Glossary of terms

Adware
Access 97 macro virus
AppleScript Worm
Application
AutoCAD LISP (AutoLISP) virus
Batch file worm
BIOS
Bluetooth
Chain letter
CMOS settings
Companion virus
Controlled application
Controlled device
Corel Script virus
Dialer
Distributed Computing
DOS Boot Sector virus
DOS executable file virus
DOS worm
Dropped files
Dropper
Excel formula virus
Excel macro virus
Excel 97 macro virus
Exploit
False alarm
-Fam and -Gen
Hacking tool
HIPS
Java virus
JavaScript virus
JavaScript worm
Joke
Junk
Keystroke Logger
Linux executable file virus
Linux worm
Macintosh file virus
Macintosh worm
Macromedia Flash infector
Malicious behavior
Malware
MapBasic program
Master Boot Sector virus
Mid infecting
mIRC or pIRCH script worm
Misunderstanding
MSH virus
MMS

Name
Office 97 macro virus
PalmOS based executable virus
PHP Script virus
PowerPoint 97 macro virus
Prefix
Potentially unwanted application (PUA)
Publisher macro virus
Registry virus
Remote administration tool
Rootkit
Scam
Scare
SMS
Spyware
Spyware Trojan
Spyware Worm
Suffix
Suspicious behavior
Suspicious file
Symbian bluetooth worm
System monitor
Test file
Trojan
Trusted relay
Unix worm
Unspecified PUA
Virus
Virus hoax
Visual Basic Script virus
Visual Basic Script worm
VoIP (Voice Over IP)
Wi-Fi
Win16 executable file virus
Win32 executable file virus
Win32 worm
Windows 95 executable file virus
Windows 98 executable file virus
Windows NT executable file virus
Windows 2000 executable file virus
Word macro virus
Word 97 macro Trojan
Word 97 macro virus
Word 97 macro worm
Word 2001 macro virus
Worm
Windows Scripting Host virus
Zero-day

Adware is a type of advertising display software whose primary purpose is to deliver advertising content in a manner or context that may be unexpected and unwanted by users.

Does not replicate.

MS Access 97 or later on any operating system.

VBA macro language.

Infects other Access database files when an infected database is opened.

Sophos Anti-Virus reports these viruses with the prefix "AM97/". Prefixes used by other anti-virus companies include "A97M" and "AM".

AppleScript is the default batch language of Macintosh Operating Systems. As such the majority of applications that are installed on Macintosh computers are scriptable by AppleScript. An AppleScript worm is a script that uses the functionality of AppleScript to spread to other computers or scripts an email application to send itself out.

Sophos Anti-Virus reports these worms with the prefix "AplS/".

A utility that is generally considered by Sophos customers as being unsuitable for use on business networks.

Sophos reports these applications with the PUA type "Other".

Systems running AutoCAD software.

Places infected ACAD.LSP files in folders containing DWG files. Modifies the Global ACAD.LSP file to run a copy of itself.

Sophos Anti-Virus reports these viruses with the prefix "AL/".

Computers connected to a network with DOS, Windows 95/98/Me and Windows NT/2000 operating systems.

Batch file worms spread by searching for shared areas on remote computers to which they can copy themselves.

Sophos Anti-Virus reports these worms with the prefix "Bat/".

The BIOS is the very first piece of software which runs when your computer is switched on, so it must be present for your computer to work. Without it, your PC is effectively useless.

The BIOS is stored in special chip on the motherboard which maintains its contents even when the power is switched off. This is supposed to ensure that the BIOS is always there when you need it.

On many computers the BIOS can be upgraded using software supplied by the BIOS manufacturer. It can also be damaged by viruses such as W95/CIH-10xx and the damage may mean you cannot boot up your PC at all. If the BIOS chip cannot be replaced (some BIOS chips are soldered into position), you may even need to replace your computer's motherboard.

Bluetooth is a personal area network technology for short-range transmission of digital voice and data between laptops, mobile phones, and other portable handheld devices. Mobile viruses could be spread through Bluetooth transfers between computers and mobile devices, and between mobile devices.

An email which urges the recipient to forward the email to other people.

