[ Virus Term Explanation ]
by: Ruzz
------------------------------------

For anyone related to the vX scene of the Underground, 99% of these descriptions should be common knowledge. Those not related to the vX scene may recognise some of these descriptions. This text outlines the main descriptions used by vXers in the scene. Here they are in all their glory!!

Boot Sector Infector: A virus which infects the original boot sector on a floppy diskette. These viruses are particularly serious because information in the boot sector is loaded into memory first, before virus protection code can be executed. A "strict" boot sector infector infects only the boot sector, regardless of whether the target is a hard disk or a floppy diskette. Some viruses always attack the first physical sector of the disk, regardless of the disk type.

Companion Virus: A viral program that does not actually attach to another program, but which uses a similar name and the rules of program precedence to associate itself with the regular program. This kind of virus is also referred to as Spawning.

Dropper: An executable file that, when run, "drops" a virus. A 'Dropper' file has the capability to create a virus and infect the user's system when it is executed. When a 'Dropper' file is scanned, the scan will not detect a virus, because the viral code has not yet been created. The viral code (and virus) is created when the 'Dropper' file is executed.

Encryption: A change made to data, code, or a file such that it can no longer be read or accessed without processing (or unencrypting). Viruses may use encryption in order to hinder detection by hiding their viral code. Viruses may also encrypt (change) code or data on a system as part of their payload. See also Polymorphic.

File Infector: A virus which attaches itself to, or associates itself with, a file. File infectors usually append or prepend themselves to regular program files or overwrite program code.
The file-infector class is also used to refer to programs that do not physically attach to files but associate themselves with program filenames.

Hex: Short for hexadecimal. Hex- is a prefix for 6 and -decimal is a suffix for 10, so this represents numbers in base 16. Because there are more than 10 digits, values 10 through 15 are represented by letters A through F respectively. This representation is used in computer programming.

Hoax: This is usually an email that warns of a non-existent or a valid virus and that does more harm by spreading fear.

Hole (as in a "hole" in system memory): When DOS is starting, it begins allocating areas of memory below 640 K, which are used to store information. There are some places where there are gaps in the allocated memory. These gaps are unallocated and unused, and they are considered to be "holes" in system memory. A hole in system memory may also be created in DOS because as DOS loads programs, it often rounds off the amount of memory allocated to the program. For example, a program might need 1025 Bytes (1Kb + 1 Byte). When DOS loads this program, it may allocate 2Kb of memory for the program. Thus 1023 Bytes are actually unused. This unused portion is considered a "hole".

Joke Program: This is not a virus, but a program that may frighten a user by making it appear that their hard drive is being formatted, or by opening and closing their CD tray automatically.

Macro: A saved set of instructions that users may create or edit to automate tasks within certain applications or systems. A Macro Virus is a malicious macro that a user may execute inadvertently and that may cause damage or replicate itself.

Master Boot Record (MBR)/Boot Sector Infector: A virus that infects the system's Master Boot Record on hard drives and the Boot Sector on floppy diskettes. This type of virus takes control of the system at a low level by activating between the system hardware and the operating system.
An MBR/Boot Sector virus is loaded into memory upon boot-up, before virus detection code can be executed.

Memory Resident: A program that stays in the active RAM of the computer while other programs are running. Accessory software is often of this type, as is activity monitoring and resident scanning software. Viruses often attempt to "go resident". This is one of the functions an activity monitor may check.

Multi-partite Virus: A virus that infects Master Boot Records, Boot Sectors, and Files.

Parasitic: A virus that requires a host to help it to spread.

Payload: The code within a virus that is not part of its detection-avoidance or replication capabilities. The payload code may cause text or graphics to appear on the screen, or it may cause corruption or erasure of data.

Polymorphic: A virus that attempts to evade detection by changing its internal structure or its encryption techniques. Polymorphic viruses change their "form" with each infection in order to avoid detection by antiviral software that scans for signature "forms". Less sophisticated systems are referred to as self-encrypting.

Spawning: A viral program that does not actually attach to another program, but which uses a similar name and the rules of program precedence to associate itself with the regular program. This kind of virus is also referred to as a Companion Virus.

Stealth: A virus that uses one or more of various techniques to avoid detection. A Stealth virus may redirect system pointers and information in order to infect a file without actually changing the infected program file. Another Stealth technique is to conceal an increase in file length by displaying the original, uninfected file length.

System Hang: A complete failure of the operating system. When a program fails, it usually has an opportunity to display an error or diagnostic message. If the entire system fails, such a message will not appear, and input is usually blocked (keystrokes and mouse clicks will be ignored).
In the worst cases, the system cannot be restarted without turning the system off completely.

Terminate-and-Stay-Resident: A program that remains active in memory while other programs are run on the system. Examples of TSRs are VShield, a DOS-based mouse, or a CD-ROM driver.

Trigger: An event that a virus writer has programmed the virus to watch for, such as a date, the number of days since the infection occurred, or a sequence of keystrokes. When the trigger event occurs, it activates the virus, which then dispenses its payload.

Trojan Horse: A program that either pretends to have, or is described as having, a set of useful or desirable features, but actually contains a damaging payload. Most frequently the usage is shortened to "Trojan". Trojan Horses are not technically viruses, since they do not replicate.

Tunneling: A virus that avoids standard interfaces to infect files. This allows the virus to infect files without being noticed by a behavior blocker.

VBS: A new method of spreading viruses by using Visual Basic Scripting. Not usually a problem, unless a user has either Windows 98, IE5 or Outlook 98 or higher. It will also work with IE4 which has VBScript support installed.

Virus: A software program that attaches itself to another program in computer memory or on a disk, and spreads from one program to another. Viruses may damage data, cause the computer to crash, display messages, or lie dormant.

Worm: This is not technically a virus, but usually spreads via email or IRC (Internet Relay Chat).

Regards,
Ruzz`
The Shadow Virus Group Admin