Glossary
A
Aliases. Different anti-virus companies give, as a rule, different names to one and the same virus proceeding from their own rules of a virus name formation.
In most cases the main virus name (for example Klez, Badtrans, Nimda) is identical and is present within the virus name regardless what anti-virus company has given it.
In general only prefixes and suffixes to this name differ and the rules of their usage can be different in different companies. For example, according to virus classification of Doctor Web, Ltd. versions of one and the same virus are numbered starting from 1. Symantec for this purpose uses capital letters of the English Alphabet.
Anti-antivirus Virus (Retrovirus) — a computer virus program which hits anti-virus programs.
Anti-virus Virus a computer virus program which hits other computer viruses.
Anti-virus program a computer program capable of searching, diagnostics (detecting the infected files and the types of viruses), preventing and disinfecting (deletes a virus and restores the damaged files) of the infected with a computer virus files.
In the process of search and diagnostics an anti-virus program detects the infected files and the virus type.
Prevention measures help to avert infection.
In the process of disinfecting the virus is deleted and the damaged files are recovered.
Anti-virus scanner a computer program capable of detecting a viral code in the virus infected files with the help of the virus database known to such anti-virus program or a priori assumption of such virus code structure.
Scanners, from time to time, (for example, on the user's request) check certain objects (disks, folders and files as well as main memory and boot sectors) in order to detect the presence of the virus signature.
Applet a Java language class embedded into the document created in HTML language in the form of an executable module .
Applet is downloaded from server to the user's computer as an attached file. Applets are used, for example, for interactive dialogue with users at Web-pages.
Archive file - a result of files compression by archivator.
B
Back-door a computer program which allows an authorised system access or receipt of a privileged function (working mode). Back-doors are often used to compromise the system`s security settings. They do not infect files but modify registry keys.
Background - a task executed by a system imperceptibly for a user. Such tasks acquire lower priority.
Some malicious programs act in the background performing its actions in invisible for a user mode
Batch file - an executable file containing operating system instructions. It usually has a .bat extension and is designed as a text file, every line of which is an operating system command.
It is executed by a command processor.
Boot virus size. Boot virus head size means a virus body length placed to a boot sector of a diskette or MBR.
Boot virus tail size means a virus body length placed into an empty space of a diskette or a hard disk (such sectors are marked as error sectors).
Bug - any incidental program error both syntactic and semantic.
C
Computer viruses. These are programs or fragments of a program code which, having infected a system can, despite a user's will perform different actions.
They can create or delete objects, modify data files or program files, self-propagate in local drives and computer networks or via Internet. The modification of program files, data files or boot sectors is made in such a way that they themselves become code carriers and can, in its turn, perform the aforesaid actions called infection. These are peculiar features of a computer virus.
Depending upon the infected objects types there are different types of viruses.
D
Daemon — a program performing service functions without a user's request and even invisible for him
Damage. Having hit a computer viruses can perform the following malicious actions.
- Denial of some functions performance during a system work. Errors and malfunction, system hang-up immediately after its reboot.
- Perform actions not determined by a program.
- Destroy files, disks (format disks , delete files).
- Display annoying false message on the computer screen.
- Create audio and video effects (falling-down letters, melody tuning and so on).
- Block access to system resources (increase in size of the infected files because of their multiple infecting, computer work slow-down etc).
One should remember that slight, invisible data files changes present more danger than catastrophic damage incurred to a hard disk or a diskette.
Date and time added to Dr.Web virus database. This means the date and time of an add-on to Dr.Web virus database in which determination of a corresponding virus is given and means of its neutralizing (deletion, disinfecting and so on.) are included. From the time the virus is included into the virus database an anti-virus program can detect the virus and, therefore, neutralize it.
This does not mean that the virus not included into virus database add-on can not be detected by an anti-virus program. Very often a newly appeared virus and by far unprocessed in Anti-virus laboratory of Igor Daniloff is detected by Dr.Web heuristic.
Destructiveness — a virus strategy and its malicious actions, sometimes invisible for a user, aimed at a normal OS functioning damage and even its complete crash as well as conditions under which a virus reveals itself and algorithm of its functioning in a system.