The CMOS settings maintain fundamental system configuration information, which is stored in a special chip on the motherboard. This chip, usually powered by a battery, can operate independently of the rest of the computer. It keeps things like the system clock up-to-date even when the power is switched off.

The CMOS settings also record what sort of disks are installed in the PC, whether or not a password is required at start-up, and which devices (e.g. floppy, hard disk, CD-ROM or network) should be used when trying to boot up the computer. If your CMOS settings are inaccurate, then your computer may not work properly.

Some viruses and trojans, such as Troj/KillCMOS-E, deliberately corrupt these settings to try to stop your computer working. Although it is usually fairly easy to correct the CMOS settings, the procedure for doing so varies from computer to computer. You may need to refer to your computer's manual or the manufacturer's website for assistance.

One of the CMOS settings is called the "boot sequence". This determines whether the computer will try to boot from floppy disk or not. Because accidentally booting from a floppy can introduce boot sector viruses such as Form, Sophos recommends changing this setting so that the computer routinely boots from the hard disk. Please read Guidelines for Safer computing.

A companion virus will rename either itself or its target file in an attempt to trick the user into running the virus rather than another program. For example, a companion virus attacking a file named GAME.EXE may rename the target file to GAME.EX and create a copy of itself called GAME.EXE. Alternatively it may simply rename itself to GAME.COM and rely on the user running 'GAME' from a command prompt as the operating system would then run GAME.COM rather than GAME.EXE.

There is no standard naming convention for this type of virus.

A controlled application is a legitimate program but one which Sophos recognizes that some IT administrators might wish to block or authorize, depending on the application's usefulness within a business environment, and its potential impact on business productivity and resources.

Sophos Anti-Virus reports these applications by their name.

A controlled device is a storage device or network interface which some IT administrators might wish to block or authorize. An administrator's decision will depend on whether the device has a legitmate use within a business environment, and the potential risk it poses in terms of malware infection and/or data loss.

Sophos Anti-Virus reports these devices by their type.

Corel SCRIPT files running under any operating system.

When an infected script is run it infects other Corel SCRIPT files.

Sophos Anti-Virus reports these viruses with the prefix "CSC/".

Any application whose primary function is to dial a premium rate phone number.

Sophos reports these applications with the PUA type "Dialer".

Distributed Computing is the remote use of many decentralized and separate computers, connected by a network (usually the internet), to solve large-scale computation problems. Examples include SETI@Home and the BBC Climate Change Experiment.

DOS Boot Sector (aka DOS Boot Record) of hard disks and boot sector of floppy disks.

DOS Boot Sector viruses can infect any Intel-compatible PC which is configured to boot from a floppy drive.

More secure operating systems such as Windows NT can be infected but may prevent the virus from replicating.

Loads into memory when an infected PC is booted and then infects any floppy disk used in the PC. A PC which boots from an infected floppy disk becomes infected.

There is no standard naming convention for this type of virus.

Infects other executable files. Some viruses become memory resident and infect other programs when they are run. Others actively seek out other files to infect.

There is no standard naming convention for this type of virus.

Affects DOS executables on a system by overwriting them. Traditionally spreads to other systems by means of floppy disk exchange.

Sophos Anti-Virus does not report these worms with a special prefix.

Dropped files are files that have been dropped by a virus, Trojan or worm and are detected by Sophos Anti-Virus. They include damaged versions of the original program.

Does not replicate.

There is no standard naming convention for this type of virus.

A file created specifically to introduce a virus, worm or Trojan into a system. The file may be of a different type to the virus, worm or Trojan it introduces.

There is no standard naming convention for this type of virus.

MS Excel 5 or later running on any operating system.

When an infected document is opened the viral formula sheet is copied into a file in the XLSTART directory. This is automatically loaded into other documents when they are opened.

Sophos Anti-Virus reports these viruses with the prefix "XF/" or "XF97/".

MS Excel 5 or later running on any operating system.

When an infected document is opened the viral macros are copied into a file in the XLSTART directory. This is automatically loaded into other documents when they are opened.

Sophos Anti-Virus reports these viruses with the prefix "XM/" (earlier versions used "Excel").

MS Excel 97 or later running on any operating system.

When an infected document is opened the viral macros are copied into a file in the XLSTART directory. This is automatically loaded into other documents when they are opened.

