 A - F Index

Admin

PostSubject: A - F Index   Fri Mar 20, 2009 3:47 pm

A
ActiveX controls
ActiveX controls are components that add dynamic and interactive features to Web pages. With ActiveX tools, multimedia effects, animation, and functional applications can be added to Web sites. HouseCall, Trend Micro's online virus scanner, is an example of the application of ActiveX.
ActiveX controls are typically installed with user permission. However, security measures can be circumvented. In some instances, ActiveX components in Web pages are able to run automatically when the Web pages are opened. Visiting users are also sometimes tricked into accepting unwanted ActiveX controls. The unauthorized installation and execution of ActiveX controls can open opportunities for malicious code to install components or to make modifications on visiting systems.

Address Bar Spoofing
Alteration of a browser’s address bar to display a legitimate address. This is done by running a script that removes the browser’s address bar and replaces it with a fake one, which is made up of text or images.

Adware
Adware is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla. While not categorized as malware, many users consider adware invasive. Adware programs often create unwanted effects on a system, such as annoying popup ads and, in some instances, the degradation in either network connection or system performance.
Adware programs are typically installed as separate programs that are bundled with certain free software. Many users inadvertently agree to installing adware by accepting the End User License Agreement (EULA) on the free software.
Adware is also often installed in tandem with spyware programs. Both programs feed off of each other's functionalities - spyware programs profile users' Internet behavior, while adware programs display targeted ads that correspond to the gathered user profiles.

Affected file type
Malware and grayware may arrive as files of a certain type. The term “affect” here could mean the file format (e.g. PE or Win32) that the malware or grayware comes as, or the formats that it attaches to in the case of file infectors.

Affected software
Affected software, Platform and Systems Affected indicate the area(s) affected by a particular threat, whether it is malware, grayware, or vulnerabilities. This list contains the operating systems or applications that need to be installed in the user’s system before the threat performs its malicious routines. It is known that a threat may behave differently across different platforms.

Aliases
Different vendors often have their own approaches towards detection, whether it involves malware, grayware, or vulnerabilities, which can result in different naming conventions. The aliases field in the Virus Encyclopedia, Spyware/Grayware and Vulnerabilities pages indicates other names used to refer to the same threat.

Applications
Applications refer to programs or files often sold commercially.
However, they are also sometimes installed by malware or other grayware and are so powerful in features that they can be misused by users with malicious intent.
Because some of the applications can pose security risks to the systems or networks, it is important for users to be fully aware of their presence.
Many legitimate applications are also unknowingly pushed onto computer systems by scrupulous marketers, distributors, and affiliates without the user's consent or knowledge.

Admin

PostSubject: G H I J K L M Index   Fri Mar 20, 2009 3:48 pm

Grayware
Grayware is Trend Micro's general classification for applications that have annoying, undesirable, or undisclosed behavior.
Grayware applications do not fall into any of the major threat (i.e. virus or Trojan horse) categories as they are subject to system functionality, as well as user debate.
Some items in the Grayware category have been linked to malicious activities, while others are used to provide users with targeted information in terms of product announcements.
Organizations dealing with sensitive information should be generally alarmed by the capability of any application with data gathering functionality.
The majority of grayware fall into the following classes:
Adware
Applications
Data Miners (Tracking Cookies)
Dialers
Hacking tools
Joke programs
Keyloggers
Password cracking applications
Remote Access Programs
Spyware

Grayware size
This field indicates the size (or size range) of the grayware's code in bytes.

Hacking tools
Hacking tools are programs that generally crack or break computer and network security measures. Hacking tools have different capabilities depending on the systems they have been designed to penetrate. System administrators have been known to use similar tools - if not the same programs - to test security and identify possible avenues for intrusion.

Infection Channel
The infection channels listed for a particular malware on the Virus Encyclopedia enumerate the possible avenues of distribution.

Information exposure
A factor derived from the characteristics of the program, application, and/or files. Some spyware or other forms of grayware are known to steal confidential information, such as personal data, passwords, personal user habits or psychographic profile.

In-the-wild

Java applets
Java applets allow Web developers to create interactive, dynamic Web pages with broader functionality. They are small, portable Java programs embedded in HTML pages and can run automatically when the pages are viewed. Malware authors have used Java applets as a vehicle for attack. Most Web browsers, however, can be configured so that these applets do not execute - sometimes by simply changing browser security settings to "high."

