Glossary of Virus Terms
Armored Virus
An armored virus is one which uses special tricks to make the tracing,
disassembling and understanding of its code more difficult. A good example
is the Whale virus.
Boot Record
The program recorded in the Boot Sector. All floppies have a boot record,
whether or not the disk is actually bootable. Whenever you start or reset
your computer with a disk in the A: drive, the BIOS reads the boot record
from that diskette into memory and executes it, before any part of DOS has
loaded. If a boot virus has infected the floppy, what runs first is the
virus code (because the boot virus placed its code in the boot sector); the
virus then reads the sector where it stored the original boot record and
jumps to it, so the boot appears to proceed normally.
Boot Sector
The first logical sector of a drive. On a floppy disk, this is located
on side 0 (the top), cylinder 0 (the outside), sector 1 (the first sector.)
On a hard disk, it is the first sector of a logical drive, such as C: or
D:. This sector contains the Boot Record, which is created by FORMAT (with
or without the /S switch.) The sector can also be created by the DOS SYS
command.
Boot Sector Infector
Every logical drive, both hard disk and floppy, contains a boot sector.
This is true even of disks that are not bootable. This boot sector contains
specific information relating to the formatting of the disk, the data stored
there and also contains a small program called the boot program (which
loads the DOS system files). The boot program displays the familiar "Non-system
Disk or Disk Error" message if the DOS system files are not present. It
is also the program that gets infected by viruses. You get a boot sector
virus by leaving an infected diskette in a drive and rebooting the machine.
When the program in the boot sector is read and executed, the virus goes
into memory and infects your hard drive. Remember, because every disk has
a boot sector, it is possible (and common) to infect a machine from a data
disk. All "boot viruses" infect the boot sector of floppy disks; some of
them, such as Form, also infect the boot sector of hard disks. Other boot
viruses infect the master boot sector of hard disks.
Boot Virus
A term that describes those viruses which place their starting code
in the boot sector of floppies, and either the boot sector or master
boot sector of hard disks. Viruses which also infect files are sometimes
known as multipartite viruses.
BSI
Boot Sector Infector: a virus which takes control when the computer
attempts to boot (as opposed to a file infector).
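The infection sequence described under Boot Record and Boot Sector Infector, modelled on a disk image, together with the two checks an offline scan can make on such an image. This is an added example, not part of the original glossary: the loader bytes, the virus bytes and the stash location (LBA 33) are constructed stand-ins, and the "known-clean" hash is taken from the clean image in the same run rather than from any real DOS version.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"      # bytes 510-511 of every valid boot record
CODE_START = 0x3E           # first byte after the DOS 4+ extended BPB


def make_boot_sector(oem=b"MSDOS5.0", total_sectors=2880):
    """Clean DOS boot record for a 1.44M floppy: short JMP over the BPB, OEM
    name, BIOS parameter block, loader code, signature. The loader bytes are a
    constructed stub, not a real DOS loader."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x3C\x90"                       # JMP SHORT +0x3C ; NOP
    sec[3:11] = oem.ljust(8)
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors,
    # media byte, sectors/FAT, sectors/track, heads, hidden, large total
    struct.pack_into("<HBHBHHBHHHII", sec, 11,
                     512, 1, 1, 2, 224, total_sectors, 0xF0, 9, 18, 2, 0, 0)
    # CLI / XOR AX,AX / MOV SS,AX / MOV SP,7C00h / STI
    sec[CODE_START:CODE_START + 9] = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB"
    sec[SECTOR - 2:] = BOOT_SIG
    return bytes(sec)


def infect(disk, virus_code, stash_lba):
    """Boot-sector infector: the original record is copied to stash_lba and
    sector 0 is rewritten with the virus in the loader area. The BPB and the
    signature are preserved so DOS still recognises the disk."""
    original = disk[0]
    sec = bytearray(original)
    sec[CODE_START:CODE_START + len(virus_code)] = virus_code
    disk[stash_lba] = original
    disk[0] = bytes(sec)


def is_boot_record(sec):
    """Looks like a boot record: 512 bytes, starts with a JMP, ends with 55AA."""
    return len(sec) == SECTOR and sec[0] in (0xEB, 0xE9) and sec[-2:] == BOOT_SIG


def code_hash(sec):
    """Hash only the loader code: the BPB legitimately differs between disks,
    the loader of a given DOS version does not."""
    return hashlib.sha256(sec[CODE_START:SECTOR - 2]).hexdigest()


def check_disk(disk, known_good_hash):
    """Two offline checks on a raw image (no virus resident to lie to us):
    does the loader match the known-clean one, and is there a second copy
    of a boot record anywhere else on the disk (the stashed original)."""
    findings = []
    if not is_boot_record(disk[0]):
        findings.append("sector 0 is not a valid boot record")
    elif code_hash(disk[0]) != known_good_hash:
        findings.append("boot code differs from the known-clean loader")
    for lba, sec in enumerate(disk):
        if lba != 0 and is_boot_record(sec):
            findings.append(f"copy of a boot record at LBA {lba}")
    return findings


def demo():
    disk = [bytes(SECTOR)] * 2880            # blank 1.44M image, constructed
    disk[0] = make_boot_sector()
    baseline = code_hash(disk[0])            # recorded from the known-clean disk
    clean_findings = check_disk(disk, baseline)
    # constructed "virus": MOV AX,0013h / INT 13h / JMP $ (never executed here)
    infect(disk, b"\xB8\x13\x00\xCD\x13\xEB\xFE", stash_lba=33)
    return clean_findings, check_disk(disk, baseline)


if __name__ == "__main__":
    print(demo())
```

The second check is the one worth remembering: a boot virus that preserves the original record has to put it somewhere, and a valid-looking boot record outside sector 0 is a footprint that does not depend on knowing the virus. Both checks only work on a disk read without the virus resident, which is why every removal procedure in this glossary starts with a clean boot.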
CMOS
Complementary Metal Oxide Semiconductor: A memory area that is used
in AT and higher class PCs for storage of system information. CMOS is battery
backed RAM (see below), originally used to maintain date and time information
while the PC was turned off. CMOS memory is not in the normal CPU address
space and cannot be executed. While a virus may place data in the CMOS
or may corrupt it, a virus cannot hide there.
Companion Virus
A companion virus is one which, instead of modifying an existing file, creates a new
program which (unknown to the user) gets executed by the command-line interpreter
instead of the intended program. (On exit, the new program executes the
original program so that things will appear normal.) The only way this
has been done so far is by creating an infected .COM file with the same
name as an existing .EXE file. Note that those integrity checkers which
look only for modifications in existing files will fail to detect such
viruses. (Note that not all researchers consider this type of malicious
code to be a virus, since it does not modify existing files.)
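The COM-before-EXE rule from the Companion Virus entry, as an added example that is not from the glossary: a model of how COMMAND.COM resolves a bare command name, a companion being planted, and the difference between an integrity checker that only re-hashes files it already knows and one that also reports new executables and COM/EXE name pairs. The directory tree and file contents are constructed. The model also covers the search order across the PATH, which the entry does not discuss; the extension precedence within a directory is the part the entry describes.

```python
import hashlib

# COMMAND.COM tries these extensions in this order in each directory it searches
PRECEDENCE = (".COM", ".EXE", ".BAT")


def resolve_command(name, directories, search_order):
    """Which file DOS runs for a bare command name: directories are searched in
    order (current directory, then PATH), and inside one directory .COM wins
    over .EXE, which wins over .BAT."""
    for d in search_order:
        present = {f.upper() for f in directories.get(d, {})}
        for ext in PRECEDENCE:
            if name.upper() + ext in present:
                return d + "\\" + name.upper() + ext
    return None


def plant_companion(directories, directory, exe_name, companion_body):
    """Companion infector: nothing existing is modified. A new .COM with the
    same base name as the .EXE is created, so it is what runs from now on."""
    base = exe_name.upper().rsplit(".", 1)[0]
    directories[directory][base + ".COM"] = companion_body


def snapshot(directories):
    """Integrity-checker database: full path -> hash of contents."""
    return {d + "\\" + f: hashlib.sha256(data).hexdigest()
            for d, files in directories.items() for f, data in files.items()}


def check_known_files(baseline, directories):
    """The weak checker from the text: only files already in the baseline are
    compared, so a freshly created companion is never looked at."""
    now = snapshot(directories)
    return sorted(p for p in baseline if now.get(p) != baseline[p])


def check_new_and_pairs(baseline, directories):
    """Stronger checker: also report executables that appeared since the
    baseline, and any .COM that shadows a .EXE of the same name."""
    now = snapshot(directories)
    new = sorted(p for p in now if p not in baseline
                 and p.upper().endswith((".COM", ".EXE", ".BAT")))
    pairs = sorted(p for p in now
                   if p.upper().endswith(".COM") and p[:-4] + ".EXE" in now)
    return {"new": new, "com_exe_pairs": pairs}


def demo():
    # constructed directory tree: path -> {filename: contents}
    dirs = {"C:\\DOS": {"FORMAT.COM": b"format", "EDIT.COM": b"edit"},
            "C:\\APPS": {"ABC.EXE": b"MZ abc program"}}
    order = ["C:\\APPS", "C:\\DOS"]          # current directory first, then PATH
    baseline = snapshot(dirs)
    before = resolve_command("abc", dirs, order)
    plant_companion(dirs, "C:\\APPS", "ABC.EXE", b"companion: run, then EXEC ABC.EXE")
    after = resolve_command("abc", dirs, order)
    return before, after, check_known_files(baseline, dirs), check_new_and_pairs(baseline, dirs)


if __name__ == "__main__":
    print(demo())
```

The known-files checker returns an empty list after the companion is planted: ABC.EXE still hashes the same, and ABC.COM was never in its database. The second checker reports the new file and the name collision, which is the check an integrity product needs if it is to catch this class at all.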
Detecting Boot Viruses
The best way to determine if you have any virus is to scan with an
antivirus program. If you do not have an antivirus program, either of the
following symptoms may indicate the presence of a boot virus.
1. Attempts to write to a write-protected disk. A boot sector virus in
memory spreads by writing to the floppy boot record. If the virus tries
to write to a write-protected disk, DOS generates the message "Write protect
error writing drive [drive letter]".
2. The DOS command CHKDSK reports less than 655,360 bytes (640K) total
memory. A resident boot virus reserves a little memory below the top of
conventional memory for itself (see TOM).
Notes:
If a boot virus is detected in memory when the system is booted from
a floppy disk, then the boot disk is also infected. You must boot your
system from a clean, write-protected disk to remove the virus. If the system
does not boot directly from the A: drive, then you must change the boot
order in the CMOS setup to A:, C:. Refer to your system documentation
for instructions on how to make this change. The only way a hard drive
becomes infected with a boot virus is through an infected floppy disk.
After you repair the hard drive, you must scan all your floppy disks. If
you boot or attempt to boot your machine with an infected disk, you will
reinfect the hard drive.
False Positive, False Negative
A false positive (or Type-I) error is one in which the anti-virus software
claims that a given file is infected by a virus when in reality the file
is clean. A false negative (or Type-II) error is one in which the software
fails to indicate that an infected file is infected. Clearly false negatives
are more serious than false positives, although both are undesirable.
In the case of virus scanners, false positives are rare, but they can arise if the scan string chosen for a given virus is also present in some benign programs because the string was not well chosen. False negatives are more common with virus scanners because scanners will miss a completely new or a heavily modified virus.
One other serious problem could occur: A positive that is misdiagnosed (e.g., a scanner that detects the Stoned.Empire virus in a boot record but reports it as the Stoned.Standard). In the case of a boot sector infector, use of a Stoned specific "cure" to recover from the Empire could result in an unreadable disk or loss of extended partitions. Similarly, sometimes "generic" recovery can result in unusable files, unless a check is made (e.g. by comparing checksums) that the recovered file is identical to the original file. Some more recent products store information about the original programs to allow verification of recovery processes.
Fast Infector
A typical file infector (such as the Jerusalem) copies itself to memory
when a program infected by it is executed, and then infects other programs
when they are executed.
A fast infector is a virus which, when it is active in memory, infects not only programs which are executed, but even those which are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all (or at least many) programs becoming infected all at once. Examples are the Dark Avenger and the Frodo viruses.
The term slow infector is sometimes used for a virus which, if it is active in memory, infects only files as they are modified (or created). The purpose is to fool people who use integrity checkers into thinking that the modification reported by the integrity checker is due solely to legitimate reasons. An example is the Darth Vader virus.
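Fast, typical and slow infectors side by side, as an added example that is not from the glossary. The "virus" is a model that hooks DOS open, execute and write events and appends a marker to host files; the files and the scanner are constructed. It shows why running a scanner with a fast infector resident infects every executable the scanner touches, and why a slow infector's changes coincide with the user's own writes, which is what makes an integrity checker's report easy to dismiss.

```python
class ResidentVirus:
    """Model of a memory-resident file infector. `kind` selects which DOS
    events it hooks: a typical infector acts on execute, a fast infector also
    on open, a slow infector only on write/create."""
    MARK = b"[INFECTED]"                     # constructed marker appended to hosts
    HOOKS = {"typical": {"exec"}, "fast": {"open", "exec"}, "slow": {"write"}}

    def __init__(self, kind):
        self.events = self.HOOKS[kind]

    def on_event(self, event, name, files):
        if event in self.events and name.upper().endswith((".COM", ".EXE")):
            if not files[name].endswith(self.MARK):
                files[name] = files[name] + self.MARK


class Dos:
    """The DOS services the virus hooks. Every call passes through the
    resident virus before the real work is done."""
    def __init__(self, files, resident=None):
        self.files = dict(files)
        self.resident = resident

    def _fire(self, event, name):
        if self.resident:
            self.resident.on_event(event, name, self.files)

    def open(self, name):                    # INT 21h/3Dh: open file
        self._fire("open", name)
        return self.files[name]

    def execute(self, name):                 # INT 21h/4Bh: load and execute
        self._fire("exec", name)

    def write(self, name, data):             # INT 21h/3Ch+40h: create/write
        self.files[name] = data
        self._fire("write", name)


def infected(files):
    return sorted(n for n, d in files.items() if d.endswith(ResidentVirus.MARK))


def scan(dos):
    """A scanner that, like a real one, has to open every file to look at it."""
    return sorted(n for n in list(dos.files) if dos.open(n).endswith(ResidentVirus.MARK))


FILES = {"A.COM": b"MZ-a", "B.EXE": b"MZ-b", "C.EXE": b"MZ-c", "NOTES.TXT": b"text"}   # constructed


def scenario(kind):
    """Returns (what the scan flagged, what is infected afterwards)."""
    dos = Dos(FILES, ResidentVirus(kind))    # virus already resident in memory
    dos.execute("A.COM")                     # user runs one program
    flagged = scan(dos)                      # user runs the scanner
    dos.write("NEW.COM", b"MZ-new")          # user copies a fresh program onto the disk
    return flagged, infected(dos.files)


def demo():
    return {k: scenario(k) for k in ("typical", "fast", "slow")}


if __name__ == "__main__":
    for kind, result in demo().items():
        print(kind, result)
```

With the fast infector resident the scan itself is the infection vector: B.EXE and C.EXE were clean until the scanner opened them. With the slow infector the only infected file is the one the user just wrote, so a checksum change on it looks expected. Both cases lead to the same rule the glossary repeats: scan only after a clean boot.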
FDISK /MBR
MS-DOS 5.0 or higher: If you have MS-DOS 5.0 or higher, you can use the DOS
command FDISK /MBR to remove all viruses which infect the master boot sector
and which do not encrypt or relocate the partition table. FDISK /MBR rewrites
only the program code in the master boot sector; the partition table and the
boot signature stored in the same sector are left as found. This option should
be used only when all other attempts to repair have failed. Using FDISK
/MBR can sometimes produce unexpected results, causing unrecoverable damage
to your system (for example, if a virus has encrypted the partition table in
place, the rewritten sector contains clean code and an unreadable table, and
your partitions are lost). Here's how to do it:
1. Power off the machine.
2. Place a clean, write-protected system disk in the A: drive, and then power on the computer. NOTE: For this option to work correctly, you must boot from the same version of DOS that is installed on the hard drive. Using a different version of DOS could adversely affect the system information on your hard disk.
3. From the A: prompt, type: C:\DOS\FDISK /MBR and then press Enter.
4. Power off the computer when you see the prompt again. (You will normally see no message from the command in the previous step.)
5. Restart the computer normally, and then scan with your anti-virus software to verify that the virus is gone.
Notes:
If the boot virus is detected in memory when the system is booted from
a "clean" floppy disk, then that boot disk is also infected. You must boot
your system from a clean, write-protected disk to remove the virus. If
the system does not boot directly to the A: drive, then you must change
the boot order in the CMOS setup to A:, C:. Refer to your system
documentation for instructions on how to make this change. The only way
a hard drive becomes infected with a boot virus is through an infected
floppy disk. After you repair the hard drive, you must scan all your floppy
disks. If you boot or attempt to boot your machine with an infected disk,
you will reinfect the hard drive. See also SYS.
File Infectors
These are viruses that attach themselves to (or replace) .COM and .EXE
files, although in some cases they can infect files with extensions .SYS,
.DRV, .BIN, .OVL and .OVY. The most common file viruses are resident viruses,
going into memory at the time the first copy is run, and taking clandestine
control of the computer. Such viruses commonly infect additional programs
as you run them. But there are many non-resident viruses, too, which simply
infect one or more files whenever an infected file is run.
In the Wild
A term that indicates that a virus has been found in several organizations
somewhere in the world. It contrasts the virus with one which has only
been reported by researchers. Despite popular hype, most viruses are "in
the wild" and differ only in prevalence. Some are new and therefore extremely
rare. Others are old, but do not spread well, and are therefore extremely
rare. Joe Wells maintains a list of those he knows of to be "in the wild".
Macro Virus
A new kind of virus, the macro virus, consists of instructions in Word
Basic or some other macro language, and resides in documents. While we
do not think of documents as capable of being infected, any application
which supports macros that automatically execute is a potential platform
for macro viruses. Because documents are now even more widely shared than
diskettes (through networks and the Internet), document-based viruses are
likely to dominate our future.
Master Boot Record
The 340-byte program located in the Master Boot Sector, in the code area
that precedes the partition table (the table occupies the 64 bytes starting
at byte offset 446 of the sector, and the sector ends with the two-byte boot
signature). This program begins the boot process. It reads the partition
table, determines what partition will be booted from (normally C:), and
transfers control to the program stored in the first sector of that partition,
which is the Boot Sector. The Master Boot Record is often called the MBR,
and, less precisely, the "master boot sector" or "partition table." The
master boot record is created when FDISK or FDISK /MBR is run.
Master Boot Sector
The first sector of the hard disk to be read. This sector is located
on the top side ("side 0"), outside cylinder ("cylinder 0"), first sector
("sector 1.") The sector contains the Master
Boot Record.
Master Boot Sector Virus
A virus that infects the master boot sector spreads through the boot
sector of floppy disks. NYB is a typical example:
If you boot or attempt to boot your system with a floppy disk infected by NYB, the virus loads into memory and then writes itself to the master boot sector on the hard drive. If the disk is not bootable, you see the DOS error message "Non-system disk or disk error..." If the disk is bootable, the system boots to the A: prompt. Either way the system is infected, and there is no indication on the screen that this has happened.
Once the hard drive is infected, NYB loads into memory each time the system is booted. The virus stays in memory, waiting for DOS to access a floppy disk. It then infects the boot record on each floppy DOS accesses.
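The layout described under Master Boot Record and the behaviour warned about under FDISK /MBR, as one added example that is not from the glossary. It parses the partition table at offset 446, applies an FDISK /MBR-style repair (code rewritten, table left exactly as found) to two constructed infections, and shows the repair working in the common case where the virus moved the original aside and leaving an unreadable table when the virus scrambled the table in place. The loader stub, the partition entries, the virus bytes and the stash sector are constructed; restore_from_stash is an illustrative alternative for this example, not a DOS command.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 0x1BE                          # partition table: 4 x 16 bytes from byte 446
ENTRY = struct.Struct("<B3sB3sII")         # boot flag, CHS start, type, CHS end, LBA start, sectors

# constructed stand-ins: a loader stub and two partitions (C: FAT16 bootable, then extended)
CLEAN_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8B\xF4\x50\x07\x50\x1F\xFB\xFC"
PARTS = [(0x80, 0x06, 63, 204737), (0x00, 0x05, 204800, 204800)]
VIRUS = b"\xEB\x1C\x90" + b"\xCC" * 32


def build_mbr(code, partitions):
    mbr = bytearray(SECTOR)
    mbr[:len(code)] = code
    for i, (flag, ptype, start, size) in enumerate(partitions):
        ENTRY.pack_into(mbr, PT_OFFSET + 16 * i, flag, b"\0\0\0", ptype, b"\0\0\0", start, size)
    mbr[510:] = b"\x55\xAA"
    return bytes(mbr)


def parse_partitions(mbr):
    """Return (bootable, type, first LBA, sectors) for each used entry."""
    if mbr[510:] != b"\x55\xAA":
        raise ValueError("no 55AA boot signature")
    out = []
    for i in range(4):
        flag, _, ptype, _, start, size = ENTRY.unpack_from(mbr, PT_OFFSET + 16 * i)
        if ptype:
            out.append((flag == 0x80, ptype, start, size))
    return out


def code_is_clean(mbr):
    """Compare the code area against the hash of the known-clean loader."""
    expected = hashlib.sha256(CLEAN_CODE.ljust(PT_OFFSET, b"\0")).digest()
    return hashlib.sha256(mbr[:PT_OFFSET]).digest() == expected


def fdisk_mbr(mbr, clean_code=CLEAN_CODE):
    """What FDISK /MBR does: rewrite bytes 0-445 only. The table and the
    signature are left exactly as found, whatever is in them."""
    return clean_code.ljust(PT_OFFSET, b"\0") + mbr[PT_OFFSET:]


def stoned_style_infect(disk, stash_lba):
    """Common case: original MBR copied aside, virus code in front of the
    untouched partition table. FDISK /MBR repairs this cleanly."""
    disk[stash_lba] = disk[0]
    disk[0] = VIRUS.ljust(PT_OFFSET, b"\0") + disk[0][PT_OFFSET:]


def table_scrambling_infect(disk, stash_lba, key=0x5A):
    """The case the text warns about: the table in sector 0 is XORed and only
    the resident virus presents the real one. FDISK /MBR then installs clean
    code over a garbage table."""
    disk[stash_lba] = disk[0]
    scrambled = bytes(b ^ key for b in disk[0][PT_OFFSET:510])
    disk[0] = VIRUS.ljust(PT_OFFSET, b"\0") + scrambled + b"\x55\xAA"


def restore_from_stash(disk, stash_lba):
    """The safer repair when the stashed original can be located and verified."""
    if not code_is_clean(disk[stash_lba]):
        raise ValueError("stashed sector is not a clean MBR")
    disk[0] = disk[stash_lba]


def demo():
    good = parse_partitions(build_mbr(CLEAN_CODE, PARTS))

    disk = {0: build_mbr(CLEAN_CODE, PARTS)}          # constructed disk: LBA -> sector
    stoned_style_infect(disk, 7)
    after_fdisk_1 = parse_partitions(fdisk_mbr(disk[0])) == good

    disk = {0: build_mbr(CLEAN_CODE, PARTS)}
    table_scrambling_infect(disk, 7)
    after_fdisk_2 = parse_partitions(fdisk_mbr(disk[0])) == good
    restore_from_stash(disk, 7)
    after_restore = parse_partitions(disk[0]) == good and code_is_clean(disk[0])
    return after_fdisk_1, after_fdisk_2, after_restore


if __name__ == "__main__":
    print(demo())
```

The first result is why FDISK /MBR is on the page at all; the second is why the page says to use it only as a last resort. A scanner that knows a particular virus can find and verify the stashed sector (the third result) and put it back whole, which is what a virus-specific "cure" does and what a generic code rewrite cannot.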
Multipartite Virus
A virus that infects both the boot area and files. Removal of multipartite
viruses requires cleaning both boot sectors and infected files. Before
you attempt the repair, you must have a clean, write-protected boot disk
that can boot your system from A: and allow you to access your hard drive.
(If you are running any disk manager or drive overlay software, contact
your vendor for a suitable boot disk.)
For Windows 95 any one of the following disks is suitable, as long as it was
created before the time of infection:
- Windows 95 Startup disk
- Disk #1 of the original MS-DOS installation disks (MS-DOS 5.x or above)
- your anti-virus software's rescue disk
- a boot disk created on a clean PC (MS-DOS 5 or greater)
For DOS/Windows, any of the previous disks other than the Windows 95 Startup
disk will work. If you don't have a system disk, you can make one from a
verified uninfected machine or ask a computer store to make one for you. (To
create a boot disk from a clean PC, insert a blank diskette in the A: drive,
then type format a: /s at the C: prompt in DOS.) If your anti-virus software
finds the virus in memory it may halt your system. If this happens during the
removal procedures, there can be only two causes: either your boot disk is
also infected, or the boot sequence in your CMOS setup points to your C: drive
before your A: drive. Try another boot disk and/or make sure the boot sequence
is A:, C:. Run your anti-virus scanner twice, if it is able to clean this
virus. If, on the second pass, it still finds infection, run it a third
time. If infection is still found, use a different approach. If your anti-virus
software is unable to repair infected files, it may be due to the nature
of the damage, or a weakness in the product. (Be sure you are using the
latest version!) If your scanner cannot clean an infected file, you might
wish to delete the infected file and copy a new one onto your hard drive
from an installation diskette.
P
Polymorphic
A polymorphic virus is one which produces varied (yet fully operational)
copies of itself, in the hope that virus scanners will not be able to detect
all instances of the virus.
One method to evade signature-driven virus scanners is self-encryption
with a variable key; however these viruses (e.g. Cascade) are not termed
"polymorphic," as their decryption code is always the same and thus can
be used as a virus signature even by the simplest, signature-driven virus
scanners (unless another virus or program uses the identical decryption
routine).
One method to make a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind.
A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.
One of the most sophisticated forms of polymorphism discovered so far is the MtE "Mutation Engine" written by the Bulgarian virus writer who calls himself the "Dark Avenger". It comes in the form of an object module. Any virus can be made polymorphic by adding certain calls to the assembler source code and linking to the mutation-engine and random-number-generator modules.
The advent of polymorphic viruses has rendered virus-scanning an ever
more difficult and expensive endeavor; adding more and more search strings
to simple scanners will not adequately deal with these viruses.
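The three stages of the Polymorphic entry (a variable key with a fixed decryptor, a variable decryptor padded with junk instructions, and the virus-specific engine that answers it), as an added example that is not from the glossary. The "body" is an inert byte string; the decryptors are real 8086 encodings but are never executed; neither the generator nor the scanner corresponds to any named virus or product, and the key space (one byte) is kept small so the brute-force "x-ray" stage is cheap to follow.

```python
import random

# inert stand-in for the virus body, and a fixed substring of it usable as a signature
BODY = b"PAYLOAD-BODY-CONSTRUCTED-FOR-EXAMPLE" * 2
BODY_SIG = b"BODY-CONSTRUCTED"

# 8086 encodings used below:
#   BE/BF imm16  MOV SI/DI,imm    B9 imm16  MOV CX,imm    80 /6 ib  XOR byte [SI|DI],ib
#   80 /5 ib     SUB byte [..],ib 46/47     INC SI/DI     E2 rel8   LOOP
FIXED_DECRYPTOR = b"\xBE\x00\x01\xB9\x48\x00\x80\x34"   # MOV SI,100h ; MOV CX,48h ; XOR [SI],


def encrypt(body, key, scheme):
    if scheme == "xor":
        return bytes(b ^ key for b in body)
    return bytes((b + key) & 0xFF for b in body)          # "add": decryptor uses SUB


def cascade_style(key):
    """Variable key but a constant decryptor (Cascade): the decryptor bytes
    are a perfectly good signature even though the body differs per copy."""
    return FIXED_DECRYPTOR + bytes([key]) + b"\x46\xE2\xFA" + encrypt(BODY, key, "xor")


def noise(rng, lo, hi):
    """Do-nothing instructions: NOP, MOV DX,imm16, MOV BX,imm16 (DX/BX unused)."""
    out = b""
    for _ in range(rng.randint(lo, hi)):
        out += rng.choice((b"\x90",
                           b"\xBA" + bytes(rng.randrange(256) for _ in range(2)),
                           b"\xBB" + bytes(rng.randrange(256) for _ in range(2))))
    return out


def polymorphic(rng):
    """Each copy picks a scheme (XOR or ADD/SUB), a pointer register, a key,
    an instruction order and junk padding, so no fixed byte string is common
    to all copies; only the decrypted body is."""
    key, scheme, reg = rng.randrange(1, 256), rng.choice(("xor", "add")), rng.choice(("si", "di"))
    mov_ptr = {"si": b"\xBE", "di": b"\xBF"}[reg] + b"\x00\x01"
    mov_cnt = b"\xB9" + len(BODY).to_bytes(2, "little")
    modrm = {("xor", "si"): 0x34, ("xor", "di"): 0x35,
             ("add", "si"): 0x2C, ("add", "di"): 0x2D}[(scheme, reg)]
    loop = b"\x80" + bytes([modrm, key]) + {"si": b"\x46", "di": b"\x47"}[reg] + b"\xE2\xFA"
    setup = [mov_ptr, mov_cnt]
    rng.shuffle(setup)
    return setup[0] + noise(rng, 1, 2) + setup[1] + noise(rng, 0, 2) + loop + encrypt(BODY, key, scheme)


def string_scan(sample, sig):
    return sig in sample


def xray_scan(sample):
    """Virus-specific engine: undo each candidate decryption over the whole
    sample and look for the body signature. Returns (scheme, key) or None."""
    for key in range(256):
        if BODY_SIG in bytes(b ^ key for b in sample):
            return "xor", key
        if BODY_SIG in bytes((b - key) & 0xFF for b in sample):
            return "add", key
    return None


def demo(seed=1, n=20):
    rng = random.Random(seed)
    fixed = [cascade_style(rng.randrange(1, 256)) for _ in range(n)]
    poly = [polymorphic(rng) for _ in range(n)]

    def hits(test):
        return sum(map(test, fixed)), sum(map(test, poly))

    return {
        "decryptor signature": hits(lambda s: string_scan(s, FIXED_DECRYPTOR)),
        "body signature":      hits(lambda s: string_scan(s, BODY_SIG)),
        "x-ray":               hits(lambda s: xray_scan(s) is not None),
    }


if __name__ == "__main__":
    print(demo())
```

The decryptor signature catches every Cascade-style copy and none of the polymorphic ones; the body signature catches nothing because the body is never stored in clear. The x-ray scanner recovers both sets because it knows the family's decryption schemes and tries every key, which is the "thorough research into the particular virus" the entry describes. Real engines replaced the brute-force loop with emulation of the decryptor once key sizes and instruction variety grew beyond this toy.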
R
RAM
Random Access Memory: the place programs are loaded into in order to
execute; the significance for viruses is that, to be active, they must
grab some of this for themselves. However, some virus scanners may declare
that a virus is active simply when it is found in RAM, even though it might
be simply left over in a buffer area of RAM rather than truly being active.
Resident
A property of most common computer viruses. A resident virus is one
which loads into memory, hooks one or more interrupts, and remains inactive
in memory until some trigger event. When the trigger event occurs, the
virus becomes active, either infecting something or causing some other
consequence (such as displaying something on the screen.) All boot viruses
are resident viruses, as are the most common file viruses.
S
Slow Infector
See Fast Infector.
Sparse Infector
The term sparse infector is sometimes given to a virus which infects
only occasionally, e.g. every 10th executed file, or only files whose lengths
fall within a narrow range, etc. By infecting less often, such viruses
try to minimize the probability of being discovered by the user.
Stealth virus
A virus that uses any of a variety of techniques to make itself more
difficult to detect. A stealth boot virus will typically intercept attempts
to view the sector in which it resides, and instead show the viewing program
a copy of the sector as it looked prior to infection. A stealth file virus
will typically not show any size increase when you issue the "DIR" command.
Stealth viruses must be "active" or running in order to exhibit their stealth
qualities. A stealth virus is one which hides the modifications
it has made in the file or boot record, usually by monitoring the system
functions used by programs to read files or physical blocks from storage
media, and forging the results of such system functions so that programs
which try to read these areas see the original uninfected form of the file
instead of the actual infected form. Thus the virus modifications go undetected
by anti-virus programs. However, in order to do this, the virus must be
resident in memory when the anti-virus program is executed. Example: The
very first virus that infected PCs and compatibles, Brain, a boot-sector
infector, monitors physical disk I/O and re-directs any attempt to read
a Brain-infected boot sector to the disk area where the original boot sector
is stored. The next viruses to use this technique were the file infectors
Number of the Beast and Frodo. Countermeasures: A "clean" system
is needed so that no virus is present to distort the results. Thus the
system should be built from a trusted, clean master copy before any virus-checking
is attempted; this is "The Golden Rule of the Trade." With DOS, (1) boot
from original DOS diskettes (i.e. DOS Startup/Program diskettes from a
major vendor that have been write-protected since their creation); (2)
use only tools from original diskettes until virus-checking has completed.
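A stealth boot virus as an interrupt hook, as an added example that is not from the glossary: the disk, the BIOS read vector and the virus are constructed models. It shows the three things the Stealth and TOM entries describe: a scanner that reads through the hooked vector sees the original sector, the same scanner sees the infection after a clean boot, and the resident virus's reservation of memory shows up as a top-of-memory value below 640K. tunnelling_check is the comparison some anti-stealth scanners made between the hooked path and the controller's own answer; the name is chosen for this example.

```python
SECTOR = 512


def boot_record(tag):
    """Constructed 512-byte sector with a boot signature and a recognisable tag."""
    return tag.ljust(510, b"\0") + b"\x55\xAA"


class Disk:
    def __init__(self, sectors):
        self.sectors = [bytes(SECTOR)] * sectors

    def raw_read(self, lba):                 # the controller, below any software hook
        return self.sectors[lba]

    def raw_write(self, lba, data):
        self.sectors[lba] = data


class Bios:
    """INT 13h and the BIOS data area. `read` is the vector a resident program
    can hook; `base_memory_kb` is the value CHKDSK reports (the TOM)."""
    def __init__(self, disk):
        self.disk = disk
        self.read = disk.raw_read
        self.base_memory_kb = 640


class StealthBootVirus:
    def __init__(self, stash_lba):
        self.stash = stash_lba

    def infect(self, disk):
        """Move the real boot record aside and put the virus in sector 0."""
        disk.raw_write(self.stash, disk.raw_read(0))
        disk.raw_write(0, boot_record(b"VIRUS CODE (constructed) JMP stash"))

    def go_resident(self, bios):
        """Runs when the infected sector boots: take 1K below the top of memory
        and chain in front of INT 13h so reads of sector 0 return the original."""
        bios.base_memory_kb -= 1
        chained = bios.read
        bios.read = lambda lba: chained(self.stash if lba == 0 else lba)


def scanner_sees_clean(bios, known_good):
    """What a scanner that reads through INT 13h concludes."""
    return bios.read(0) == known_good


def tunnelling_check(bios):
    """Anti-stealth check: compare the hooked read with the controller's own
    answer; any difference means something is lying about sector 0."""
    return bios.read(0) != bios.disk.raw_read(0)


def demo():
    disk = Disk(2880)
    clean = boot_record(b"DOS BOOT RECORD (constructed)")
    disk.raw_write(0, clean)
    virus = StealthBootVirus(stash_lba=33)
    virus.infect(disk)

    infected_boot = Bios(disk)               # system booted from the infected disk
    virus.go_resident(infected_boot)
    clean_boot = Bios(disk)                  # same disk, booted from a clean write-protected floppy
    return {
        "scan while resident says clean": scanner_sees_clean(infected_boot, clean),
        "scan after clean boot says clean": scanner_sees_clean(clean_boot, clean),
        "tunnelling check flags hook": tunnelling_check(infected_boot),
        "TOM reported while resident": infected_boot.base_memory_kb,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first two results are the Golden Rule in miniature: the same bytes are on the disk in both cases, and only the path used to read them differs. The memory figure is the CHKDSK symptom from Detecting Boot Viruses; it is a hint rather than proof, since other resident software can lower it for legitimate reasons.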
SYS
To clean a floppy disk, first boot clean (then scan memory to make
sure you have accomplished this), then run the SYS command against the floppy
(for example SYS A:), which writes a fresh boot record and the system files
over the infected boot sector. You can also safely copy files from an infected
disk to your hard disk, then reformat the floppy, if you have booted clean.
See also FDISK /MBR.
T
TOM
Top Of Memory: the end of conventional memory, an architectural design
limit at the 640K mark on most PCs. Some early PCs may not be fully populated,
but the amount of memory is always a multiple of 64K. A boot-record virus
on a PC typically resides just below this mark and changes the value which
will be reported for the TOM to the location of the beginning of the virus
so that it won't get overwritten. Checking this value for changes can help
detect a virus, but there are also legitimate reasons why it may change
(see C11). A very few PCs with unusual memory managers/settings may report
in excess of 640K.
Trojan Horse
A trojan horse is a program that does something undocumented which
the programmer intended, but that the user would not approve of if he knew
about it. According to some people, a virus is a particular case of a Trojan
Horse, namely one which is able to spread to other programs (i.e., it turns
them into Trojans too). According to others, a virus that does not do any
deliberate damage (other than merely replicating) is not a Trojan. Finally,
despite the definitions, many people use the term "Trojan" to refer only
to a non-replicating malicious program, so that the set of Trojans and
the set of viruses are disjoint.
TSR
Terminate and Stay Resident: these are PC programs that stay in memory
while you continue to use the computer for other purposes; they include
pop-up utilities, network software, and the great majority of viruses.
These can often be seen using utilities such as MEM, MAPMEM, PMAP, F-MMAP
and INFOPLUS.
V
Virus
A virus is a piece of software designed and written to make additional
copies of itself and spread from location to location, typically without
user knowledge or permission. Viruses, by definition, add their code to
your system in such a way that when the infected part of the system executes,
the virus code executes too:
Boot viruses place their code in the sector whose code the machine will automatically execute when booting, so that when the machine boots, they load and run. After they are finished loading, they load the original boot code, which they have previously moved to another location.
File viruses attach to executable program files in such a way that when you run the infected program, the virus code first executes. After the virus is finished loading and executing, it loads and executes the program it has infected.
Macro viruses attach to templates and other files in such a way that, when an application loads the file and executes the instructions in it, the first instructions to execute are those of the virus.
A companion virus attaches to the operating system, rather than files or sectors. In DOS, when you run a file named "ABC", the rule is that ABC.COM would execute before ABC.EXE. A companion virus places its code in a COM file whose first name matches the name of an existing EXE. You run "ABC", and the actual sequence is "ABC.COM", then "ABC.EXE".
Worms are similar to viruses in that they make copies of themselves, but differ in that they need not attach to particular files or sectors at all. Once a worm is executed, it seeks other systems - rather than parts of systems - to infect, then copies its code to them.
Some viruses display symptoms, and some cause damage to files in a system they have infected. But neither symptoms nor damage are essential in the definition of a virus. A non-damaging virus is still a virus, not a prank. There are no "good" viruses, simply because a virus is code that was not intentionally installed by the user. Users must be able to control their computers, and that requires that they have the power to install and remove software; that no software is installed, modified, or removed without their knowledge and permission. A virus is surreptitiously self-installed.
It may modify other software in the system without user awareness, and removal can be difficult and costly. Many viruses cause intentional damage. But many more cause damage that may not have been intended by the virus author. For instance, when a virus finds itself in a very different environment than that for which it was written, a non-destructive virus can suddenly become very destructive. A good case in point is the boot virus: while a particular boot virus might not contain any code to damage computers running Windows NT, booting an NT machine with such a virus is likely to be the end of the system. Even if a virus causes no direct damage to your computer, your inexperience with viruses can mean that damage occurs during the removal process. Many organizations have shredded floppies, deleted files, and done low-level formats of hard disks in their efforts to remove viruses. Even when removal is done perfectly, with no damage to the infected system or files, it is not normally done when the machine is first infected, and the virus in that machine has had a few weeks to spread. The social costs of infection include a loss of reputation and good will.