Dropper - a file-carrier which installs a virus into a system. This technique is used sometimes by virus authors to hide the actual virus from its detection by anti-virus programs.
E
Encrypted viruses these are viruses self-encrypting their virus code in order to make more difficult their disassembling and detection in a file, sector or memory. Each and every copy of such virus contains only a short common set of characters - a decrypting procedure which can be considered as the virus signature.
In case of every infection it automatically encrypts itself and every time the procedure is different. This is the way the virus tries to avoid its detection by anti-virus programs.
Executable file a file ready for processing by the operating system. For example, in MS-DOS executable files have extensions .exe, .com and .bat.
Files with extension .exe, and .com are programs.
Files with extension .bat are batch files.
F
File Allocation Table (FAT) - a table designed for a dynamic allocation of a hard drive where cluster is a unit of the memory allotted.
File virus size - actual size of a viral code in bytes which is present in each and every file infected with a certain virus.
G
Guard - a memory resident program controlling operating system sections potentially open for infection with viruses. It comes into action in the moment of the virus intrusion.
The guard detects and blocks attempts of the files infection. In doing this it also detects programs, possibly infected with some virus, which try to perform suspicious actions .
Anti-virus SpiDerGuard is deeply integrated with Dr.Web anti-virus scanner: suspicious programs can be checked "лету" in passing using the whole package of the virus database and its scanning algorithm.
And even more, known for sure infected files can be immediately disinfected.
H
Heuristic. An anti-virus program component. Detects new and unknown before viruses. Heuristic analyzes both files and boot sectors. At heuristic analysis a verification of an executable code of the object examined is carried out and an attempt to detect a presence of characteristic for a virus functions is made.
If heuristic finds suspicious code a message stating a possibility of the infection of the object with unknown virus is displayed to a user. It states also the category this code may belong to. Dr.Web detects the following categories of suspicious objects by its heuristic: COM, EXE, WIN.EXE, TSR, MACRO, BOOT, CRYPT, SCRIPT, BATCH, IRC, WORM.
If at Dr.Web scanner or SpIDer Guard work a message stating a possibility of infecting with one or another category of viruses is displayed we recommend you to send this suspicious object to Doctor Web, Ltd. technical support service for consideration having filled in a special form.
Hidden file - a file which, according to the security policy, is not displayed in the folder files list and is specially marked.
Hoax - a non-viral e-mail message written in a deliberately neutral tone. It contains a notification of a newly spread viral threat.
The majority of hoaxes possess one or several of the below going characteristics.
The virus name the hoax writer refers to does not observe rules of virus naming that are common to anti-virus companies.
The user is asked to find some file in Windows folder and delete it.
He is also asked to pass the warning message over to his friends and all the contacts in his address book.
Such mystification is not harmless yet. The mass-mailing of this useless message increases mail traffic loading and wastes users` time.
Dr.Web database hot adds-on are issued daily or several times per day.
Hyper Text Markup Language (HTML) - a standardized hypertext markup language used in WWW for Web - documents creation and publication.
It possess main functions necessary for hypermedia-documents composition: text formatting, drawings, video and sound and hyperlinks utilization, data search in WWW.
I
J
JavaScript - a script programming language developed by Netscape Communications Corporation. It is compatible with Java programming language. It is used for creation of Web-pages embedded scripts.
K
L
Logic bomb - a sort of Trojan Horse - a hidden program module embedded into developed earlier and widely used program. Such a module stays harmless till a certain condition upon which it activates (for example, some change in a file or certain date or time arrival).
Logic bombs are used sometimes as a sort of a computer sabotage.
M
Mail bomb - one enormously huge e-mail message or many (reaching thousands) messages sent to a user`s computer. This may result in the system crash.
Memory resident virus - a constantly present in memory virus written, as a rule, in Assembler or C languages.
Such viruses may cause a substantial infection and successfully oppose some anti-virus programs. Usually they are small in size. They stay always alert to proceed with their predetermined by the virus author task till the system is active, rebooted or switched off. They are activated and perform their malicious task when, for example, a certain condition takes place (a timer works, etc.).
All boot viruses are memory resident.