Joke programs
Joke programs are considered relatively harmless and are often designed to annoy or make fun of users. They do not infect files, cause damage, or spread to other systems.
Many joke programs are designed to cause unnecessary panic - especially those that cause computers to behave as if something has been damaged. Abnormal system behaviors caused by joke programs include the closing and opening of the CD-ROM tray and the display of numerous message boxes.

Keyloggers
Keyloggers are programs that log keyboard activity. Certain malware employ these programs to gather user information. There are also legitimate keylogging programs that are used by corporations to monitor employees and by parents to monitor their children. Keyloggers usually catch and store all keyboard activity - leaving a person or another application to sort through the keystroke logs for valuable information like logon credentials and credit card numbers.

Kits
Kits are malware-generating applications that often provide users the option to create customized malware. Most kits can produce multiple variations of a malware. Many have been used to generate new variants of existing worms. Antivirus scanners should be capable of detecting kits and their spawn.


Macro viruses
During the late 1990s and early 2000, macro viruses were the most prevalent viruses. Unlike other virus types, macro viruses are not specific to an operating system and spread with ease via email attachments, floppy disks, Web downloads, file transfers, and cooperative applications.
Popular applications that support macros (such as Microsoft Word and Microsoft Excel) are the most common platforms for this type of virus. These viruses are written in Visual Basic and are relatively easy to create. Macro viruses infect at different points during a file's use, for example, when it is opened, saved, closed, or deleted.

Malware
Malware is a program that performs unexpected or unauthorized, but always malicious, actions. It is a general term used to refer to both viruses and Trojans, which respectively include replicating and non-replicating malicious code.

Malware Advisories
Trend Micro issues advisories to inform users of newly discovered malware threats that are either already prevalent or will likely spread. Advisories may also cover proof-of-concept malware and old malware that have recently become newsworthy.
The Malware Advisories tab on the Security Information page is a listing of current and significant malware threats with corresponding risk ratings, the dates when they are incorporated into the list, and the pattern files needed to detect them.

Malware Related [Trojan/Spyware]
Some malware may arrive from an email or execute from a malicious Web site. Once installed, it modifies the Windows Hosts file in such a way that whenever the user visits certain legitimate business sites, such as banks or credit card companies, the browser will be redirected to a spoofed Web site.
Some are memory-resident, meaning they monitor the affected user's Internet browsing activities and wait for the user to visit certain legitimate business sites, such as banks or credit card companies, where they activate.
When a window whose title bar contains certain strings related to the targeted business is activated, a bogus logon window is displayed that is used to trick the user into entering personal account information. Once gathered, the personal information is sent to the malicious user via email.

Malware size
This field indicates the size (or size range) of the malware's code in bytes. For file infectors, this typically indicates the size of the infecting code. Older file infecting viruses are often given names based on their file size to distinguish variants from the same malware family.

Malware-related hoaxes
Malware-related hoaxes are warnings that contain incorrect information about malware or computer system events. These warnings often describe fantastical or impossible malware program characteristics meant to trick users into performing unwanted actions on their computers. Malware-related hoaxes typically reach users as email and often suggest that users forward them, resulting in a waste of time and bandwidth.

Memory-residency
Memory-residency is the ability to stay in computer memory after execution and continuously run. This capability is generally expected of certain malware types, specifically backdoors, which stay in memory to await commands. Certain file infectors also stay in memory to infect files as they are opened, while some worms stay in memory to continually send email.
Programs that stay in memory are generally referred to as memory-resident. The files related to these running programs cannot be modified, deleted, or moved unless they are terminated.

Multi-partite viruses
Multi-partite viruses have characteristics of both boot sector viruses and file infecting viruses.

Admin

PostSubject: N Index   Fri Mar 20, 2009 3:50 pm

NE
NE refers to New Executable, which is the standard Windows 16-bit executable file format. Windows 16-bit viruses are detected by Trend products as

Network Firewall
A network firewall protects a computer network from unauthorized access and is often considered the first line of defense in protecting a computer network against outside threats. On most configurations, data packets entering or leaving a network pass through a firewall, which examines each packet and drops those that do not meet specified criteria. Network firewalls may also be configured to limit how internal users connect externally.
Firewalls, in general, can be implemented as hardware, software, or a combination of both.

Network topology
Topology refers to the shape of a network, or a network's layout, and can be either physical or logical. A network's topology determines how its nodes are connected and how they communicate. The five most common network topologies are Mesh, Star, Bus, Ring, and Tree.