Some viruses such as XM97/Papa also use mail programs such as Outlook to automatically send infected files to names listed in the address book.

Sophos Anti-Virus reports these viruses with the prefix "XM97/". Prefixes used by other anti-virus companies include "X97M".

A file that will take advantage of design flaws (vulnerabilities) in software in order to take control of a system. The exploit may be used to perform a number of different actions such as downloading worms and Trojans, accessing confidential data or crashing the software (Denial of Service) depending on the nature and severity of the vulnerability.

An incorrect report that a file is infected with a virus.

Sophos's proactive protection technology will identify viruses, Trojans or worms of a particular family with the suffix -Fam or -Gen initially, where the variant is not currently separately identified. Where full analysis is performed, the variant will then be individually named.

Tools that can be used to assist in gaining entry to a network, computer or software program. These are sometimes used by hackers but can also be used legitimately for assessing network security.

Sophos reports these applications with the PUA type "Hacking tool".

A Host Intrusion Prevention System (HIPS) guards against unknown threats. Sophos's HIPS technology uses our anti-virus engine to stop unknown threats by analyzing behavior before code executes.

Sophos Anti-Virus detects the behavior of these files as 'Malicious Behavior' and reports them with the prefix "Mal/".

Java applets

When an infected program (a Java .class file) is run, it looks for other .class files locally. The virus then copies itself into these files, modifying them so that, when they are run in future, the virus receives control first.

Sophos Anti-Virus reports these viruses with the prefix "Java/".

JavaScript scripting files, HTML files with embedded scripts, Microsoft Outlook and Internet Explorer.

Sophos Anti-Virus reports these viruses with the prefix "JS/".

JavaScript scripting files, HTML files with embedded scripts, Microsoft Outlook and Internet Explorer.

Uses IRC, Outlook or Windows networking functions to email multiple copies of infected files to other people or copy itself across the network.

Sophos Anti-Virus reports these worms with the prefix "JS/".

A computer program designed to be mistaken for a virus. Jokes do not replicate, can be safely deleted and are harmless to a computer. Their aim is to cause alarm, and waste time and resources.

Sophos Anti-Virus reports these files with the prefix "Joke/".

A program that records users keystrokes with the intention of capturing sensitive information such as credit card details.

Keystroke logging is a feature of many pieces of malware such as W32/Sdbot-LM and W32/Spybot-EL. There are also families of dedicated keystroke loggers. Troj/Keylog-AL is a member of one such family.

A computer program that no longer works as a virus for a variety of reasons. Sophos Anti-Virus detects these files so that the inactive virus code can be removed.

Sophos Anti-Virus reports these files with the prefix "Junk/".

Various Linux Platform ELF (Executable and Linkable Format) files.

Infects other executable files using a variety of mechanisms.

Sophos Anti-Virus reports these viruses with the prefix Linux/".

Computers connected to a network running Linux.

Linux worms take advantage of flaws in networking code to gain unauthorised access to remote computers running Linux. Once they have gained access they will begin searching for new machines to infect and are often initially noticed by increased network traffic. They can spread rapidly between computers permanently connected to the internet because they require no user intervention to function.

Sophos Anti-Virus reports these worms with the prefix "Linux/". Prefixes used by other anti-virus vendors include "Unix".

Infects other Macintosh files by a variety of mechanisms.

Sophos Anti-Virus reports these viruses with the prefix Mac/".

Uses the QuickTime AutoPlay feature to copy itself from and to infected diskettes when they are inserted.

Sophos Anti-Virus reports these worms with the prefix "Mac/".

Macromedia Flash files associated with the Flash 5 player.

Typically the virus replicates itself by copying itself to the script at the start of the Flash file.

Malicious behavior describes an executable file that displays characteristics or behavior that are found exclusively within malware and are therefore blocked to prevent likely intrusion, disruption or damage to computer systems.

Sophos uses Behavioral Genotype Protection to identify potentially malicious behavior before it can execute.

Depends on the type of malicious software

Sophos Anti-Virus reports this behavior with the prefix "Mal/".

Malware is a general term for a range of malicious software including viruses, worms, Trojan horses and spyware.

Depends on the type of malicious software

Depends on the type of malicous software

MapInfo.