MtE viruse - a sort of polymorphic viruses created with the help of MtE (Mutant Engine). Such engine presents a special algorithm, responcible for encrypting and decrypting, and a decryptor`s engine which it appends to any object virus code.
Such decryptor is always different and does not have a single constant byte.
N
O
P
Patch - a sequence of instructions supplementing code of the existing program added by the program developer to improve the existing malfunction. Such sequence of instructions is introduced as a separate block or a file to the necessary place where a jump string is placed. Sometimes it serves as a means of an added function to the existing program version before a new version release where this function will be introduced in usual manner.
Plug-in (a plugged-in program) - an auxiliary program performing additional functions in main program. It can be downloaded together with the application and become visible as an option in respective menu. For example, a program of translating from English in Word for Windows.
Polymorphism - a technology with the help of which a virus changes its viral code and different copies of one and the same virus become different and do not coincide in a single of its bytes.
Polymorphic viruses or viruses with self-modified decryptors (as per N.Bezrukov). These are viruses which, in addition to the encryption virus code, utilize a special decrytion algorithm thus changing themselves in every new viral copy. The decryptor is not constant, it is unique for every virus copy.
Port - устройство сопряжения of a central processor or a computer main memory with other devices for data transfer purpose.
Protocol - a set of rules determining devices, programs and data processing systems interaction algorithm.
Protocol POP (Post Office Protocol)- an Internet protocol of dynamic access to a server mail box from a workstation.
Protocol SMTP (Simple Mail Transfer Protocol) - an Internet protocol of dynamic access to the workstation mailbox from a server.
Q
R
Registry - a hierarchical database in which an operating system stores all the system information, namely, the system configuration, various parameters values, information on programs installed, etc. The registry values can be modified by a user in a Regystry Editor window.
Registry key - a record in the registry, a unique identifier of the information stored in the registry.
Revisor - a program which, from time to time, checks changes in potentially infected files comparing all the system parts with standard.
At the beginning Revisor stores files and sectors checksum data and then it verifies the conformity of standard and current checksum data. It comes into action if they do not coincide (in a result of a virus intrusion).
Revisor makes it possible to detect a virus activity after the infection took place and in some cases to restore the files data as it was before the infection.
Still, it can not determine why the changes in the program occurred, either it was damaged with a virus or it was just retranslated.
S
Script - a program, a special type of a program code written as a rule in interpertable (non-compiling) language and containing commands-instructions.
Script virus - viruses written in Visual Basic, Basic Script, Java Script or Jscript languages.
They usually come to the users` computers in the form of e-mail messages containing attachments with script files.
Programs written in Visual Basic and Java Script languages may come as separate files or be embedded into an HTML-document. In such case they will be interpreted by a browser either from a server or from a local disk.
Shareware soft - a computer software released for free evaluation but программное обеспечение, но предполагающее оплату его автору.
If, after a trial evaluation, a user does not want to utilize this software he must delete it from the computer.
Unauthorized software usage без оплаты автору is considered pirating.
Stealth virus - a virus program undertaking special steps to disguise its activity in order to hide its presence in the infected objects. So-called "stealth" technology makes difficult:
- A virus detection in operating memory
- Virus tracing and disassembling
- Virus detection in an infected program or a boot sector.
System file - a file containing one of the operating system's modules or a set of data used by such system.
T
Target file formats
- .bat - batch file format
- .bin - binary file format
- .com - command file format, a sort of an executable, can not exceed 64 Kb.
- .dll - dynamic link library file format
- .elf - executable file format in OS Linux/UNIX
- .exe - executable file format
- .ini - configuration file format
- .sys - system file format
Time bomb - a sort of logic bombs where a hidden module is activated at specific time.
Trojan Horse - a computer program containing a hidden module which performs unauthorized by a user actions at his computer. These actions may be nondestructive, still, they may cause substantial harm to a system.
Trojan programs - vandals misplace one of often run programs, perform its functions or imitate such performance, carry out different malicious actions -delete files, folders, format disks, send passwords or other confidential information from the user's computer.
Trojan programs became widely spread due to BBS appearance. Some Trojan Horses can contain mechanism of updating of its components via Internet.
