CA Global Security Advisor Glossary

A virus that infects boot sectors. Refer to Boot Sector Infector for more details.

A shortened form of 'robot'. Bot describes a non-human automated program that may perform functions or tasks. These tasks often involve the exchange of information. Bots can operate on a variety of platforms such as IRC.

A number of bots grouped to perform a task or a unique group of tasks, often cooperatively. The term botnet was created by combining the words "robot network".

Companion infection methods that do not involve replacing the target program defeat simple integrity checkers that only look for modifications to existing programs. For this reason, good integrity checkers also monitor the addition of new program files to a system. (c.f. Appender, Cavity Infector, Overwriter, Prepender)

By late 1999, code from several DDoS systems had been captured from compromised machines. These were mostly the agents (the part that implements the attack service), but a few examples of masters - the component that keeps track of the agents availability and sends the commands to begin and end an attack - were also captured. At the time, some networks of these DDoS agents were discovered to contain several hundred active agents. Although most of these systems have been designed and written for Unix (and particularly Linux) machines, some implementations for PCs also exist. (Refer to the DDoS entry in the virus encyclopedia for more details.)

This is measured based on the amount of damage that a malicious program can possibly achieve once a computer has been infected. These metrics can include attacks to important operating system files, triggered events, clogging email servers, deleting or modifying files, releasing confidential information, performance degradation, compromising security settings, and the ease with which the damage may be fixed. CA uses this metric to measure the potential damage that a malware's payload can deliver.  This metric is given the least weight, in combination with Wild and Pervasiveness metric, to calculate the overall threat assessment.

2. Denial of Service (although the acronym DoS is somewhat preferable here to avoid confusion).

A downloader is a program that automatically downloads and runs and/or installs other software without the user's knowledge or permission.

In addition to downloading and installing other software, it may download updated versions of itself.

A downloader may install itself in a manner that allows it to constantly check for updated files. For example, it may add an entry to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

A type of ROM whose contents are non-volatile but modifiable through the application of appropriate chip reprogramming voltages. Before reprogramming an EPROM, it has to be exposed to source of ultra-violet light. Some early 'updateable BIOSes' were shipped on EPROM chips, but EEPROMs became more popular. More recently, flash memory has become the preferred non-volatile memory technology for holding BIOSes.

Fortunately, some BIOSes are write-protected, requiring special measures be taken to allow flash write enabling to be activated (such as opening the case and setting jumpers or switches). However, testing reveals in many systems that appear to have such a feature, it often does not work. To date, viruses that attempt to re-flash a victim's BIOS and 'succeed' (in that the contents of the BIOS change) all result in the 'trashing' of the BIOS, rendering the victim machine unbootable. That is, unbootable as in you cannot put a special recovery diskette in the floppy, bootup and run a program to re-flash a good copy of the BIOS program back into the flash memory chip. That is, unbootable as in all that happens is the power supply and CPU cooling fans, and the hard drives, spin up because that's what they do when power is applied. Specialist equipment is needed to re-program the flash chip once it is removed from the mainboard, and as more mainboard designs move to surface-mount flash chips rather than socketed ones, that option is not available for an increasing number of machines.

For example, Word for Windows looks for the file 'Normal.dot' in certain directories (while the Macintosh version looks for a file of Word Template type named 'Normal' in matching folders) and loads it into its environment without warning. Should a normal template contain any auto macros that should run when such a template is loaded, they are run, any menu or shortcut customizations it contains are applied, and any system macros or standard event handler macros in the template will become active, running when the corresponding Word command or event occurs. Word and Excel both support a 'startup' directory, although in slightly different ways. Word will open and integrate any template files stored in its startup directory into its runtime environment, just as it integrates the contents of the normal template. Excel opens and integrates any standard Excel file type stored in its startup directory into its runtime environment. Registered Add-Ins are also loaded when the application starts and if they are templates, will be loaded from wherever they are registered. Thus, for Word, the normal template, any templates in its startup folder and any Add-Ins loaded as templates are all 'global templates', with any customizations and macros they contain becoming available throughout the Word environment.

Infection of global templates is thus an attractive proposition to macro viruses written for such application environments, as it provides a simple form of 'residency'. This will improve its likelihood of infecting more documents and thus improve its chances to spread.

The term 'global template' is also often, but incorrectly, used to mean 'Word's normal template'. This is almost certainly a carryover from earlier versions of Word's macro language, where the normal template could often be referred to via the referent 'Global:', rather than by its full path and name. Even in many of those versions of Word, this usage was, at best, sloppy because of the possibility (if not the actuality) of other 'global' templates.

For example, various kinds of unusual settings in the headers of PE (Windows 32-bit executable) files may be strongly indicative of virus-related 'tampering'. If it is also known that such 'odd' headers are never produced by any PE compiler/linker combinations, detecting such things and flagging the files to the user as 'suspicious' may be a good heuristic for detecting certain kinds of new PE infecting virus that the scanner does not yet detect as a known virus.

