Glossary of Terms


Armored Virus

An armored virus is one which uses special tricks to make the tracing, disassembling and understanding of its code more difficult. A good example is the Whale virus.

Boot Record
The program recorded in the Boot Sector. All floppies have a boot record, whether or not the disk is actually bootable. Whenever you start or reset your computer with a disk in the A: drive, DOS reads the boot record from that diskette. If a boot virus has infected the floppy, the computer first reads the virus code in (because the boot virus placed its code in the boot sector), then jumps to whatever sector the virus tells the drive to read, where the virus has stored the original boot record.
Boot Sector
The first logical sector of a drive. On a floppy disk, this is located on side 0 (the top), cylinder 0 (the outside), sector 1 (the first sector.) On a hard disk, it is the first sector of a logical drive, such as C: or D:. This sector contains the Boot Record, which is created by FORMAT (with or without the /S switch.) The sector can also be created by the DOS SYS command.
Boot Sector Infector
Every logical drive, both hard disk and floppy, contains a boot sector. This is true even of disks that are not bootable. This boot sector contains specific information relating to the formatting of the disk, the data stored there and also contains a small program called the boot program (which loads the DOS system files). The boot program displays the familiar "Non-system Disk or Disk Error" message if the DOS system files are not present. It is also the program that gets infected by viruses. You get a boot sector virus by leaving an infected diskette in a drive and rebooting the machine. When the program in the boot sector is read and executed, the virus goes into memory and infects your hard drive. Remember, because every disk has a boot sector, it is possible (and common) to infect a machine from a data disk. All "boot viruses" infect the boot sector of floppy disks; some of them, such as Form, also infect the boot sector of hard disks. Other boot viruses infect the master boot sector of hard disks.
Boot Virus
A term that describes those viruses which place their starting code in the boot sector of floppies, and either the boot sector or master boot sector of hard disks. Viruses which also infect files are sometimes known as multipartite viruses.

Boot Sector Infector: a virus which takes control when the computer attempts to boot (as opposed to a file infector).

CMOS
Complementary Metal Oxide Semiconductor: A memory area that is used in AT and higher class PCs for storage of system information. CMOS is battery backed RAM (see below), originally used to maintain date and time information while the PC was turned off. CMOS memory is not in the normal CPU address space and cannot be executed. While a virus may place data in the CMOS or may corrupt it, a virus cannot hide there.

Companion Virus
A companion virus is one which, instead of modifying an existing file, creates a new program which (unknown to the user) gets executed by the command-line interpreter instead of the intended program. (On exit, the new program executes the original program so that things will appear normal.) The only way this has been done so far is by creating an infected .COM file with the same name as an existing .EXE file. Note that those integrity checkers which look only for modifications in existing files will fail to detect such viruses.
(Note that not all researchers consider this type of malicious code to be a virus, since it does not modify existing files.)

Detecting Boot Viruses

The best way to determine if you have any virus is to scan with an antivirus program. If you do not have an antivirus program, one of the following symptoms may indicate the presence of a boot virus.

Attempts to write to a write-protected disk. A boot sector virus in memory spreads by writing to the floppy boot record. If the virus tries to write to a write-protected disk, DOS generates the message "write-protect error writing drive [drive letter]."
The DOS command CHKDSK reports less than 655,360 bytes (640K) total memory.

If a boot virus is detected in memory when the system is booted from a floppy disk, then the boot disk is also infected. You must boot your system from a clean, write-protected disk to remove the virus.
If the system does not boot directly from the A: drive, then you must change the boot order in the CMOS setup to A:; C:. Refer to your system documentation for instructions on how to make this change.
The only way a hard drive becomes infected with a boot virus is through an infected floppy disk. After you repair the hard drive, you must scan all your floppy disks. If you boot or attempt to boot your machine with an infected disk, you will reinfect the hard drive.


False Positive, False Negative
A false positive (or Type-I) error is one in which the anti-virus software claims that a given file is infected by a virus when in reality the file is clean. A false negative (or Type-II) error is one in which the software fails to indicate that an infected file is infected. Clearly false negatives are more serious than false positives, although both are undesirable.

In the case of virus scanners, false positives are rare, but they can arise if the scan string chosen for a given virus is also present in some benign programs because the string was not well chosen. False negatives are more common with virus scanners because scanners will miss a completely new or a heavily modified virus.

One other serious problem could occur: A positive that is misdiagnosed (e.g., a scanner that detects the Stoned.Empire virus in a boot record but reports it as the Stoned.Standard). In the case of a boot sector infector, use of a Stoned specific "cure" to recover from the Empire could result in an unreadable disk or loss of extended partitions. Similarly, sometimes "generic" recovery can result in unusable files, unless a check is made (e.g. by comparing checksums) that the recovered file is identical to the original file. Some more recent products store information about the original programs to allow verification of recovery processes.

Fast Infector
A typical file infector (such as the Jerusalem) copies itself to memory when a program infected by it is executed, and then infects other programs when they are executed.
A fast infector is a virus which, when it is active in memory, infects not only programs which are executed, but even those which are merely opened. The result is that if such a virus is in memory, running a scanner or integrity checker can result in all (or at least many) programs becoming infected all at once. Examples are the Dark Avenger and the Frodo viruses.

The term slow infector is sometimes used for a virus which, if it is active in memory, infects only files as they are modified (or created). The purpose is to fool people who use integrity checkers into thinking that the modification reported by the integrity checker is due solely to legitimate reasons. An example is the Darth Vader virus.

FDISK /MBR
MS-DOS 5.0 or higher: If you have MS-DOS 5.0 or higher, you can use the DOS command FDISK /MBR to remove all viruses which infect the master boot sector and which do not encrypt it. This option should be used only when all other attempts to repair have failed. Using FDISK /MBR can sometimes produce unexpected results, causing unrecoverable damage to your system. Here's how to do it:
Power off the machine.
Place a clean, write-protected system disk in A: drive, and then power on the computer. NOTE: For this option to work correctly, you must boot from the same version of DOS that is installed on the hard drive. Using a different version of DOS could adversely affect the system information on your hard disk.
From the A: prompt, type: C:\DOS\FDISK /MBR and then press Enter.
Power off the computer when you see the prompt again. (You will normally see no message from the command in the previous step.)
Restart the computer normally, and then scan with your anti-virus software to verify that the virus is gone.

If the boot virus is detected in memory when the system is booted from a "clean" floppy disk, then that boot disk is also infected. You must boot your system from a clean, write-protected disk to remove the virus.
If the system does not boot directly from the A: drive, then you must change the boot order in the CMOS setup to A:; C:. Refer to your system documentation for instructions on how to make this change.
The only way a hard drive becomes infected with a boot virus is through an infected floppy disk. After you repair the hard drive, you must scan all your floppy disks. If you boot or attempt to boot your machine with an infected disk, you will reinfect the hard drive.
See also SYS.
File Infectors
These are viruses that attach themselves to (or replace) .COM and .EXE files, although in some cases they can infect files with extensions .SYS, .DRV, .BIN, .OVL and .OVY. The most common file viruses are resident viruses, going into memory at the time the first copy is run, and taking clandestine control of the computer. Such viruses commonly infect additional programs as you run them. But there are many non-resident viruses, too, which simply infect one or more files whenever an infected file is run.

In the Wild
A term that indicates that a virus has been found in several organizations somewhere in the world. It contrasts the virus with one which has only been reported by researchers. Despite popular hype, most viruses are "in the wild" and differ only in prevalence. Some are new and therefore extremely rare. Others are old, but do not spread well, and are therefore extremely rare. Joe Wells maintains a list of those he knows of to be "in the wild".

Macro Virus

A new kind of virus, the macro virus, consists of instructions in Word Basic or some other macro language, and resides in documents. While we do not think of documents as capable of being infected, any application which supports macros that automatically execute is a potential platform for macro viruses. Because documents are now even more widely shared than diskettes (through networks and the Internet), document-based viruses are likely to dominate our future.

Master Boot Record
The 340-byte program located in the Master Boot Sector. This program begins the boot process. It reads the partition table, determines what partition will be booted from (normally C:), and transfers control to the program stored in the first sector of that partition, which is the Boot Sector. The Master Boot Record is often called the MBR, and often called the "master boot sector" or "partition table." The master boot record is created when FDISK or FDISK /MBR is run.

Master Boot Sector
The first sector of the hard disk to be read. This sector is located on the top side ("side 0"), outside cylinder ("cylinder 0"), first sector ("sector 1.") The sector contains the Master Boot Record.
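The two entries above describe the layout that a master boot sector virus overwrites: code, then the partition table the code reads, then the boot signature. As an added example (not part of the original glossary), the following Python parses a 512-byte master boot sector, decodes its partition table, checks the 0x55AA signature, and compares the code region with a hash stored while the system was known clean, the kind of stored baseline the False Positive entry mentions. The sector image is constructed here; on a real system it would be read from the first sector of the disk.

```python
"""Parse a 512-byte master boot sector and compare it with a trusted baseline.

Added example, not part of the original glossary.  The sector image is
constructed here (dummy boot code, one FAT16 partition, 0x55AA signature);
on a real system it would be read from the first sector of the disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446            # boot code occupies offsets 0..445 of a standard MBR
TABLE_OFFSET = 446         # four 16-byte partition entries follow the code
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"    # last two bytes of a valid sector


def decode_chs(head, sector_cyl, cyl_lo):
    """Unpack the packed cylinder/head/sector triple stored in each entry."""
    sector = sector_cyl & 0x3F                        # low six bits
    cylinder = ((sector_cyl & 0xC0) << 2) | cyl_lo    # top two bits are cylinder 8..9
    return cylinder, head, sector


def parse_mbr(sector):
    """Return the boot-code hash, non-empty partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        (status, sh, ssc, scl, ptype, eh, esc, ecl, lba_start,
         lba_count) = struct.unpack("<8BII", sector[start:start + ENTRY_SIZE])
        if ptype == 0:
            continue                                  # unused slot
        partitions.append({
            "bootable": status == 0x80,               # the entry FDISK marks active
            "type": ptype,
            "start_chs": decode_chs(sh, ssc, scl),
            "end_chs": decode_chs(eh, esc, ecl),
            "lba_start": lba_start,
            "sectors": lba_count,
        })
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SECTOR_SIZE - 2:] == SIGNATURE,
    }


def check_mbr(sector, baseline_code_sha256):
    """List what differs between a freshly read sector and the stored baseline."""
    # A master boot sector virus replaces the code region and usually leaves
    # the partition table alone, so the code hash is the field that moves.
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code region differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked bootable")
    return findings


def build_sample_mbr():
    """Constructed sector: a few code bytes, NOP padding, one active FAT16 entry."""
    code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (CODE_SIZE - 5)
    entry = struct.pack("<8BII", 0x80, 1, 1, 0, 0x06, 15, 63 | 0xC0, 0xFF,
                        63, 2097152 - 63)
    return code + entry + b"\x00" * (3 * ENTRY_SIZE) + SIGNATURE


SAMPLE_MBR = build_sample_mbr()
BASELINE = parse_mbr(SAMPLE_MBR)["code_sha256"]   # recorded while the system is known clean
```

Taking the baseline hash while booted from a clean, write-protected disk is what makes the later comparison meaningful; a stealth virus that is resident when the sector is read can forge what is returned.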

Master Boot Sector Virus

A virus that infects the master boot sector spreads through the boot sector of floppy disks. The description below uses NYB as an example.
If you boot or attempt to boot your system with an infected floppy disk, NYB loads into memory and then writes itself to the master boot sector on the hard drive. If the disk is not bootable, you see the DOS error message "Non-system disk or disk error..." If the disk is bootable, the system boots to the A: prompt. Either way the system is infected, and there is no indication on the screen that this has happened.

Once the hard drive is infected, NYB loads into memory each time the system is booted. The virus stays in memory, waiting for DOS to access a floppy disk. It then infects the boot record on each floppy DOS accesses.

Multipartite Virus
A virus that infects both the boot area and files. Removal of multipartite viruses requires cleaning both boot sectors and infected files. Before you attempt the repair, you must have a clean, write-protected boot disk that can boot your system from A: and allow you to access your hard drive. (If you are running any disk manager or drive overlay software, contact your vendor for a suitable boot disk.) For Windows 95 any one of the following disks is suitable, as long as it was created before the time of infection:
Windows 95 Startup disk
Disk #1 of the original MS-DOS installation disks (MS-DOS 5.x or above)
your anti-virus software's rescue disk
Boot disk created on a clean PC (MS-DOS 5 or greater)
For DOS/Windows, any of the previous disks other than the Windows 95 Startup disk will work.

If you don't have a system disk, you can make one from a verified uninfected machine or ask a computer store to make one for you. (To create a boot disk from a clean PC, insert a blank diskette in the A: drive, then type format a: /s at the C: prompt in DOS.)

If your anti-virus software finds the virus in memory it may halt your system. If this happens during the removal procedures, there can be only two causes: either your boot disk is also infected or your boot sequence in your CMOS points to your C: drive, then your A: drive. Try another boot disk and/or make sure the boot sequence is A: C:.
Run your anti-virus scanner twice, if it is able to clean this virus. If, on the second pass, it still finds infection, run it a third time. If infection is still found, use a different approach. If your anti-virus software is unable to repair infected files, it may be due to the nature of the damage, or a weakness in the product. (Be sure you are using the latest version!) If your scanner cannot clean an infected file, you might wish to delete the infected file and copy a new one onto your hard drive from an installation diskette.

Polymorphic Virus
A polymorphic virus is one which produces varied (yet fully operational) copies of itself, in the hope that virus scanners will not be able to detect all instances of the virus.

One method to evade signature-driven virus scanners is self-encryption with a variable key; however these viruses (e.g. Cascade) are not termed "polymorphic," as their decryption code is always the same and thus can be used as a virus signature even by the simplest, signature-driven virus scanners (unless another virus or program uses the identical decryption routine).

One method to make a polymorphic virus is to choose among a variety of different encryption schemes requiring different decryption routines: only one of these routines would be plainly visible in any instance of the virus (e.g. the Whale virus). A signature-driven virus scanner would have to exploit several signatures (one for each possible encryption method) to reliably identify a virus of this kind.

A more sophisticated polymorphic virus (e.g. V2P6) will vary the sequence of instructions in its copies by interspersing it with "noise" instructions (e.g. a No Operation instruction, or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g. Subtract A from A, and Move 0 to A). A simple-minded, signature-based virus scanner would not be able to reliably identify this sort of virus; rather, a sophisticated "scanning engine" has to be constructed after thorough research into the particular virus.

One of the most sophisticated forms of polymorphism discovered so far is the MtE "Mutation Engine" written by the Bulgarian virus writer who calls himself the "Dark Avenger". It comes in the form of an object module. Any virus can be made polymorphic by adding certain calls to the assembler source code and linking to the mutation-engine and random-number-generator modules.

The advent of polymorphic viruses has rendered virus-scanning an ever more difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.
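To show why adding more search strings fails against the tricks listed above, and what a normalising "scanning engine" does instead, here is an added Python example that is not part of the original glossary. It uses a constructed toy instruction set: it strips no-op padding, folds equivalent sequences such as SUB AX,AX into MOV AX,0, removes loads into registers that are overwritten before being read, and only then looks for the scan string. Reordering of mutually independent instructions is not handled; the signature and the two variants are made up for the example.

```python
"""Normalise a toy instruction stream before looking for a scan string.

Added example, not part of the original glossary.  The instruction set, the
variants and the signature are constructed for illustration; a real engine
works on x86 machine code and handles far more cases.  Flags are ignored in
this toy model, which is why SUB AX,AX and MOV AX,0 count as identical.
"""
REGISTERS = {"AX", "BX", "CX", "DX", "SI", "DI"}
# An instruction is (mnemonic, first operand, second operand); "" if unused.

def canonical(ins):
    """Rewrite spellings with the same net effect into a single form."""
    op, a, b = ins
    if op in ("SUB", "XOR") and a == b and a in REGISTERS:
        return ("MOV", a, "0")              # SUB AX,AX == XOR AX,AX == MOV AX,0
    if op == "ADD" and b == "0":
        return ("NOP", "", "")              # ADD reg,0 is padding
    return ins

def reads(ins):
    """Registers whose current value the instruction consumes."""
    op, a, b = ins
    if op == "INT":
        return set(REGISTERS)               # a DOS call may use any register
    regs = {b} if b in REGISTERS else set()
    if op != "MOV" and a in REGISTERS:      # MOV overwrites a; ADD/SUB/XOR read it
        regs.add(a)
    return regs

def writes(ins):
    op, a, _ = ins
    return {a} if op in ("MOV", "ADD", "SUB", "XOR") and a in REGISTERS else set()

def drop_dead_loads(stream):
    """Remove a MOV into a register that is overwritten before any read."""
    live = set(REGISTERS)                   # assume everything live at block exit
    kept = []
    for ins in reversed(stream):            # backward liveness over straight-line code
        w = writes(ins)
        if ins[0] == "MOV" and w and not (w & live):
            continue                        # noise load into an unused register
        live = (live - w) | reads(ins)
        kept.append(ins)
    kept.reverse()
    return kept

def normalise(stream):
    canon = [canonical(i) for i in stream]
    return drop_dead_loads([i for i in canon if i[0] != "NOP"])

def contains(stream, signature):
    """Plain contiguous match, the test a simple scanner performs."""
    s = len(signature)
    return any(stream[i:i + s] == signature for i in range(len(stream) - s + 1))

def matches(stream, signature):
    """The same test after both sides are normalised."""
    return contains(normalise(stream), normalise(signature))

# Constructed data: a scan string for a made-up decryptor prologue, and two
# copies padded with the tricks the entry describes.
SIGNATURE = [("MOV", "AX", "0"), ("MOV", "CX", "200"), ("MOV", "DX", "2"),
             ("MOV", "SI", "100"), ("INT", "21", "")]
VARIANT_A = [("NOP", "", ""), ("SUB", "AX", "AX"), ("MOV", "DX", "7"),
             ("MOV", "CX", "200"), ("NOP", "", ""), ("MOV", "DX", "2"),
             ("MOV", "SI", "100"), ("INT", "21", "")]
VARIANT_B = [("MOV", "BX", "55"), ("MOV", "BX", "9"), ("XOR", "AX", "AX"),
             ("ADD", "BX", "0"), ("MOV", "CX", "200"), ("MOV", "DX", "2"),
             ("MOV", "SI", "100"), ("INT", "21", "")]
BENIGN = [("MOV", "AX", "0"), ("MOV", "CX", "1"), ("INT", "21", "")]
```

Both variants fail the plain `contains` test and pass `matches`, while the benign stream passes neither; note that in VARIANT_B the load of 9 into BX survives because the INT may read it, so the normaliser keeps real setup code and drops only the noise.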


RAM
Random Access Memory: the place programs are loaded into in order to execute; the significance for viruses is that, to be active, they must grab some of this for themselves. However, some virus scanners may declare that a virus is active simply when it is found in RAM, even though it might be simply left over in a buffer area of RAM rather than truly being active.

Resident Virus
A property of most common computer viruses. A resident virus is one which loads into memory, hooks one or more interrupts, and remains inactive in memory until some trigger event. When the trigger event occurs, the virus becomes active, either infecting something or causing some other consequence (such as displaying something on the screen.) All boot viruses are resident viruses, as are the most common file viruses.

Slow Infector
See Fast Infector.

Sparse Infector
The term sparse infector is sometimes given to a virus which infects only occasionally, e.g. every 10th executed file, or only files whose lengths fall within a narrow range, etc. By infecting less often, such viruses try to minimize the probability of being discovered by the user.

Stealth virus
A virus that uses any of a variety of techniques to make itself more difficult to detect. A stealth boot virus will typically intercept attempts to view the sector in which it resides, and instead show the viewing program a copy of the sector as it looked prior to infection. A stealth file virus will typically not show any size increase when you issue the "DIR" command. Stealth viruses must be "active" or running in order to exhibit their stealth qualities.

A stealth virus is one which hides the modifications it has made in the file or boot record, usually by monitoring the system functions used by programs to read files or physical blocks from storage media, and forging the results of such system functions so that programs which try to read these areas see the original uninfected form of the file instead of the actual infected form. Thus the virus modifications go undetected by anti-virus programs. However, in order to do this, the virus must be resident in memory when the anti-virus program is executed.
Example: The very first virus that infected PCs and compatibles, Brain, a boot-sector infector, monitors physical disk I/O and re-directs any attempt to read a Brain-infected boot sector to the disk area where the original boot sector is stored. The next viruses to use this technique were the file infectors Number of the Beast and Frodo.

Countermeasures: A "clean" system is needed so that no virus is present to distort the results. Thus the system should be built from a trusted, clean master copy before any virus-checking is attempted; this is "The Golden Rule of the Trade." With DOS, (1) boot from original DOS diskettes (i.e. DOS Startup/Program diskettes from a major vendor that have been write-protected since their creation); (2) use only tools from original diskettes until virus-checking has completed.


SYS
To clean a floppy disk, first boot clean (then scan memory to make sure you have done so), then use the SYS command. Once you have booted clean, you can also safely copy files from an infected disk to your hard disk and then reformat the floppy.

See also FDISK /MBR


TOM
Top Of Memory: the end of conventional memory, an architectural design limit at the 640K mark on most PCs. Some early PCs may not be fully populated, but the amount of memory is always a multiple of 64K. A boot-record virus on a PC typically resides just below this mark and changes the value which will be reported for the TOM to the location of the beginning of the virus so that it won't get overwritten. Checking this value for changes can help detect a virus, but there are also legitimate reasons why it may change (see C11). A very few PCs with unusual memory managers/settings may report in excess of 640K.

Trojan Horse
A trojan horse is a program that does something undocumented which the programmer intended, but that the user would not approve of if he knew about it. According to some people, a virus is a particular case of a Trojan Horse, namely one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a non-replicating malicious program, so that the set of Trojans and the set of viruses are disjoint.

TSR
Terminate but Stay Resident: these are PC programs that stay in memory while you continue to use the computer for other purposes; they include pop-up utilities, network software, and the great majority of viruses. These can often be seen using utilities such as MEM, MAPMEM, PMAP, F-MMAP and INFOPLUS.

Virus
A virus is a piece of software designed and written to make additional copies of itself and spread from location to location, typically without user knowledge or permission.
Viruses, by definition, add their code to your system in such a way that when the infected part of the system executes, the virus does too:
Boot viruses place their code in the sector whose code the machine will automatically execute when booting, so that when the machine boots, they load and run. After they are finished loading, they load the original boot code, which they have previously moved to another location.
File viruses attach to executable program files in such a way that when you run the infected program, the virus code first executes. After the virus is finished loading and executing, it loads and executes the program it has infected.
Macro viruses attach to templates and other files in such a way that, when an application loads the file and executes the instructions in it, the first instructions to execute are those of a virus.
A companion virus attaches to the operating system, rather than files or sectors. In DOS, when you run a file named "ABC", the rule is that ABC.COM would execute before ABC.EXE. A companion virus places its code in a COM file whose first name matches the name of an existing EXE. You run "ABC", and the actual sequence is "ABC.COM", "ABC.EXE".
Worms are similar to viruses in that they make copies of themselves, but differ in that they need not attach to particular files or sectors at all. Once a worm is executed, it seeks other systems - rather than parts of systems - to infect, then copies its code to them.
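The COM-before-EXE rule described in the Companion Virus entry and again in the list above is something a defender can check for directly. The following Python is an added example, not part of the original glossary: it resolves a bare command name the way the DOS command-line interpreter does, lists .COM files that shadow a same-named .EXE, and reports executables absent from an earlier inventory (the files an integrity checker that only tracks existing files never sees). The directory listings are constructed; legitimate software occasionally ships both forms, so the output is a list to review rather than proof of infection.

```python
"""Spot .COM files that shadow same-named .EXE files (the companion-virus pattern).

Added example, not part of the original glossary.  For a bare command name
DOS tries NAME.COM, then NAME.EXE, then NAME.BAT in each directory searched,
so a newly created NAME.COM runs in place of an existing NAME.EXE.  The
directory listings below are constructed for the example.
"""
import os

DOS_SEARCH_ORDER = (".COM", ".EXE", ".BAT")


def dos_resolve(command, listing):
    """Return the file DOS would execute for a bare command name, or None.

    Matching is case-insensitive, as on a DOS file system.
    """
    by_upper = {name.upper(): name for name in listing}
    for ext in DOS_SEARCH_ORDER:
        candidate = command.upper() + ext
        if candidate in by_upper:
            return by_upper[candidate]
    return None


def find_companions(listing):
    """Return (com, exe) pairs where a .COM shadows a .EXE with the same stem."""
    by_stem = {}
    for name in listing:
        stem, ext = os.path.splitext(name.upper())
        by_stem.setdefault(stem, {})[ext] = name
    pairs = [(files[".COM"], files[".EXE"])
             for files in by_stem.values()
             if ".COM" in files and ".EXE" in files]
    return sorted(pairs)


def new_executables(baseline, current):
    """Executable names present now but absent from an earlier inventory.

    A checker that only hashes files it already knows never notices these;
    keeping the inventory itself is what catches a companion file.
    """
    known = {name.upper() for name in baseline}
    return sorted(name for name in current
                  if name.upper() not in known
                  and os.path.splitext(name.upper())[1] in DOS_SEARCH_ORDER)


def scan_directory(path):
    """Run the companion check over a real directory (not used by the test)."""
    return find_companions(os.listdir(path))


# Constructed listings: ABC.EXE is the real program, abc.com the newcomer.
BASELINE_LISTING = ["ABC.EXE", "EDIT.COM", "WORD.EXE", "SETUP.BAT", "README.TXT"]
CURRENT_LISTING = BASELINE_LISTING + ["abc.com"]

if __name__ == "__main__":
    print("typing ABC now runs:", dos_resolve("ABC", CURRENT_LISTING))
    print("companion pairs:", find_companions(CURRENT_LISTING))
    print("new executables:", new_executables(BASELINE_LISTING, CURRENT_LISTING))
```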

Some viruses display symptoms, and some cause damage to files in a system they have infected. But neither symptoms nor damage are essential in the definition of a virus. A non-damaging virus is still a virus, not a prank.

There are no "good" viruses, simply because a virus is code that was not intentionally installed by the user. Users must be able to control their computers, and that requires that they have the power to install and remove software; that no software is installed, modified, or removed without their knowledge and permission. A virus is surreptitiously self-installed. It may modify other software in the system without user awareness, and removal can be difficult and costly.

Many viruses cause intentional damage. But many more cause damage that may not have been intended by the virus author. For instance, when a virus finds itself in a very different environment than that for which it was written, a non-destructive virus can suddenly become very destructive. A good case in point is the boot virus: while a particular boot virus might not contain any code to damage computers running Windows NT, booting an NT machine with such a virus is likely to be the end of the system.

Even if a virus causes no direct damage to your computer, your inexperience with viruses can mean that damage occurs during the removal process. Many organizations have shredded floppies, deleted files, and done low-level formats of hard disks in their efforts to remove viruses. Even when removal is done perfectly, with no damage to the infected system or files, it is not normally done when the machine is first infected, and the virus in that machine has had a few weeks to spread. The social costs of infection include a loss of reputation and good will.