Types of viruses. Depending on the infected object type all computer virus programs can be classified according to the following types:
- File viruses - viruses infecting binary files (as a rule they are executable files or dynamic link library files). Often such files have extensions .EXE, .COM, .DLL, .SYS. They can also infect files with extensions .DRV, .BIN, .OVL and .OVY.
These viruses embed into system files, activate at the infected program run and then propagate.
- Boot viruses - viruses infecting Boot records of diskettes, hard drives sections and hard drives MBR (Master Boot Record).
- Macroviruses - viruses infecting document files utilized by Microsoft Office applications and other programs containing macrocommands (usually written in Visual Basic language).
A favourable factor for such viruses spreading is the fact that all the main Microsoft Office components may contain embedded programs (macroses) written in full-functional programming language and in Microsoft Word these macroses are automatically run when you open, close, store or create any document.
Besides, there is a so-called global template NORMAL.DOT in which macroses can be automatically run when you open any document. As copying of macroses from one document to another (and into a global template as well) is made with a single key stroke Microsoft Word environment is ideal for existence of macroviruses such as W97M.Thus.
U
V
Variant - a modified variant of one and the same virus. Alterations to a viral code can be introduced both by the virus author and by a strange person as well.
VBScript - a scripts programming language developed by Microsoft Corporation. It represents a Visual Basic language family designed for creation of scripts embedded into Web-pages. It is supported by MS Internet Explorer browser.
Virus-companion - belong to file viruses.
Such viruses make use of DOS peculiarity allowing program files with the same name but different extensions run with various priority.
By priority they mean a sign given to a task, a program or an operation determining the sequence of their execution by a computer.
Most of such viruses create a .COM-file which possesses higher priority than .EXE-files with the same name. If you run a file indicating just its name (without mentioning its extension) a .СОМ.-file will be run.
Such viruses can stay resident and masquerade двойники-files.
Viral code (Signature) - a system of symbols and uniform rules of their interpretation used to represent the information in the data form. It presents a sequence of symbols and bytes which, as supposed, are peculiar and therefore can be detected in one definite virus, in each and every of its copies but only in it. Anti-virus scanners use viral code for a virus detection.
Polymorphic viruses do not have signatures.
Virus database of Dr.Web - contains information on the viral codes fragments (signatures) known to such anti-virus program. It also stores all the necessary data for recovering (disinfecting) of the damaged with a virus objects.
What is the most important of an anti-virus? Its ability to protect against viruses. This protection is secured, among other conditions, by adding the virus entries (signatures) to the base allowing to detect viruses. But the quantity of entries included in the base says nothing about the ability of an anti-virus program to detect viruses.
The virus base of each anti-virus program has its own structure. Not all viruses are unique. There are families of related (similar) viruses, there are viruses designed by special virus constructors- programs for creation of viruses. All of them are very similar. Some developers of anti-virus programs name each such virus with separate entry, which increases the size of the virus base. The Dr.Web virus bases is designed differently; a single entry in it allows to detect tens, or hundreds, or even thousands similar viruses. Even smaller number of virus entries, comparing to some other anti-virus programs, allows to detect with great likelihood yet unknown viruses (not included into the virus base), which will be created on the basis of already existing viruses.
Let us summarize what a user benefits from the small size of the Dr.Web virus base
- It spares space on the hard drive
- It spares main computer memory resources
- It spares Internet traffic when downloading the updates
- It provides for quick installation of the virus base and its processing when
- analyzing viruses
- It allows to detect viruses which will be created in future by modifying the existing viruses
Virus infected attachments formats
Visual Basic language - a high level programming language developed by Microsoft Corporation.
W
"Wild" - "Wild" - a computer environment. An expression "a virus "in the wild" means that such a virus have caused computers or sites infection outside an anti-virus laboratory.
A "wild virus" list made up by Joe Wells contains a list of most frequently met viruses on computers all over the world.
Worm-virus - a parasitic program capable of self-propagation. It can spread copies of itself but can not affect other computer programs.
It propagates via e-mail (often in the form of an attachment to an e-mail message of via Internet) and mass-mails its malicious copies to other computers.
X
Y
Z
Zoo-virus - a virus existing only within anti-virus laboratories, in virus researchers` collections and is not met in the "wild".