Glossary of Terms
@m
Signifies the virus or worm is a "mailer". An example is Happy99
(W32.Ska), which only sends itself by email when you (the user) send
mail.
@mm
Signifies the virus or worm is a "mass-mailer". An example is
Melissa, which sends messages to every email address in your mailbox.
Also known as
These are names that other antivirus vendors use to identify this
threat.
Bug
A programming error in a software program which can have unwanted
side effects. Examples: Various web browser security problems, Y2K
software problems.
Category: Hoax
Usually an email that gets mailed in chain-letter fashion describing
some devastating, highly unlikely type of virus. You can usually spot
a hoax because there is no file attachment, no reference to a third
party who can validate the claim, and by the general 'tone' of the
message.
Category: Joke
A harmless program that causes various benign activities to
display on your computer (e.g., an unexpected screen-saver).
Category: Trojan horse
A program that neither replicates nor copies itself, but does damage
or compromises the security of the computer. Typically it relies on
someone emailing it to you; it does not email itself. It may arrive
in the form of a joke program or software of some sort.
Category: Virus
A program or code that replicates, that is, infects another program,
boot sector, partition sector or document that supports macros by
inserting itself into or attaching itself to that medium. Most
viruses just replicate; many also do damage.
Category: Worm
A program that makes copies of itself, for example from one disk
drive to another, or by copying itself using email or some other
transport mechanism. It may do damage and compromise the security
of the computer. It may arrive in the form of a joke program or
software of some sort.
Causes system instability
This payload might cause the computer to crash or to behave in an
unexpected fashion.
Compromises security settings
This payload might attempt to gain access to passwords or other
system-level security settings. It might also search for openings
in the Internet processing components of the computer to install a
program on that system that could be controlled remotely by
someone over the Internet.
Damage
The damage component measures the amount of harm that a given
threat might inflict. This measurement includes triggered events,
clogging email servers, deleting or modifying files, releasing
confidential information, performance degradation, errors in the
virus code, compromising security settings, and ease by which the
damage might be fixed.
Degrades performance
This payload slows computer operations. This might involve
allocating available memory, creating files that consume disk
space, or causing programs to load or execute more slowly.
Deletes files
This payload deletes various files on the hard disk. The number
and type of files that might be deleted vary among viruses.
Distribution
This component measures how quickly a threat is able to spread
itself.
Encrypted Virus
A virus that uses encryption to hide itself from virus scanners.
That is, it jumbles up its program code to make it difficult to
detect.
Geographic distribution
This measures the range of separate geographic locations where
infections have been reported. The measures are high (global
threat), medium (threat present in a few geographic regions), and
low (localized or non-wild threat).
Infection length
This is the size, in bytes, of the viral code that is inserted
into a program by the virus. If this is a worm or Trojan horse the
length represents the size of the file.
Large scale e-mailing
This type of payload involves sending emails out to large numbers
of people. This is usually done by accessing a local address book
and sending emails to a certain number of people within that
address book.
Mobile Code
Code (software) that is transferred from a host to a client (or
another host computer) to be executed (run). When we talk about
malicious mobile code we may use a Worm as an example.
Modifies files
This payload changes the contents of files on the computer and
might corrupt files.
Name of attachment
Most worms are spread as attachments to emails. This field
indicates the usual name or names that the attachment might be
called.
Number of countries
This is a measure of the number of countries where infections are
known to have occurred.
Number of infections
This measures the number of computers that are known to be
infected.
Number of sites
This measures the number of locations with infected computers.
This normally refers to organizations such as companies,
government offices, and the like.
Payload
This is the malicious activity that the virus performs. Not all
viruses have payloads, but there are some that perform destructive
actions.
Payload trigger
This is the condition that causes the virus to activate or drop
its destructive payload. Some viruses trigger their payloads on a
certain date. Others might trigger their payload based on the
execution of certain programs or the availability of an Internet
connection.
Polymorphic Virus
A virus that has the ability to change its byte pattern when it
replicates, thereby avoiding detection by simple string-scanning
techniques.
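The two entries above (Encrypted Virus and Polymorphic Virus) both come down to the same detection problem: a scanner that only looks for a fixed byte string stops matching once the bytes it expects are no longer present verbatim. The following Python example is added here to illustrate that from the scanner's side; it is not code from the glossary's author or from any antivirus product. The "samples" are inert, constructed byte strings (a marker string stands in for a code fragment), single-byte XOR stands in for the virus's "jumbling" of its body, and the layout of a constant decryptor stub followed by a key byte is an assumption made for the illustration. It shows three scanners: plain string scanning, a stub-aware scan that decodes the body before matching (the static counterpart of running the decryptor under emulation), and a stub-independent scan that tries every key, which is what survives when the stub itself is rewritten between copies, as a polymorphic virus does.

```python
from typing import Dict, Tuple

# Illustrative example (added here; not code from the glossary's author or any
# product). All sample bytes are inert, constructed stand-ins; the stub layout
# and key placement are assumptions made for the illustration.

# The fixed byte string a simple string-scanning engine looks for.
PLAIN_SIGNATURE = b"MARKER-BODY-2024"  # constructed stand-in for a code fragment

# Constructed, invariant "decryptor stub" that every encrypted variant starts
# with; the single key byte follows it (an assumed layout).
STUB = b"\xde\xc0\xde"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def make_variant(body: bytes, key: int, stub: bytes = STUB) -> bytes:
    """Build a constructed sample: stub, key byte, then the body 'jumbled' with XOR."""
    return stub + bytes([key]) + xor_bytes(body, key)


def string_scan(data: bytes, signature: bytes) -> bool:
    """Simple string scanning: match only if the signature occurs verbatim."""
    return signature in data


def stub_aware_scan(data: bytes, signature: bytes, stub: bytes = STUB) -> bool:
    """Find the invariant stub, read the key after it, decode what follows and
    apply the signature to the decoded bytes. Works while the decryptor stub is
    constant (encrypted virus); fails once the stub itself changes (polymorphic)."""
    idx = data.find(stub)
    key_pos = idx + len(stub)
    if idx == -1 or key_pos >= len(data):
        return False
    key = data[key_pos]
    return signature in xor_bytes(data[key_pos + 1:], key)


def keyspace_scan(data: bytes, signature: bytes) -> bool:
    """Stub-independent detection: try every one-byte key and look for the
    signature in the decoded stream. Equivalent to searching for all 256
    encodings of the signature, so the shape of the stub no longer matters."""
    return any(signature in xor_bytes(data, key) for key in range(256))


def scan_report(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool, bool]]:
    """Run all three scanners over every sample; returns name -> (string, stub, keyspace)."""
    return {
        name: (
            string_scan(data, PLAIN_SIGNATURE),
            stub_aware_scan(data, PLAIN_SIGNATURE),
            keyspace_scan(data, PLAIN_SIGNATURE),
        )
        for name, data in samples.items()
    }


BODY = b"prefix-" + PLAIN_SIGNATURE + b"-suffix"

# Constructed samples: an unencrypted copy, two encrypted variants sharing the
# same stub, a "polymorphic" variant with a rewritten stub, and a benign file.
SAMPLES: Dict[str, bytes] = {
    "plain": b"header" + BODY + b"trailer",
    "encrypted_key_5a": make_variant(BODY, 0x5A),
    "encrypted_key_9c": make_variant(BODY, 0x9C),
    "polymorphic": make_variant(BODY, 0x31, stub=b"\xba\xad"),
    "benign": b"just an ordinary file with no marker",
}

if __name__ == "__main__":
    for name, (plain, stub, keyspace) in scan_report(SAMPLES).items():
        print(f"{name:18} string={plain!s:5} stub={stub!s:5} keyspace={keyspace!s:5}")
```

Running the block prints one line per sample. The plain copy is caught by string scanning alone; the two encrypted variants defeat it but are caught once the constant stub is used to locate the key and decode the body; the polymorphic variant, whose stub differs, is only caught by the key-space search. Real engines generalize that last step with emulation or heuristics rather than brute force, since real decryptors are not limited to a one-byte XOR, but the ordering of what each technique can and cannot see is the point the two glossary entries make.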
Ports
This field indicates the TCP/IP ports that the threat might
attempt to use.
Releases confidential information
This payload might attempt to gain access to important data stored
on the computer such as credit card numbers.
Removal
This measures the skill level needed to remove the threat from a
given computer. Removal sometimes involves deleting files and
modifying registry entries. The three levels are difficult
(requires an experienced technician), moderate (requires some
expertise), and easy (requires little or no expertise).
Retrovirus
A computer virus that actively attacks an anti-virus program or
programs in an effort to prevent detection.
Sequence number
Sequence numbers are used only by the Norton AntiVirus Corporate
products, and are an alternate method of representing the date of
the latest definitions or required definitions. Sequence numbers
are assigned to signature sets sequentially, and they are always
cumulative. A signature set with a higher sequence number
supersedes a signature set with a lower sequence number.
Shared drives
This field indicates whether or not the threat will attempt to
replicate itself through mapped drives or other server volumes to
which the user might be authenticated.
Size of attachment
This field indicates the size of the file that is attached to the
infected email.
Subject of email
Some worms spread by sending themselves to other people through
email. This field indicates the subject of the email that is sent
by the worm.
Target of infection
This field indicates the types of files that might be infected by
the virus.
Technical description
This section describes the specific details of the infection such
as registry entry modifications and files that are manipulated by
the virus.
Threat assessment
This is a severity rating of the virus, worm or Trojan horse. It
includes the damage that this threat causes, how quickly it can
spread to other computers (distribution), and how widespread the
infections are known to be (wild).
Threat containment
This is a measure of how well current antivirus technology can
keep this threat from spreading. As a general rule, older virus
techniques are well-contained; new threat types or highly complex
viruses can be more difficult to contain, and are correspondingly
more of a threat to the user community. The measures
are high (the threat is well-contained), medium (the threat is
partially contained), and low (the threat is not currently
containable).
Time stamp of attachment
This field indicates the date and time of the file attachment.
Virus definitions date
This field indicates when virus definitions that include
protection for this virus were publicly available.
Wild
The wild component measures the extent to which a virus is already
spreading among computer users. This measurement includes the
number of independent sites infected, the number of computers
infected, the geographic distribution of infection, the ability of
current technology to combat the threat, and the complexity of the
virus.