Similarly, code analysis of a VBA macro can, in most cases, quickly and reliably determine whether the macro has code that copies itself to other documents and templates. However, that alone is not sufficient as a macro virus heuristic as it is common for legitimate macro programs to have installation routines that are themselves macros that copy other macros around. The designer of a good heuristic macro virus detector will attempt to prevent raising false positive alarms on such macro installation packages by requiring the heuristic detector to find more than just code that copies a macro to a global template (the usual installation location for such macro programs). Careful tuning of the importance (or 'weight') attached to various virus-like features can greatly reduce the rate of such false positives. An approach that combines positive and negative heuristics is generally considered best. A positive heuristic is a programmatic feature the scanner considers increases the likelihood it is looking at a virus and a negative heuristic is a feature that reduces that likelihood.

Often scanners that include heuristic detection capabilities have these disabled by default. This can be because they add extra overhead to the scanning process, but it can also be because the heuristics are fairly 'liberal'. Particularly in the latter case, you should only enable the scanner's heuristic detection if a new virus is suspected, as it's results may further focus your attention on the likely affected files. Heuristics should also be enabled and set to their highest levels on e-mail gateway scanners and other 'interception points' if there is an unavoidable business need to allow infectible file types into an organization. Some scanners with heuristic detection abilities allow the user to set the 'sensitivity' of the heuristics and again, these should be set to highest sensitivity for e-mail gateway scanners.

Computer Associates Virus encyclopedia contains current information regarding hoaxes. Should you receive any unconfirmed virus warnings you can substantiate them by visiting: the hoax section of our encyclopedia.

So, what is a joke program? Joke programs are usually seen as programs that do no real damage but in some way attempt to raise the program user's concern for the contents of their computer. A classic example is a program that suggests the user's hard drive is about to be reformatted unless they click the 'Cancel' button in time and then starts a ten-second countdown - when the user tries to click the 'Cancel' button, the button jumps away from the cursor. If left to run until the countdown completes, a message is displayed explaining that it was dangerous to run a program sent via e-mail. Although such programs do not perpetrate any direct harm against the user, they can represent a serious risk. The problem that many such 'harmless' joke programs introduce is that some users panic and, decide that rather than risking the loss of their files, they would be better off turning their machine off. In so doing, they will lose any unsaved changes to current work and may corrupt the file system on their machine, causing even greater losses.

While few users tend to think of 'documents' as capable of being infected, any application which supports document-bound macros that automatically execute or usurp standard application functions is a potentially welcoming platform for macro viruses. By the late 1990s, documents had become much more widely shared than diskettes (assisted by the extensive adoption of networking technologies and particularly Internet e-mail) and document-based viruses dominated prevalence statistics. This seems likely to continue for the early years of the 21st century.

An important distinction between mass mailers and slow mailers, at least in terms of threat assessment, is the scale or rate at which they send infective messages. In sending a large number of messages (and hence copies of themselves) at once, mass mailers aim to achieve rapid, widespread distribution. Presumably their writers hope enough recipients of these messages will be lulled into running the attachments (or simply opening the messages in the case of HTML-embedded script viruses) to ensure the virus' distribution outstrips spread of news about the outbreak and/or updates to virus scanners and other countermeasures. With the apparently ever-growing number of people on the Internet through the late 1990s, there was a continuous supply of fresh, very naïve, inexperienced users to be fooled into double-clicking what they should not. Through the use of 'obvious' social engineering tricks, viruses such as VBS/VBSWG.J had a fair shot at their fifteen minutes of fame.

Mass mailers often have the '@mm' suffix to their names, making the additional threat they may pose readily identifiable to the informed (although Computer Associates do not generally use this naming convention). Mass mailers are often referred to as 'worms', but this usage is not entirely accepted, and as 'e-mail worms' (perhaps to distinguish them from 'real worms').

MUTual EXclusion object. Mutex is a program object that allows multiple threads to share the same resource. Any thread that needs the resource must lock the mutex from other threads while it is using the resource. The mutex is unlocked when it is no longer needed or the thread is terminated. The difference between mutex and semaphore is that a mutex is owned by the thread which locked it (that is, only the process which locked the mutex can unlock it). Whereas a semaphore can be changed by another thread or process.

NAT was created as one of the responses to the IPv4 address shortage. Using NAT allows a private or local network to use a different addressing scheme to that of the Internet, and yet still communicate sensibly with the Internet. It also translates all internal network addresses by forwarding only the IP address of the NAT device when traffic leaves the private network. For example, when a message is sent from a machine internal to the network, say with the private IP address of 10.10.10.10, it is stopped by the device and its private IP address is changed to a public address (say, 155.35.171.12) that can then be routed correctly on the Internet.

Some antivirus researchers consider network creepers to be worms

A partition table is a 64 byte data array located at offset 1BEh of master boot records and the boot sectors of extended partitions. Each table has space for only four 16 byte partition definition entries. Each such entry records such data as the beginning and ending sector of the partition, a partition type indicator byte and whether the partition is marked 'active' (or 'bootable'). Beginning and ending sector locations are recorded in absolute CHS terms (relative to any drive geometry translation the BIOS may be set to use).

As the partition table, per se, is just data it cannot be infected. Occasionally the term 'partition virus' or 'partition table virus' is seen or heard. It is a misconception and what is meant is usually a boot virus that infects MBRs.

