is opened the viral formula sheet is copied into a file in the XLSTART directory. This is automatically loaded into other documents when they are opened. |
Naming: |
Anti-Virus reports these viruses with the prefix "XF/" or "XF97/". |
Affects: |
MS Excel 5 or later running on any operating system. |
Language: |
VBA3 macro language. |
Replication: |
When an infected document is opened the viral macros are copied into a file in the XLSTART directory. This is automatically loaded into other documents when they are opened. |
Naming: |
Anti-Virus reports these viruses with the prefix "XM/" (earlier versions used "Excel"). |
Affects: |
MS Excel 97 or later running on any operating system. |
Language: |
VBA5 or later macro language. |
Replication: |
When an infected document is opened the viral macros are copied into a file in the XLSTART directory. This is automatically loaded into other documents when they are opened.
Some viruses such as XM97/Papa also use mail programs such as Outlook to automatically send infected files to names listed in the address book. |
Naming: |
Anti-Virus reports these viruses with the prefix "XM97/". Prefixes used by other anti-virus companies include "X97M". |
Description: |
An incorrect report that a file is infected with a virus. |
Examples: |
View false alarms. |
Affects: |
JavaScript scripting files, HTML files with embedded scripts, Microsoft Outlook and Internet Explorer. |
Language: |
JavaScript |
Replication: |
Inserts itself inside files. |
Affects: |
JavaScript scripting files, HTML files with embedded scripts, Microsoft Outlook and Internet Explorer. |
Language: |
JavaScript |
Replication: |
Uses IRC, Outlook or Windows networking functions to email multiple copies of infected files to other people or copy itself across the network. |
Naming: |
Anti-Virus reports these worms with the prefix "JS/". |
Description: |
A computer program designed to be mistaken for a virus. Jokes do not replicate, can be safely deleted and are harmless to a computer. Their aim is to cause alarm, and waste time and resources. |
Replication: |
Does not replicate. |
Naming: |
Anti-Virus reports these files with the prefix "Joke/". |
Description: |
A computer program that no longer works as a virus for a variety of reasons. Anti-Virus detects these files so that the inactive virus code can be removed. |
Naming: |
Anti-Virus reports these files with the prefix "Junk/". |
Affects: |
Various Linux Platform ELF (Executable and Linkable Format) files. |
Replication: |
Infects other executable files using a variety of mechanisms. |
Naming: |
Anti-Virus reports these viruses with the prefix "Linux/". |
Affects: |
Computers connected to a network running Linux. |
Replication: |
Linux worms take advantage of flaws in networking code to gain unauthorised access to remote computers running Linux. Once they have gained access they will begin searching for new machines to infect and are often initially noticed by increased network traffic. They can spread rapidly between computers permanently connected to the internet because they require no user intervention to function. |
Naming: |
Anti-Virus reports these worms with the prefix "Linux/". Prefixes used by other anti-virus vendors include "Unix". |
Affects: |
Macintosh computers. |
Replication: |
Infects other Macintosh files by a variety of mechanisms. |
Naming: |
Anti-Virus reports these viruses with the prefix "Mac/". |
Affects: |
Power Macintosh computers. |
Replication: |
Uses the QuickTime AutoPlay feature to copy itself from and to infected diskettes when they are inserted. |
Naming: |
Anti-Virus reports these worms with the prefix "Mac/". |
Affects: |
Macromedia Flash files associated with the Flash 5 player. |
Replication: |
Typically the virus replicates itself by copying itself to the script at the start of the Flash file. |
Affects: |
MapInfo. |
Language: |
MapBasic. |
Replication: |
Infects the MapInfo application so as to infect other MapInfo Map files. |
Naming: |
Anti-Virus reports these viruses with the prefix "MPB/". |
Affects: |
Master Boot Sector (aka Master Boot Record) of hard disks and boot sector of floppy disks.
Master Boot Sector viruses can infect any Intel-compatible PC which is configured to boot from a floppy disk drive.
More secure operating systems such as Windows NT can be infected but may prevent the virus from replicating. |
Language: |
Intel 80x86 Assembler. |
Replication: |
Loads into memory when an infected PC is booted and then infects any floppy disk used in the PC. A PC which boots from an infected floppy disk becomes infected.