MapBasic.

Infects the MapInfo application so as to infect other MapInfo Map files.

Sophos Anti-Virus reports these viruses with the prefix "MPB/".

Master Boot Sector (aka Master Boot Record) of hard disks and boot sector of floppy disks.

Master Boot Sector viruses can infect any Intel-compatible PC which is configured to boot from a floppy disk drive.

More secure operating systems such as Windows NT can be infected but may prevent the virus from replicating.

Loads into memory when an infected PC is booted and then infects any floppy disk used in the PC. A PC which boots from an infected floppy disk becomes infected.

If the BIOS settings are changed to prevent the PC booting from the floppy drive then the PC cannot become infected.

There is no standard naming convention for this type of virus.

This prefix is used to denote viruses that infect in the middle of a file rather than at the traditional entry point. Some viruses are reported with this prefix if they are detected at the email gateway and with a different prefix at the desktop.

Sophos Anti-Virus reports these viruses with the prefix "Mid/".

These are executable files which modify SCRIPT.INI file to make IRC distribute copies of themselves.

Sophos Anti-Virus reports these worms with the prefix "mIRC/" or "pIRC/".

A problem which is often erroneously attributed to computer viruses.

systems running Microsoft Command Shell.

When an infected script is run it infects other MSH files

Sophos Anti-Virus reports these viruses with the prefix "MSH/"

Multimedia Messaging Service (MMS), also known as Multimedia Message Service, is a communications technology that allows mobile network users to transmit email, images video clips, and sound files over wireless networks, in addition to short text messages. It is an extension of the Short Message Service (see SMS).

Each detected virus, Trojan and worm, and family of virus, Trojan and worm variants, are each given a name. The programming code in all variants within a family will be similar (it is often copied and only altered slightly) and the effects will usually also be similar.

'Bagle' family includes variants with these names W32/Bagle-A and W32/Bagle-B

MS Office 97 (or later) running on any operating system.

Infects two or more different Office components. Most of them infect Word and Excel but PowerPoint and Project files can also be affected.

Sophos Anti-Virus reports these viruses with the prefix "OF97/".

PalmOS Palm resource (PRC) files.

All known viruses actively search for other Palm resource files to infect.

Sophos Anti-Virus reports these viruses with the prefix "Palm/".

PHP files running under any operating system.

When an infected script is run it infects other PHP files.

Sophos Anti-Virus reports these viruses with the prefix "PHP/".

MS PowerPoint 97 (or later) running on any operating system.

The virus runs when some action occurs and infects other PowerPoint files or the main template (Blank Presentation.pot). New presentations created from an infected template will themselves be infected.

Sophos Anti-Virus reports these viruses with the prefix "PM97/". Prefixes used by other anti-virus vendors include "PP97M".

The prefix in the name of a virus, Trojan or worm explains either what the program does, or which operating system it affects.

See the following prefixes - W32/ and Troj/.

PUA is a term used to describe an application that is not inherently malicious, but is generally considered unsuitable for most business networks. Potentially unwanted applications include adware, dialers, remote administration tools and hacking tools.

MS Publisher 2003 (or later) running on any operating system.

When an infected Publisher document is opened the macro code runs and can copy the original document overwriting other Publisher documents.

Sophos Anti-Virus reports these viruses with the prefix "PU97/". Prefixes used by other anti-virus companies include "PU97M".

Computers with Windows 95/98/Me and Windows NT/2000/XP operating systems.

Registry viruses attempt to modify the contents of the registry.

Sophos Anti-Virus reports these viruses with the prefix "REG/".

Commercial or freely available tools used for remotely accessing and controlling one or more computers.

Sophos reports these applications with the PUA type "Remote administration tool".

A rootkit is a set of software tools designed to be invisible and placed on a computer by a third party. It is used to conceal running processes, files or system data.

A fraudulent business scheme or swindle.

A warning about a possible threat which has been greatly exaggerated.

Short Message Service (SMS) is a service for sending text messages between mobile phones, other handheld devices, and landline telephones. Messages consists of a limited number of alphanumeric characters, and cannot contain images or graphics.

Spyware is a term used to describe a broad set of applications that send information from a computer to a third party without the user's permission or knowledge. Spyware Trojans and spyware worms are Trojans and Win32 worms that also exhibit behaviour attributed to spyware.