Pervasiveness refers to a virus' potential to spread. Hence, a worm that has the ability to send itself out to a large number of victims is given a high pervasiveness rating, while a boot sector virus that spreads via 'sneakernet' (i.e. - by the manual sharing of floppy disks), is given a low pervasiveness rating. Varying pervasiveness ratings are often allocated to specific types of malware. CA uses this metric to measure a malware's potential to spread to other computers.  This metric is given the second highest weight, in combination with Wild and Destructiveness metric, to calculate the overall threat assessment.

There are four levels of pervasiveness that can be allocated to a virus in the Encyclopedia:

• None 
• Low
• Medium
• High

None
This rating is given to trojans, hoaxes and in some cases, viruses that may not function as intended (and fail to replicate). Trojans and hoaxes must be maliciously or otherwise sent to potential victims. They do not have the ability to self-replicate; and generally appear in the encyclopedia with a pervasiveness rating of 'N/A' (i.e. - this characteristic is not applicable). Examples include Win32.Butano, W97M/MadCow.A:intended and the Good Times hoax.

Please Note: 'N/A' may also used in encyclopedia entries where a virus' pervasiveness rating is unavailable.

Low
This rating is often given to 'traditional viruses'. This type encompasses the majority of macro viruses and boot sector viruses. These viruses have the capacity to replicate by themselves and require no further human intervention to spread from file to file in an infected PC. However, in order to spread from PC to PC, they hide in floppy disk boot sectors and office files such as documents and spreadsheets that may be shared among users. The limitation that they must be manually sent out or shared in order to infect other PCs, means that they will generally be given a 'low' pervasiveness rating. Examples of such viruses include W97M/Bablas.A, WM/Concept.A and Michelangelo.

Medium
This rating is given to viruses, such as mailers (or slow mailers) that use one or more of the following techniques for distribution:

• Send only one 'infected' message at a time
• Occasionally send small batches of infected messages (for example, sends itself out to the first 10 addresses in the Microsoft Outlook address book)
• The virus may have the capacity to spread out to many users, but utilizes a very specific channel (such as IRC) which will limit its potential for distribution
• Runs its distribution mechanism only once (as opposed to, say, each time the PC is started)
• Has the ability to spread to large numbers of users at one time, but the infection process is so obvious to even the most naïve of users, that it will rarely run without being interrupted

Examples from our encyclopedia include Win32.Funso, Win32.SQL and Win32.Annoying.

High
This rating is given to viruses that can distribute themselves with either great speed or, from a virus writer's perspective- success. This category of pervasiveness is often given to worms and mass-mailing viruses. Malware with a high pervasiveness rating often use one or more of the following techniques:

• Utilizes more than one method of distribution (say by sending itself to all addresses in the Outlook address book, and by spreading through open network shares)
• Performs its distribution process repeatedly (every time the PC is rebooted or at a specific time every day)
• Performs its distribution process in a way that is completely hidden from the user and therefore more likely to run repeatedly without being detected
• Uses 'social engineering' tricks successfully to prompt users to run infected attachments
• Exploits either one or more vulnerabilities in widely distributed software applications (for example - Microsoft Windows)

Examples from our encyclopedia include Win32.Nimda.A, Win32.Badtrans.29020, VBS.ILoveYou.A, W97M/Melissa.A and JS/Kak.A.

The simplest approach to not having a constant decryptor was for the virus writer to produce several implementations of the decryption algorithm and slot just one of those forms into the small unencrypted area of each replicant. A very similar method was to have several different encryptor/decryptor pairs, randomly selecting among them at infection time. The very simplest form of this approach employs just two forms of the decryption code or two encryption/decryption pairs and thus is sometimes referred to as bimorphism. More complex variations on this approach involve more than two forms, but still a number fixed by the fact that the code for each decryptor or encrypt/decryptor pair is present in the virus' code. Whale was the first example of this approach, carrying 30 encryptor/decryptor pairs in its code. Aside from adding some overhead to analyzing the virus, such approaches were still not difficult for scanners to deal with - all the scanner developers had to do was add a scan string for each decryptor.

True polymorphism, however, requires more complexity than simply selecting from a group of constant encryptor/decryptor pairs. Viruses in the V2Px family were the first truly polymorphic viruses, employing such techniques as inserting a variable number of 'do nothing' or 'noise' instructions between the 'viral' instructions, interchanging equivalent but different instructions, and swapping code blocks where the order of execution of the blocks was not important to the overall effect of the code. Such code permutations could be applied to all of a virus' code or just to the decryption routine of an encrypting virus.

One of the most sophisticated forms of polymorphism at the time, in some ways setting the standard against which subsequent polymorphs were judged, was the 'Mutation Engine' (or MtE). It was distributed in the form of an object module which could be linked to the code of a virus body (the code responsible for replication), making that virus polymorphic. More recently, polymorphic viruses have 'benefited' from the advance of 32-bit computing, with some polymorphic engines theoretically capable of reproducing their host virus into 4 billion different forms. Scanning technology has obviously had to evolve well past simple string scanning to deal with such complexity while not labeling every other 'innocent' executable a virus too.