If the BIOS settings are changed to prevent the PC booting from the floppy drive then the PC cannot become infected. |
Naming: |
There is no standard naming convention for this type of virus. |
Affects: |
All file types. |
Description: |
This prefix is used to denote viruses that infect in the middle of a file rather than at the traditional entry point. Some viruses are reported with this prefix if they are detected at the email gateway and with a different prefix at the desktop. |
Naming: |
Anti-Virus reports these viruses with the prefix "Mid/". |
Affects: |
Systems running IRC. |
Language: |
IRC Script. |
Replication: |
These are executable files which modify the SCRIPT.INI file to make IRC distribute copies of themselves. |
Naming: |
Anti-Virus reports these worms with the prefix "mIRC/" or "pIRC/". |
Description: |
A problem which is often erroneously attributed to computer viruses. |
Examples: |
View misunderstandings. |
Affects: |
MS Office 97 (or later) running on any operating system. |
Language: |
VBA5 or later macro language. |
Replication: |
Infects two or more different Office components. Most of them infect Word and Excel but PowerPoint and Project files can also be affected. |
Naming: |
Anti-Virus reports these viruses with the prefix "OF97/". |
Affects: |
PalmOS Palm resource (PRC) files. |
Replication: |
All known viruses actively search for other Palm resource files to infect. |
Naming: |
Anti-Virus reports these viruses with the prefix "Palm/". |
Affects: |
MS PowerPoint 97 (or later) running on any operating system. |
Language: |
VBA5 or later macro language. |
Replication: |
The virus runs when some action occurs and infects other PowerPoint files or the main template (Blank Presentation.pot). New presentations created from an infected template will themselves be infected. |
Naming: |
Anti-Virus reports these viruses with the prefix "PM97/" and "PP97M". |
Affects: |
Computers with Windows 95/98/Me and Windows NT/2000/XP operating systems. |
Description: |
Registry viruses attempt to modify the contents of the registry. |
Replication: |
Infects by a variety of mechanisms. |
Naming: |
Anti-Virus reports these viruses with the prefix "REG/". |
Description: |
A fraudulent business scheme or swindle. |
Examples: |
scams. |
Description: |
A warning about a possible threat which has been greatly exaggerated. |
Examples: |
scares. |
Description: |
Spyware is software, usually installed without the user's consent, that gathers information secretly about a computer user and relays that information, also covertly, to someone else. It can infiltrate a computer as a software virus or be hidden within a program. Spyware can monitor keystrokes, gather email addresses, and capture passwords and credit card numbers. |
Naming: |
Anti-Virus reports malicious spyware with the prefix "Troj/". |
Affects: |
Devices running Symbian OS. |
Replication: |
Infects other Symbian devices using Bluetooth. |
Naming: |
Anti-Virus reports these worms with the prefix "Symb/". |
Description: |
A file that is non-viral but causes anti-virus software to react to it, as if it were a virus. Test files are used primarily as a way for network administrators to check that their anti-virus software has been correctly deployed. makes the EICAR test file (EICAR stands for European Institute for Computer Anti-virus Research) available to its customers for this purpose. |
Replication: |
Does not replicate. |
Description: |
A seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Trojans are sometimes used in conjunction with viruses. A backdoor Trojan is a program that allows other computer users to gain access to your computer across the internet. |
Replication: |
Do not replicate. |
Naming: |
Anti-Virus reports these viruses with the prefix "Troj/". |
Affects: |
Computers connected to a network running Unix. |
Replication: |
Unix worms take advantage of flaws in networking code called buffer overflows to gain unauthorised access to remote computers running Unix. Once they have gained access they will begin searching for new machines to infect. They can spread rapidly between computers permanently connected to the internet because they require no user intervention to function. |
Naming: |
Anti-Virus reports these worms with the prefix "Unix/". |
Description: |
A computer program that copies itself. Often viruses will disrupt computer systems or damage the data contained upon them. A virus requires a host program and will not infect a computer until it has been run. Some viruses spread across networks by making copies of themselves or may forward themselves via email. The term 'virus' is often used generically to refer to both viruses and worms. |
Description: |
A warning about a non-existent virus. Such warnings usually urge users to forward them to everyone they know. |
Examples: |
hoaxes. |
Affects: |
Visual Basic scripting files, HTML files with embedded scripts, Microsoft Outlook and Internet Explorer. |
Language: |
Visual Basic Script. |
Replication: |
Infects other executable files by a variety of mechanisms. Some viruses such as VBS/Dismissed-B use Outlook to distribute infected files by email. |
Naming: |
Anti-Virus reports these viruses with the prefix "VBS/". |
Affects: |
Visual Basic scripting files, HTML files with embedded scripts, Microsoft Outlook and Internet Explorer. |
Language: |
Visual Basic Script. |
Replication: |
Uses IRC or Outlook to email multiple copies of infected files to other people. |
Naming: |
Anti-Virus reports these worms with the prefix "VBS/". |
Affects: |
MS Windows 3.0 and 3.1 |
Replication: |
Infects other executable files by a variety of mechanisms. |
Naming: |
Anti-Virus reports these viruses with the prefix "Win/". |
Affects: |
MS Windows 95/98/Me, NT or 2000 PE (Portable Executable) files. |
Replication: |
Infects other executable files by a variety of mechanisms.
