ActiveX malicious code
ActiveX controls allow Web developers to create interactive, dynamic Web pages with broader functionality such as HouseCall, Trend Micro's free on-line scanner. An ActiveX control is a component object embedded in a Web page which runs automatically when the page is viewed. In many cases, the Web browser can be configured so that these ActiveX controls do not execute by changing the browser's security settings to "high." However, hackers, virus writers, and others who wish to cause mischief or worse may use ActiveX malicious code as a vehicle to attack the system. To remove malicious ActiveX controls, you just need to delete them.
Aliases
There is no commonly accepted industry standard for naming viruses
and malicious mobile code. Each may be known by several different
names or aliases. See virus types for an
explanation of Trend Micro virus-naming conventions.
Backdoor
A Backdoor is a program that opens
secret access to systems, and is often used to bypass system security.
A Backdoor program does not infect other host files, but nearly all
Backdoor programs make registry modifications. For detailed removal
instructions please view the virus description. See virus types
for an explanation of Trend Micro virus-naming conventions.
Boot sector viruses
Boot sector viruses infect the boot sector or partition table of a
disk. Computer systems are most likely to be attacked by boot sector
viruses when you boot the system with an infected disk from the floppy
drive - the boot attempt does not have to be successful for the virus
to infect the hard drive. Also, there are a few viruses that can
infect the boot sector from executable programs; these are known as
multi-partite viruses and they are relatively rare. Once the system is
infected, the boot sector virus will attempt to infect every disk that
is accessed by that computer. In general, boot sector viruses can be
successfully removed.
Date of origin
Indicates when a virus was first discovered (if known).
Description
This is a brief summary of a virus listed in the Trend
Virus Encyclopedia. For detailed technical information, click on
the "Tech Details" tab.
Destructive viruses
In addition to self-replication, computer viruses may have a routine
that can deliver the virus payload. A virus is defined as destructive
if its payload does some damage to your system, such as corrupting or
deleting files, formatting your hard drive, or committing
denial-of-service attacks.
ELF
ELF refers to Executable and Link Format, which is the well-documented
and available file format for Linux/UNIX executables. Trend products
detect malicious code for Linux/UNIX as "ELF_Virusname."
Encrypted viruses
Indicates that the virus code contains a special routine that encrypts
the virus body to evade detection by antivirus software. Trend Micro’s
antivirus products have the ability to decrypt the virus body and
detect such viruses.
File infecting viruses
File infecting viruses infect executable programs (generally, files
that have extensions of .com or .exe). Most such viruses simply try
to replicate and spread by infecting other host programs - but some
inadvertently destroy the program they infect by overwriting some of
the original code. A minority of these viruses are very
destructive and attempt to format the hard drive at a pre-determined
time or perform some other malicious action. In many cases, a
file-infecting virus can be successfully removed from the infected
file. If the virus has overwritten part of the program's code,
the original file will be unrecoverable.
In-the-Wild virus list
The In-the-Wild virus list is a list of the most common viruses that
have been found infecting users’ computers worldwide. The list is
compiled by the renowned antivirus researcher Joe Wells. Wells updates
the list regularly, working closely with antivirus research teams
around the world, including Trend Micro’s. When ICSA (International
Computer Security Association) conducts virus testing of antivirus
products, the In-the-Wild virus list serves as the basis for its
comparative analysis. More info: http://www.wildlist.org
Java malicious code
Java applets allow Web developers to create interactive, dynamic Web
pages with broader functionality. Java applets are small, portable
Java programs embedded in HTML pages. They can run automatically
when the pages are viewed. However, hackers, virus writers, and others
who wish to cause mischief may use Java malicious code as a
vehicle to attack the system. In many cases, the Web browser can be
configured so that these applets do not execute by changing the
browser's security settings to "high."
Joke programs
Joke programs are ordinary executable programs. They are added to the
detection list because they are found to be very annoying and/or they
contain pornographic images. Joke programs cannot spread unless
someone deliberately distributes them. To get rid of a Joke program,
delete the file from your system.
Language
This refers to the language locale of the virus working platform such
as MS Word in English or Chinese.
Malware
Malware is a general term used to refer to any unexpected or malicious
programs or mobile code, such as viruses, Trojans, worms, or Joke
programs.
Macro virus
Macro viruses are viruses that use another application's macro
programming language to distribute themselves. They infect documents
such as MS Word or MS Excel files. Unlike other viruses, macro viruses
do not infect programs or boot sectors - although a few do drop
programs on the user's hard drive. The dropped files may infect
executable programs or boot sectors. Macro viruses can be removed
safely from the infected document using Trend Micro’s antivirus
products.
Special note: Occasionally, you may get an "illegal operation" error when you try to start MS Word after cleaning a Word macro virus. If this happens, search for the file "normal.dot" and rename it to "normaldot.bak." MS Word will generate a new, clean "normal.dot" the next time it is started. This problem occurs because some viruses can leave harmless code residue that MS Word may be reading incorrectly, causing erratic behavior. Trend antivirus software only removes malicious viral code and not user-created macros.
NE
NE refers to New Executable, which is the standard Windows 16-bit
executable file format. Windows 16-bit viruses are detected by Trend
products as "NE_Virusname."
Password
Some viruses set a password when they infect a document. The main
objective of the virus here is to make the document inaccessible. This
password can be a word, phrase, or even a randomly generated number.
Payload
A virus’ payload is an action it performs on the infected computer.
This can be something relatively harmless like showing messages or
ejecting the CD drive, or something destructive like deleting the
entire hard drive.
PE
PE refers to Portable Executable, which is the standard Win32
executable file format. Windows 32-bit viruses are detected by Trend
products as "PE_Virusname."
Place of origin
Indicates where a virus is believed to have originated (if known).
Platform
Indicates the computer operating system or application on which a
virus can run and perform an infection. Generally, a particular
operating system is required for executable viruses and a specific
application is needed for macro viruses.
Proof of Concept
A proof of concept virus or Trojan indicates that something is new or
that it has never been seen before. For example, VBS_Bubbleboy was a proof
of concept worm, as it was the first email worm to automatically
execute without requiring a user to double-click on an attachment.
Most proof of concept viruses are never seen in-the-wild. However,
virus writers will often take the idea (and code) from a proof of
concept virus and implement it in future viruses.
Rate of infection
This table displays the relative rate of infection in each region.
While the "number of computers infected" table reflects the
larger numbers of Internet users in North America, Asia and Europe,
the "rate of infection" is useful as an estimate of how
quickly a virus is spreading in each region. An infection rate of 5%,
for example, means that approximately 5 out of 100 computers are
infected.
Size of macro/malicious code/virus
Indicates the size of the virus code in bytes. This number is
sometimes used as part of the virus name to distinguish it from its
variants.
Script viruses (VBScript, JavaScript, HTML)
Script viruses are written in script programming languages, such as
VBScript and JavaScript. VBScript (Visual Basic Script) and JavaScript
viruses make use of Microsoft's Windows Scripting Host to
activate themselves and infect other files. Since Windows Scripting
Host is available on
Windows 98 and Windows 2000, the viruses can be activated simply by
double-clicking the *.vbs or *.js file from Windows Explorer.
HTML viruses use the scripts embedded in HTML files to do their damage. These embedded scripts automatically execute the moment the HTML page is viewed from a script-enabled browser.
Trigger condition or date
Indicates the condition or date on which the virus's
payload will be triggered. Please note that date-activated viruses may
infect your computer 365 days a year. Your computer may be infected by
these viruses prior to the date specified.
Trojan
A Trojan horse is a program that performs some unexpected or
unauthorized, usually malicious, actions such as displaying messages,
erasing files or formatting a disk. A Trojan horse doesn’t infect
other host files, thus cleaning is not necessary. To get rid of a
Trojan, simply delete the program.
Virus types
Viruses and other malware are classified into various types depending
on their file formats and infection routines. To distinguish among
these types, Trend Micro uses the following prefixes:
- ActiveX malicious code - ATVX
- Boot sector viruses - no prefix
- COM and EXE file infectors - PE, NE, or no prefix
- Executable and Link format - ELF
- Joke programs - JOKE
- Java malicious code - JAVA
- Macro viruses - W2KM, W97M, X97M, P97M, A97M, WM, XM, V5M
- Trojan horses - TROJ
- VBScript, JavaScript or HTML viruses - VBS, JS, HTML
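An added example (not Trend Micro code) that applies the prefix list above during triage: it splits a detection name at the underscore and checks whether a PE, NE or ELF prefix agrees with the file's header bytes. The header signatures come from the public file format specifications rather than this page, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Prefixes copied from the list above.
KNOWN_PREFIXES = {"ATVX", "PE", "NE", "ELF", "JOKE", "JAVA", "W2KM", "W97M", "X97M",
                  "P97M", "A97M", "WM", "XM", "V5M", "TROJ", "VBS", "JS", "HTML"}

def split_detection_name(name):
    """Split 'PE_Virusname' into ('PE', 'Virusname'); prefix is None if not listed."""
    prefix, sep, rest = name.partition("_")
    if sep and prefix.upper() in KNOWN_PREFIXES:
        return prefix.upper(), rest
    return None, name

def executable_format(data):
    """Classify header bytes as 'ELF', 'PE', 'NE', 'MZ' (plain DOS EXE) or 'unknown'."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] != b"MZ":
        return "unknown"
    if len(data) < 0x40:            # truncated DOS header, no room for the offset field
        return "MZ"
    (offset,) = struct.unpack_from("<I", data, 0x3C)   # offset of the new-style header
    signature = data[offset:offset + 4]                # empty if offset is out of range
    if signature == b"PE\x00\x00":
        return "PE"
    if signature[:2] == b"NE":
        return "NE"
    return "MZ"

def prefix_consistent(name, data):
    """True/False when the name claims an executable format; None when it does not."""
    prefix, _ = split_detection_name(name)
    if prefix not in {"PE", "NE", "ELF"}:
        return None
    return executable_format(data) == prefix

def _mz(signature):
    # Constructed sample: minimal DOS header whose 0x3C field points at offset 0x40.
    return b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x40) + signature

SAMPLE_ELF = b"\x7fELF" + bytes(12)      # constructed
SAMPLE_PE = _mz(b"PE\x00\x00")           # constructed
SAMPLE_NE = _mz(b"NE\x00\x00")           # constructed

if __name__ == "__main__":
    for name, blob in [("PE_Virusname", SAMPLE_PE), ("PE_Virusname", SAMPLE_ELF),
                       ("NE_Virusname", SAMPLE_NE), ("TROJ_Virusname", SAMPLE_PE)]:
        print(name, executable_format(blob), prefix_consistent(name, blob))
```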
Worm
A computer worm is a self-contained program (or set of programs) that
is able to spread functional copies of itself or its segments to other
computer systems. The propagation usually takes place via network
connections or email attachments. To get rid of a worm you just need
to delete the program.