A spyware Trojan is a seemingly legitimate computer program designed to disrupt and damage computer activity by sending information from a computer to a third party without the user's permission or knowledge.

Sophos Anti-Virus reports spyware Trojans with the prefix "Troj/".

Computers connected to a network running Windows 95/98/Me and Windows NT/2000/XP/2003 operating systems.

Spyware worm is a term used to describe malware that has the ability to self-replicate without a host program and send information from a computer to a third party without the user's permission or knowledge.

Spyware worms spread using Windows networking APIs (Application Programming Interfaces), email, or by exploting vulnerabilities of the operating system or another application. They have identical spreading capabilities to Win32 worms but they also exhibit behaviour attributed to spyware.

Sophos Anti-Virus reports spyware worms with the prefix "W32/".

The suffix in the name of a virus, Trojan or worm denotes the variant. It is the part of the name that follows a hyphen and will be a letter or letters of the alphabet.

Suspicious behaviour comprises characteristics of running processes (ie. post-program execution) which are deemed to be predominantly, but not exclusively, related to malware.

Suspicious files are those that have properties or carry out activities which are characteristic of, but not exclusive to, samples of malware.

Devices running Symbian OS.

Infects other Symbian devices using bluetooth.

Sophos Anti-Virus reports these worms with the prefix "Symb/".

Commercial or freely available software whose primary function is to monitor the use of the local computer.

Sophos reports these applications with the PUA type "System monitor".

A file that is non-viral but causes anti-virus software to react to it, as if it were a virus. Test files are used primarily as a way for network administrators to check that their anti-virus software has been correctly deployed. Sophos makes the EICAR test file (EICAR stands for European Institute for Computer Anti-virus Research) available to its customers for this purpose.

A seemingly legitimate computer program that has been intentionally designed to disrupt and damage computer activity. Trojans are sometimes used in conjunction with viruses. A backdoor Trojan is a program that allows other computer users to gain access to your computer across the internet.

Sophos Anti-Virus reports these viruses with the prefix "Troj/".

A trusted relay is a known email server that sends or forwards emails to PureMessage. Typical examples of trusted relays include an ISP's SMTP server and any email relays located on a local network which are upstream to the PureMessage server(s). These servers can be trusted because they are highly unlikely to be the source of spam email. It is important to understand that servers on the trusted relay list will still relay spam email but are unlikely to be the originating source of the spam.

Computers connected to a network running Unix.

Unix worms take advantage of flaws in networking code called buffer overflows to gain unauthorised access to remote computers running Unix. Once they have gained access they will begin searching for new machines to infect. They can spread rapidly between computers permanently connected to the internet because they require no user intervention to function.

Sophos Anti-Virus reports these worms with the prefix "Unix/".

An unspecified PUA is an application that does not fit within the other PUA types of dialers, adware, and hacking tools. These applications are not inherently malicious, but are generally considered unsuitable for most business networks.

A computer program that copies itself. Often viruses will disrupt computer systems or damage the data contained upon them. A virus requires a host program and will not infect a computer until it has been run. Some viruses spread across networks by making copies of themselves or may forward themselves via email. The term 'virus' is often used generically to refer to both viruses and worms.

A warning about a non-existent virus. Usually urge users to forward them to everyone they know.

Visual Basic scripting files, HTML files with embedded scripts, Microsoft Outlook and Internet Explorer.

Infects other executable files by a variety of mechanisms. Some viruses such as VBS/Dismissed-B use Outlook to distribute infected files by email.

Sophos Anti-Virus reports these viruses with the prefix VBS/".

Visual Basic scripting files, HTML files with embedded scripts, Microsoft Outlook and Internet Explorer.

Uses IRC or Outlook to email multiple copies of infected files to other people.

Sophos Anti-Virus reports these worms with the prefix "VBS/".

A telephone service that uses the internet as a global telephone network.

Wireless Fidelity (commonly known as Wi-Fi), is a trademark of the Wi-Fi Alliance, which is generally used to refer to any type of 802.11 high-frequency wireless network. Wi-Fi networks are commonly used by many businesses, agencies, schools and homes, and these networks can be accessed by unauthorized users unless protection is in place.