Network viruses
A network virus is a self-contained program (or set of programs) that can spread copies of itself or its segments across networks, including the Internet. Propagation often takes place via shared resources, such as shared drives and folders, or other network ports and services. Network viruses are not limited to the usual form of files or email attachments, but can also be resident in a computer's memory space alone (often referred to as memory-only worms).
In many cases, network viruses exploit vulnerabilities in the operating system or other installed programs. Some existing network viruses have the ability to spread themselves via legitimate network ports, such as port 80 (HTTP), 1434 (SQL), or 135 (DCOM RPC).
Once a network virus infects a new system, it often searches for other potential targets. It achieves this by searching the network for other vulnerable systems. Once a new vulnerable system is found, the network virus will attempt to infect the other system as well.
Some network viruses also have payloads, such as denial of service (DoS) attacks. When such an attack is carried out, infected computers will attempt to overwhelm the target system until it is unable to function properly. Example: The MSBLAST virus carried out a denial of service attack against the URL windowsupdate.com.
The most notorious network viruses are CodeRed, Nimda, SQLSlammer, and MSBlast.
CodeRed spreads as a series of packets in system memory via network port 80 (http) by exploiting a vulnerability hole (MS01-033) in Microsoft IIS (Internet Information Service).
Nimda spreads via network port 80 (http) by exploiting a vulnerability hole (MS00-078) in Microsoft IIS (Internet Information Service). Nimda is considered a blended threat, since it also has the ability to spread itself across the network via shared drives and email attachments.
SQLSlammer spreads as a series of packets in system memory via UDP network port 1434 (SQL) by exploiting a vulnerability hole in Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE).
MSBlast spreads via network port 135 (DCOM RPC) by exploiting a vulnerability in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. It also uses several other network ports (UDP 69, TCP 4444) during its propagation.

NSLookup
Displays information from Domain Name System (DNS) name servers. Given an IP address or a DNS address, it will look up and show the corresponding DNS or IP address.

Password
A password is a character set used to control access to computer systems and files. The use of strong passwords can be critical to securing computer systems as hackers and malware have been known to use relatively effective password cracking methods to break through password-protected systems.

Password cracking applications
Password cracking applications are programs that are designed to crack through password-protected systems. Most password cracking applications use a long list of passwords and user names - accessing target systems using the list contents or combinations of the contents until successful.
Although password cracking is generally illicit, many system administrators regularly run password crackers to test passwords employed by network users.

Pattern file
The pattern file is a protection database that needs to be updated consistently, so as to contain the signature of latest threats. The pattern file works hand in hand with the scan engine module, which enables Trend Micro products to detect known threats in a user’s system or network.

Pattern release date
The Pattern Release Date on Trend Micro’s Security Information page indicates the date when a specific pattern file was released.

Payload
The term payload refers to an action that a malware or grayware performs, apart from its main behavior. For example, payloads for a worm include all other actions it performs apart from its propagation routines.
Payloads can range from something that is relatively harmless, like displaying messages or ejecting the CD drive, to something destructive, like deleting the contents of a hard drive.


PE
PE (Portable Executable) is the standard Win32 executable file format.

Phishing
Phishing is a form of identity theft in which a scammer uses an authentic-looking e-mail from a legitimate business to trick recipients into giving out sensitive personal information, such as a credit card, bank account, Social Security numbers or other sensitive personal information.
The spoofed email message urges the recipient to click on a link to update their personal profile or carry out some transaction. The link then takes the victim to a fake Web site designed to look like the real thing. However, any personal or financial information entered is routed directly to the scammer.

Phishing Link
While the visible link is essentially just display text for the link in a phishing email, the phishing link is the actual link that the visible link pertains to. Users may view the phishing link by passing the pointer over the visible link.

Place of origin
In the Virus Encyclopedia, the place of origin indicates where a virus is believed to have originated.

Polymorphic viruses
Polymorphic viruses are complex file infectors that change physical forms, yet retain the same basic routines, after every infection. Such viruses typically encrypt their codes during each infection, altering their physical file makeup by varying encryption keys every time.
This capability to change their physical makeup can allow polymorphic viruses to evade antivirus scanners, and can require antivirus products to use complex patterns and newer scan engines.

Pop-up window
This technique uses a script that opens a legitimate Web site in the background, while a spoofed pop-up window, usually identical to the legitimate Web site, is opened in the foreground. In effect, this misleads the user into thinking that the pop-up window is directly related to the official page. In some cases, the pop-up window covers a portion of a legitimate Web site.

