
Virus terms and definitions can sometimes be confusing.

Use the virus glossary to learn what the various malicious code terms really mean.

ActiveX

ActiveX controls are the modern rendition of OLE, or .OCX files. A simplistic example of OLE (Object Linking and Embedding) allows a user to embed the calculator into a word processor. ActiveX controls rely on the Windows operating system, requiring developers to create version-specific controls. Unlike Sun's Java, ActiveX is able to interact with the operating system. The Kak worm is perhaps the most notorious malware to exploit vulnerabilities in ActiveX. Kak is a worm that spread simply by reading email - or even just displaying email in the preview pane - in Microsoft Outlook and Outlook Express. The Kak worm took advantage of a security vulnerability in two ActiveX controls, scriptlet.typelib and Eyedog.

Behavior blocking

Behavior blocking monitors file activities, preventing certain modifications to the operating system or related files. For example, behavior blockers may monitor the registry, and warn users accordingly if a file being executed is attempting to modify the system registry. Some files, of course, do this legitimately, i.e. a SETUP program. Others, however, have malicious intent and try to modify the registry to launch on every startup or when a particular access is made. Typically, behavior blocking software is permission-based, relying on the user to make the appropriate decision. While some find this method of behavior blocking intrusive, used properly it can be one of the best defenses against today's malware.
Buffer overrun

A buffer overrun attack occurs when a malicious user exploits an unchecked buffer in a program, overwriting the program code with their own data or causing it to react in a particular (i.e. malicious) way. This effectively changes the program operation to behavior dictated by the attacker. Buffer overrun exploits occur as the result of security vulnerabilities inherent in many products.

Disinfection

Cleaning or otherwise removing a virus infection is referred to as disinfection. In some instances, an infection cannot be disinfected and the file must simply be deleted. For example, a Trojan would always be deleted as it has no legitimate purpose. Conversely, a document infected with a macro virus would be cleaned. That is, the offending macro(s) would be removed while the document, and any non-infected macros, would be left intact. While disinfection can generally be accomplished with no resulting file damage, there is no absolute guarantee that the file can be restored to its original state. For this reason, some antivirus experts recommend always restoring infected files from a known clean backup, and relying on antivirus software only to detect the virus. Other antivirus experts believe disinfection is the preferred method, rather than requiring the user to have (a) made a backup, and (b) restored it. Some independent testing facilities certify antivirus software not just on its ability to detect viruses, but also on its accuracy in disinfecting them. In many cases, cleaning or disinfecting is not a viable option. To understand the distinctions, see Clean, Quarantine, or Delete.

Boot sector virus

A boot sector virus infects the boot sector of a drive and is spread via infected floppy disks. This usually occurs when users inadvertently leave a floppy disk in drive A:\. When the system is next started, the PC will attempt to boot from the floppy. If the disk is infected with a boot sector virus, that virus will infect the boot sector of the user's local drive (C:\). Unless the floppy disk is a bootable system disk, the user will simply see a standard warning that the drive contains a "non-system disk or disk error" and the user will be prompted to "replace the disk and press any key when ready". Most users will realize a floppy has been left in the drive, remove it, and reboot the system, unaware they may have just infected their system with a boot sector virus. Compared to other types of malware, a boot sector virus can be fairly benign - simply taking up room in memory. However, a boot sector virus can also contain a malicious payload. The simplest method to prevent boot sector viruses is to change the CMOS settings to boot from the local C:\ drive first, rather than from floppy. Most modern BIOSes are already configured to boot from the hard drive first.

File virus

File viruses infect executable files by inserting their code into some part of the original file so that the malicious code can be executed when the file is accessed. An overwriting file virus is one that overwrites the original file entirely, replacing it with the malicious code. File infecting viruses have targeted a range of operating systems, including Macintosh, UNIX, DOS, and Windows. Overwriting viruses cause irreversible damage to the files. Loveletter, which operated as an email worm, file virus, and Trojan downloader, is a notorious example of a file overwriting virus. Loveletter searched for certain file types and overwrote them with its own malicious code, permanently destroying the contents of those files. Files affected by an overwriting virus cannot be disinfected and instead must be deleted and restored from backup.

False positive

False positives occur when a pattern of code in the file matches the same pattern contained in a virus signature. This can occur due to a faulty signature or it can occur after improper disinfection by the same or a different antivirus scanner. False positives can be more than just annoying. Repeated warnings that are erroneous cause the same effect as the boy who cried wolf. If too many false positives occur, when a legitimate warning is presented, users may disregard it. In other cases, a false positive can cause legitimate files to be deleted, causing the operating system or program to no longer function properly. If your antivirus scanner says a file is clean that you believe is actually infected, here are six steps to determine if a virus alert is legitimate.

Some users claim that behavior blocking results in too many false positives. In fact, the very nature of behavioral analysis is to prevent any unauthorized modifications to key system areas. In the case of behavior blocking, the prompting for user input is a desirable occurrence and should not be categorized as a false positive.

Heuristic detection

Heuristic detection is generic detection designed to detect new or previously unseen malware. Heuristic scanning methods vary widely and may range from simply scanning the file more intensively to emulating the file's activities in a virtual sandbox. Because heuristic detection can be rather generic, it may be prone to false positives. To minimize the risk of false positives, some vendors may employ whitelisting. While heuristics can be useful for the detection and prevention of new malware, heuristics are not generally adept at disinfection.

Hoax

Hoaxes are messages that claim to be warnings of real virus threats. There are even hoaxes that warn of other hoaxes being infected by viruses. Computer virus hoaxes have been around for nearly as long as the first virus. Hoaxes have only a single purpose and that is to spread to as many people as possible. Hoax messages generally include an admonishment to "forward this to everyone you know" and may even reference a seemingly legitimate source to gain credibility. For a list of popular email hoaxes, see the Hoax Encyclopedia.

In-the-Wild

In-the-Wild (ItW) refers to viruses or other malware that are actively circulating or actively infecting users' computers - as opposed to malware that exists in a laboratory (zoo) testing environment only.

Integrity checker

Integrity checkers scan and maintain a database of sorts regarding pertinent information on all or critical system files. If a program attempts to modify one of these guarded files, the integrity checker will alert the user and prompt for input. Integrity checkers can be a valuable addition to help protect your system from malware, but they do require a certain level of user expertise - and tolerance. Integrity checkers are most often used in conjunction with whitelisting.
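The "database of sorts" an integrity checker keeps is, at its simplest, a table of file digests taken while the system is known clean. The following added example (not code from the original glossary or any product) builds such a baseline, re-checks a directory against it, and applies a whitelist for files that are expected to change, so that only unexpected modifications, additions and removals are reported. File names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    # SHA-256 of the file contents, read in chunks so large binaries are fine
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    # The "database of sorts": relative path -> digest for every file under root
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def check_integrity(baseline, root, whitelist=()):
    # Compare the current tree against the baseline; whitelisted paths are
    # expected to change (logs, caches) and are never reported
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for path, digest in baseline.items():
        if path in whitelist:
            continue
        if path not in current:
            report["removed"].append(path)
        elif current[path] != digest:
            report["modified"].append(path)
    report["added"] = [p for p in current if p not in baseline and p not in whitelist]
    return report

def write(root, name, data, mode="wb"):
    with open(os.path.join(root, name), mode) as f:
        f.write(data)

def demo():
    # Constructed scenario: baseline, then tamper with a guarded file,
    # append to a whitelisted log, and drop a new file
    with tempfile.TemporaryDirectory() as root:
        write(root, "guarded.exe", b"MZ original program bytes")
        write(root, "app.log", b"line 1\n")
        baseline = build_baseline(root)
        write(root, "guarded.exe", b" + injected code", "ab")  # file infector
        write(root, "app.log", b"line 2\n", "ab")              # legitimate change
        write(root, "dropped.dll", b"new")                     # dropped file
        return check_integrity(baseline, root, whitelist={"app.log"})
```

A real checker would store the baseline on read-only media or sign it, since a baseline the malware can rewrite proves nothing.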

Worm

In contrast to viruses, computer worms are malicious programs that copy themselves from system to system, rather than infiltrating legitimate files. For example, a mass-mailing email worm is a worm that sends copies of itself via email. A network worm makes copies of itself throughout a network, an Internet worm sends copies of itself via vulnerable computers on the Internet, and so on.

Macro virus

Unlike typical file infecting viruses, macro viruses infect data files - chiefly files created in Word, Excel, PowerPoint, or even Access. Visual Basic macros are actually mini-programs embedded in the document, and thus have many of the same rights and abilities as the user who is logged on to the system. In Microsoft Office, macro viruses generally spread by first infecting the global template (i.e. Normal.dot in Word), in turn infecting other documents as they are accessed. Exact methods can vary; for example, some macro viruses only infect currently open documents. As with any other malware, effects from a macro virus infection can range from benign annoyance to loss of critical data. In the late 1990s and early part of 2000, macro viruses were one of the more commonly encountered forms of infection. Though Microsoft has made several improvements designed to hamper the spread of macro viruses, macro viruses still continue to circulate to some extent. Because macro viruses infect data files and not program files, Macintosh users are generally susceptible to macro viruses as well.

Malware

Malware is an abbreviation for malicious software and refers collectively to viruses, worms, trojans, adware, and spyware. Malicious software, or malware, is code that does something unexpected and undesirable to a computer system.

Payload

Traditionally, a virus payload referred to the action a virus might take beyond simply infecting files. This payload could range from the virus displaying a dialog box with the words "Have a Good Day" to a virus that overwrites or deletes files on the system. For example, the circa 1998 CIH virus had a payload to overwrite the Flash BIOS of systems, rendering those systems unbootable. LoveLetter also deployed a malicious payload as part of its routine, overwriting certain media file types. Today's malware is less likely to include a payload that damages files on the system, but instead typically includes a payload that allows backdoor access to the system and steals passwords and other sensitive data.

Polymorphic virus

Polymorphic viruses change their code in an attempt to avoid detection by antivirus scanners. Essentially, the polymorphic virus encrypts itself in a different manner each time it infects, often requiring that a specific signature be developed to search for each variety.

Portable Executable

A Portable Executable (PE_EXE) file is a program capable of running independently on any Windows 32-bit operating system (Windows 95, 98, NT, 2000, XP, and ME). Examples of PE_EXE files include calc.exe (the calculator program) and notepad.exe (Notepad). PE_EXE files do not have to have an EXE extension. A screensaver (.scr) is also considered a Portable Executable.

Scanner

A scanner refers to the products and technology used by antivirus software vendors to detect and remove malicious code. Traditional virus scanners use signature detection. Scanners may work in realtime - scanning files for malicious code automatically as they are introduced to the system - or on demand - i.e. manual scans invoked by the user.
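Because a PE file need not carry an .exe extension, a scanner must recognise the format from its header rather than its name. The added example below (not from the original glossary or any vendor) checks the fixed PE layout: the "MZ" DOS magic, the e_lfanew field at offset 0x3C that points to the "PE\0\0" signature, and the COFF machine field that follows it. The sample headers in SAMPLES are constructed minimal images, not real programs; make_pe() and the machine-type names are this example's own helpers.

```python
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64", 0xAA64: "ARM64"}

def pe_machine(data):
    # Return the COFF machine type if data is a PE image, else None.
    # Decided by header layout, not file name: a .scr or .ocx passes too.
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of PE header
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None                                         # truncated or not PE
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine

def is_pe(data):
    return pe_machine(data) is not None

def classify(name, data):
    # What a scanner should conclude about a file, regardless of its extension
    machine = pe_machine(data)
    if machine is None:
        return f"{name}: not a PE file"
    return f"{name}: PE image for {MACHINE_NAMES.get(machine, hex(machine))}"

def make_pe(machine=0x014C, pe_offset=0x80):
    # Constructed minimal header: DOS magic, e_lfanew, 'PE\0\0', COFF machine field
    header = bytearray(pe_offset + 24)
    header[:2] = DOS_MAGIC
    struct.pack_into("<I", header, 0x3C, pe_offset)
    header[pe_offset:pe_offset + 4] = PE_SIGNATURE
    struct.pack_into("<HH", header, pe_offset + 4, machine, 3)  # machine, NumberOfSections
    return bytes(header)

SAMPLES = {
    "calc.exe": make_pe(),
    "screensaver.scr": make_pe(0x8664),          # PE despite the .scr extension
    "readme.exe": b"just text renamed to .exe",  # extension claims PE, header does not
    "stub.exe": make_pe()[:0x60],                # truncated before the PE header
}
```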

Stealth virus

Stealth viruses attempt to hide their presence to avoid detection. One method employed is to redirect calls made to the infected file. For example, the Brain virus, notorious for being the first PC virus in-the-wild, was also the first stealth virus. It infected boot sectors, hooking INT 13h. If the virus were resident in memory, the boot sector would look normal.

Trojan

A Trojan is a self-contained, malicious program -- that is, it's a bit of software code that does something bad to your computer. It doesn't replicate (as a worm would), nor does it infect other files (as a virus would). However, Trojans are often grouped together with viruses and worms, because they can have the same kind of harmful effect. Many of the earlier Trojans were used to launch distributed denial-of-service (DDoS) attacks, such as those suffered by Yahoo and eBay in the latter part of 1999. Today, Trojans are most often used to gain backdoor access -- remote, surreptitious access -- to the computer. There are several different types of Trojans, including remote-access Trojans (RAT), backdoor Trojans (backdoors), IRC Trojans (IRCbots), and keyloggers. Many of these different characteristics can be employed in a single Trojan. For example, a keylogger that also operates as a backdoor may commonly be disguised as a game hack. IRC Trojans are often combined with backdoors and RATs to create collections of infected computers known as botnets.

Virus

A virus infects other files by injecting the malicious code into the code of the legitimate file. Viruses can infect both data and program files. For a more in-depth discussion of viruses in comparison to other forms of malware, see What is a Virus.
