Synonyms: Virus, Computer virus, Malicious program
Today the term virus is often loosely used to refer to any type of malicious program, or is used to describe any ‘bad thing’ that a malicious program does to a host system. Strictly speaking, however, a virus is defined as program code that replicates.
Of course, this simple definition leaves plenty of scope for further sub-division. Sometimes viruses are classified by the types of object they infect: boot sector viruses, file viruses and macro viruses, for example.
Or they may be classified by the method they use to select their host. ‘Indirect action file viruses’ load into memory and hook into the system such that they can infect files as they are accessed. Conversely, ‘direct action file viruses’ do not go memory resident, simply infecting a file (or files) when an infected program is run and then ‘going to sleep’ until the next time an infected file is run.
Another way of classifying viruses is by the techniques they use to infect. There are ‘appending viruses’ that add their code to the end of a host file, ‘prepending viruses’ that put their code at the start of a host file and ‘overwriting viruses’ that replace the host file completely with their own code. By contrast, companion viruses and link viruses avoid adding code to a host file at all.
Then there are stealth viruses that manipulate the system to conceal changes they make and polymorphic viruses that encrypt their code to make it difficult to analyze and detect.
Of course, there are also viruses that fail to work: they either fail to infect or fail to spread. Such would-be viruses are sometimes referred to as ‘wannabes’.
A specific type of virus where the virus code is stored not in the host program but in a separate ‘companion’ file. For example, the virus might rename the standard NOTEPAD.EXE file to NOTEPAD.EXD and create a new NOTEPAD.EXE containing the virus code. When the user subsequently runs the Notepad application, the virus runs first and then passes control to the original program, so the user doesn’t see anything suspicious.
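A defensive check for the pattern just described, written as an added example (not code from the original glossary): it looks for an executable that has a same-stem sibling with a non-executable extension whose content nevertheless starts with an executable header. The directory contents and the MZ-header heuristic are assumptions of this example.

```python
"""Flag companion-style pairs such as NOTEPAD.EXE next to NOTEPAD.EXD.
Added example: the directory listing below is constructed, and treating a
leading 'MZ' as 'this is really an executable image' is a simple heuristic
chosen for illustration, not a complete detection method."""

import os
from collections import defaultdict

EXEC_EXTS = {".exe", ".com", ".dll", ".scr", ".sys"}
MZ = b"MZ"  # DOS/PE executable header signature


def is_executable_image(content: bytes) -> bool:
    """True if the file content begins with an executable header."""
    return content[:2] == MZ


def find_companion_candidates(directory: dict) -> list:
    """directory maps a file name to its (leading) bytes.
    Returns (executable, suspected_renamed_original) pairs worth inspecting."""
    by_stem = defaultdict(list)
    for name in directory:
        stem, ext = os.path.splitext(name.lower())
        by_stem[stem].append((name, ext))
    hits = []
    for entries in by_stem.values():
        exes = [n for n, e in entries if e in EXEC_EXTS]
        # Same stem, non-executable extension, but still an executable image.
        others = [n for n, e in entries
                  if e not in EXEC_EXTS and is_executable_image(directory[n])]
        for exe in exes:
            for other in others:
                hits.append((exe, other))
    return hits


# Constructed sample directory for the example.
SAMPLE_DIR = {
    "NOTEPAD.EXE": b"MZ\x90\x00" + b"\x00" * 60,  # new file that runs first
    "NOTEPAD.EXD": b"MZ\x90\x00" + b"\x00" * 60,  # renamed original program
    "README.TXT": b"Release notes ...",
    "CALC.EXE": b"MZ\x90\x00" + b"\x00" * 60,  # no companion, not flagged
    "CALC.INI": b"[settings]\r\n",  # data file, not an executable image
}

if __name__ == "__main__":
    for exe, original in find_companion_candidates(SAMPLE_DIR):
        print(f"{exe} may be a companion for renamed original {original}")
```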
A cache is used to store data temporarily, typically recently accessed files (cache memory, disk cache or web browser cache, for example). Since accessing the cache is quicker than accessing regular Random Access Memory [RAM] or disk, files stored in the cache can be accessed without the need for the processor to carry out the more intensive work of reading data from regular memory or disk.
Synonyms: Command line, Command Line Prompt, Command Prompt, DOS prompt
The command line provides a keyboard-driven interface between a computer and the user. The user types in a command and the computer processes the appropriate instruction for that command, after which it displays a specified prompt indicating to the user that the system is ready for further commands.
MS-DOS was a command line driven system. Microsoft® Windows®, by contrast, offers a Graphical User Interface [GUI] and the means to input instructions using a mouse (in addition to command line access). Most Unix-based operating systems also offer both command line and GUI interfaces.
CARO, set up in December 1990, is an informal forum in which anti-virus experts who trust one another can exchange ideas and information on malware.
This general term, first used in the wake of the Nimda outbreak in September 2001, describes threats that come as a composite ‘bundle’ of malicious programs, using several mechanisms to spread and/or attack their victims. This includes the following.
In the days when MS-DOS was the primary PC operating system, the term ‘multipartite’ was used to describe viruses that used more than one technique to spread (infecting programs and system sectors).
Synonyms: Packed file
A compressed file is one where the data belonging to the file has been reduced in size to save space or data transmission time. For example, software developers make use of various compression utilities to reduce the size of installation files distributed on removable media. At run-time, of course, the file is decompressed automatically, with no user intervention needed.
There are thousands of different compression methods and the compression algorithms used by them vary. At the simplest level, however, compression could be as straightforward as removing repeating characters in a file (a data area in a program, for example, may be initialized with zeroes) and replacing them with a short marker that specifies how many bytes have been removed and what character should be there.
While compression is used in legitimate programs, it is also used by authors of malicious code. It is very common for Trojans, in particular, to be released in compressed form (and sometimes re-released in a re-packaged form).
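The ‘simplest level’ of compression described above, run-length encoding of repeated bytes with a short marker, as an added example (not code from the original glossary). The marker layout (an escape byte, a one-byte count and the repeated byte) and the handling of a literal escape byte are choices made for this example.

```python
"""Run-length encoding: a run of one repeated byte becomes ESC <count> <byte>.
Added example. ESC, MIN_RUN and the 'count 0 means a literal ESC' rule are
this example's own conventions, not a standard format."""

ESC = 0x1B      # marker byte chosen for this example
MIN_RUN = 4     # shorter runs cost less stored literally than as a marker
MAX_RUN = 255   # the count is a single byte


def rle_compress(data: bytes) -> bytes:
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        run = 1
        while i + run < len(data) and data[i + run] == b and run < MAX_RUN:
            run += 1
        if run >= MIN_RUN:
            out += bytes([ESC, run, b])      # e.g. 255 zero bytes -> 3 bytes
        else:
            for _ in range(run):
                if b == ESC:
                    out += bytes([ESC, 0])   # count 0 escapes a literal ESC
                else:
                    out.append(b)
        i += run
    return bytes(out)


def rle_decompress(data: bytes) -> bytes:
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != ESC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated marker at end of input")
        count = data[i + 1]
        if count == 0:                       # literal ESC byte
            out.append(ESC)
            i += 2
        else:
            if i + 2 >= len(data):
                raise ValueError("truncated marker at end of input")
            out += bytes([data[i + 2]]) * count
            i += 3
    return bytes(out)
```

A zero-initialised data area of 1000 bytes shrinks to four markers (12 bytes), which is why packers are attractive both to installers and to Trojan authors who want a smaller, differently-shaped file.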
A cookie is the name given to a small piece of information saved to a user’s machine by a web site that the user visits. Cookies are often used to store user preferences about a web site, login information or even advertising information that has been displayed to the user during their visit to the site.
Synonyms: Worm, Email worm, Internet worm, Network worm
Worms are generally considered to be a subset of viruses, but with key differences. A worm is a computer program that replicates, but does not infect other files: instead, it installs itself on a victim computer and then looks for a way to spread to other computers.
From a user’s perspective, there are observable differences. In the case of a virus, the longer it goes undetected, the more infected files there will be on the victim computer. In the case of a worm, by contrast, there is just a single instance of the worm code. Moreover, the worm’s code is ‘self-standing’, rather than being added to existing files on the disk.
Like viruses, worms are often sub-divided according to the means they use to infect a system. E-mail worms are distributed as attachments to e-mail messages; IM worms are attached to messages sent using instant messaging programs (such as IRC or ICQ); P2P [peer-to-peer] worms use file-sharing networks to spread. Network worms spread directly over the LAN [Local Area Network] or across the Internet, often making use of a specific vulnerability.
The term ‘worm’ was coined by sci-fi writer John Brunner in his 1975 novel Shockwave Rider. The hero, a talented programmer, created self-replicating computer programs that tunneled their way through a worldwide network.