Any Windows operating system that uses the PE executable file format on an ia32 processor, including Microsoft Windows 95/98/Me, NT, 2000, etc.

Infects other executable files by a variety of mechanisms.

Some viruses such as W32/ExploreZip also use Outlook or other programs to distribute infected files by email.

Sophos Anti-Virus reports these viruses with the prefix "W32/"(earlier versions used "Win32").

Computers connected to a network running Windows 95/98/Me and Windows NT/2000 operating systems.

Win32 worms spread using Windows networking APIs, MAPI functions or email clients such as Microsoft Outlook. They may create email messages with the worm program attached or attach themselves to outgoing email messages. A message created by a worm often suggests that the recipient should launch the attachment to see something interesting or important.

Sophos Anti-Virus reports these worms with the prefix "W32/". Prefixes used by other anti-virus vendors include "Win32".

MS Windows 95/98/Me PE (Portable Executable) files.

Infects other executable files. Some viruses become memory resident and infect other programs when they are run. Others actively seek out other files to infect.

Some viruses such as W95/Babylonia also distribute infected files by email.

Sophos Anti-Virus reports these viruses with the prefix "W95/"(earlier versions used "Win95").

MS Windows 98 PE (Portable Executable) files.

Infects other executable files. Some viruses become memory resident and infect other programs when they are run. Others actively seek out other files to infect.

Sophos Anti-Virus reports these viruses with the prefix "W98/" (earlier versions used "Win98").

MS Windows NT or 2000 PE (Portable Executable) files.

Infects other executable files using a variety of mechanisms.

Sophos Anti-Virus reports these viruses with the prefix "WNT/" (earlier versions used "WinNT").

Infects other executable files. Some viruses become memory resident and infect other programs when they are run. Others actively seek out other files to infect.

Sophos Anti-Virus reports these viruses with the prefix "W2K/".

Any version of MS Word running on any operating system.

Word Basic macro language (used in Word 6 and 95).

When an infected document is opened the viral macros are copied to the global template (usually NORMAL.DOT). Other documents automatically load the viral macros from this file when they are opened.

Sophos Anti-Virus reports these viruses with the prefix "WM/" (earlier versions used "Winword").

MS Word 97 or later running on any operating system.

Word 97 macro Trojans are documents which, when opened, have undesirable effects on the system such as deleting files or compromising system security.

Sophos Anti-Virus reports these viruses with the prefix "WM97/". Prefixes used by other anti-virus companies include "W97M".

MS Word 97 or later running on any operating system.

Some of these viruses copy the viral macros into the global template (usually NORMAL.DOT) in the same way as Word macro viruses. This method of transmission does not work with MS Office 97 SR1 or later.

Most of the recent viruses copy the viral macros into another file and modify the global template to import them when another document is opened.

Sophos Anti-Virus reports these viruses with the prefix "WM97/". Prefixes used by other anti-virus companies include "W97M".

MS Word 97 or later running on any operating system.

Uses mail programs such as MS Outlook to automatically send infected files to names listed in the address book. Many of these worms also replicate is the same way as Word 97 macro viruses.

Sophos Anti-Virus reports these worms with the prefix "WM97/". Prefixes used by other anti-virus companies include "W97M".

A type of virus that does not need a host program. It has the ability to self-replicate and often will use email and the internet to spread.

Some of these viruses copy the viral macros into the global template (usually NORMAL.DOT) in the same way as Word macro viruses. The majority of these viruses are upconverts of existing Word 97 viruses. Most payloads are however Intel specific and do not work.

Sophos Anti-Virus reports these viruses with the prefix "WM97/". Prefixes used by other anti-virus companies include "W97M".

Computers with Windows 95/98/Me and Windows NT/2000/XP operating systems.

Windows Scripting Host is the framework under which JavaScript, Visual Basic Script and ActiveX components execute. A virus, worm or Trojan may use multiple components within this framework.

If a virus, worm or Trojan uses multiple components within the Windows Scripting Host framework Sophos Anti-Virus reports them with the prefix "WSH/".

A zero day threat is a new threat released in the wild before threat detection signatures are available to protect against it. Fast moving threats such as internet worms can cause huge amounts of damage at zero day.