Some viruses such as W32/ExploreZip also use Outlook or other programs to distribute infected files by email. |
Naming: |
Anti-Virus reports these viruses with the prefix "W32/". |
Affects: |
Computers connected to a network running Windows 95/98/Me and Windows NT/2000 operating systems. |
Replication: |
Win32 worms spread using Windows networking APIs, MAPI functions or email clients such as Microsoft Outlook. They may create email messages with the worm program attached or attach themselves to outgoing email messages. A message created by a worm often suggests that the recipient should launch the attachment to see something interesting or important. |
Naming: |
Anti-Virus reports these worms with the prefix "W32/" and "Win32". |
Affects: |
MS Windows 95/98/Me PE (Portable Executable) files. |
Replication: |
Infects other executable files. Some viruses become memory resident and infect other programs when they are run. Others actively seek out other files to infect.
Some viruses such as W95/Babylonia also distribute infected files by email. |
Naming: |
Anti-Virus reports these viruses with the prefix "W95/". |
Affects: |
MS Windows 98 PE (Portable Executable) files. |
Replication: |
Infects other executable files. Some viruses become memory resident and infect other programs when they are run. Others actively seek out other files to infect. |
Naming: |
Anti-Virus reports these viruses with the prefix "W98/". |
Affects: |
MS Windows NT or 2000 PE (Portable Executable) files. |
Replication: |
Infects other executable files using a variety of mechanisms. |
Naming: |
Anti-Virus reports these viruses with the prefix "WNT/". |
Affects: |
MS Windows 2000 PE (Portable Executable) files. |
Replication: |
Infects other executable files. Some viruses become memory resident and infect other programs when they are run. Others actively seek out other files to infect. |
Naming: |
Anti-Virus reports these viruses with the prefix "W2K/". |
Affects: |
Any version of MS Word running on any operating system. |
Language: |
Word Basic macro language (used in Word 6 and 95). |
Replication: |
When an infected document is opened the viral macros are copied to the global template (usually NORMAL.DOT). Other documents automatically load the viral macros from this file when they are opened. |
Naming: |
Anti-Virus reports these viruses with the prefix "WM/" (earlier versions used "Winword"). |
Affects: |
MS Word 97 or later running on any operating system. |
Language: |
VBA5 or later macro language. |
Description: |
Word 97 macro Trojans are documents which, when opened, have undesirable effects on the system such as deleting files or compromising system security. |
Replication: |
Does not replicate. |
Naming: |
Anti-Virus reports these viruses with the prefix "WM97/" and "W97M". |
Affects: |
MS Word 97 or later running on any operating system. |
Language: |
VBA5 or later macro language. |
Replication: |
Some of these viruses copy the viral macros into the global template (usually NORMAL.DOT) in the same way as Word macro viruses. This method of transmission does not work with MS Office 97 SR1 or later.
Most of the recent viruses copy the viral macros into another file and modify the global template to import them when another document is opened. |
Naming: |
Anti-Virus reports these viruses with the prefix "WM97/" and "W97M". |
Affects: |
MS Word 97 or later running on any operating system. |
Language: |
VBA5 or later macro language. |
Replication: |
Uses mail programs such as MS Outlook to automatically send infected files to names listed in the address book. Many of these worms also replicate in the same way as Word 97 macro viruses. |
Naming: |
Anti-Virus reports these worms with the prefix "WM97/" and "W97M". |
Description: |
A type of virus that does not need a host program. It has the ability to self-replicate and often will use email and the internet to spread. |
Affects: |
MS Word 2001 on Apple computers. |
Language: |
VBA6 or later macro language. |
Replication: |
Some of these viruses copy the viral macros into the global template (usually NORMAL.DOT) in the same way as Word macro viruses. The majority of these viruses are upconverts of existing Word 97 viruses. Most payloads are, however, Intel-specific and do not work. |
Naming: |
Anti-Virus reports these viruses with the prefix "WM97/" and "W97M". |
Affects: |
Computers with Windows 95/98/Me and Windows NT/2000/XP operating systems. |
Description: |
Windows Scripting Host is the framework under which JavaScript, Visual Basic Script and ActiveX components execute. A virus, worm or Trojan may use multiple components within this framework. |
Replication: |
Infects by a variety of mechanisms. |
Naming: |
If a virus, worm or Trojan uses multiple components within the Windows Scripting Host framework, Anti-Virus reports it with the prefix "WSH/". |