Port
A port is basically a connection address specified to allow programs on different computers to communicate. This connection address is represented by a port number from 0 to 65536. Like legitimate programs, malware programs that connect to remote systems often use predefined ports. Some malware use random ports that are defined upon connection. System administrators and desktop users can increase system security by controlling the availability of certain ports.
Many ports used by malware and legitimate applications are assigned to specific protocols like HTTP, which uses port 80 by default. IANA maintains a list of port numbers and known uses.

Proof-of-concept
A proof-of-concept is the earliest implementation of an idea. A proof-of-concept malware usually contains code that runs on new platforms and programs or takes advantage of newly discovered vulnerabilities.
Proof-of-concept malware often perform actions that have never been done before. For example, VBS_BUBBLEBOY was a proof-of-concept worm - it was the first email worm to automatically execute without requiring recipients to double-click on an attachment. Most proof-of-concept malware are never seen in-the-wild. However, malware writers will often take the idea (and code) behind a proof-of-concept malware and implement it in future malware.

Proxy server
A proxy server is an Internet connection device. It accepts requests for Internet resources (such as when a Web browser opens a Web page) and attempts to provide the resources if it has it in cache. It will request the page from the actual site if it doesn't have it in cache.
Apart from its caching function, a proxy server can control connection to specific sites. The single point of contact also improves manageability of Internet connections for huge networks.
Some malware have been known to function as proxy servers on infected machines, allowing unauthorized computers to connect to the Internet via infected systems.

Admin

PostSubject: Re: A - F Index   Fri Mar 20, 2009 3:52 pm

Remote Access Programs
Also known as remote access tools or RATs, these programs allow users to access and manipulate remote systems. Many remote access programs are legitimate tools used by all types of users to access files and data on remote computers. The same programs, however, can be used for malicious purposes. Malicious individuals can trick unsuspecting users into installing remote access programs on their machines, or they may install these programs themselves.

Risk rating
When a threat is reported, the risk of the threat is immediately evaluated and a risk rating is assigned: Low, Medium or High for malware and grayware, or Low, Moderate, Important, Critical or Highly Critical for vulnerabilities. Several factors contribute to each risk rating.

Scams and shams
Scams and shams include hoax email messages that promise material gain or even luck to recipients who forward them to other users. Some luck-based hoaxes, often called chain letters, play on people's fear of bad luck. Money-based hoaxes offer incredibly quick cash for simply forwarding a message. Certain popular email scams have actually tricked users into investing their own money in fruitless investments.


Script malware
Scripts are generally written code that is interpreted and implemented by another application. In contrast, compiled programs can run on their own, but are often harder to produce as they have to be compiled.
Malware authors have taken advantage of the relative ease of producing scripts and have produced significant numbers of script malware - many of which are written using Visual Basic Script, JavaScript, and HTML.
Many scripts can run on most systems without the installation of a special interpreter program. For example, certain Windows systems have Windows Scripting Host, which can interpret different script types. Also, HTML scripts are loaded by Web browsers, which are commonly installed on most computers.


Spyware
Spyware is a program that monitors and gathers user information for different purposes. Spyware programs usually run in the background, with their activities transparent to most users. Many users inadvertently agree to installing spyware by accepting the End User License Agreement (EULA) on certain free software.
Many users consider spyware an invasive form of data gathering. Spyware may also cause a general degradation in both network connection and system performance.
The state of California classifies spyware as: programs that are installed under deceptive circumstances; software that hides in personal computers; software that secretly monitors user activity; keylogging software; and software that collects Web browsing histories.


Stealer
A stealer is a Trojan that gathers information from a system. The most common form of stealers are those that gather logon information, like usernames and passwords, and then send the information to another system either via email or over a network. Other stealers, called key loggers, log user keystrokes which may reveal sensitive information.

Symptoms
Symptoms are usually visible means that can help users determine whether the threat being discussed on Trend Micro’s Security Information page has affected their system. File name and file size are not enough to indicate whether a system is indeed affected. However, this information, plus other information like registry entries and other system changes, can help users assess their system, short of using an antivirus product to check for detections. For grayware descriptions, the author/creator of the software is also indicated.
Other information, like the Web site where the malware and grayware are usually located, is sometimes indicated in a specific threat description. This may help alert users that these sites are malicious sites, and should be avoided.

System impact
A factor derived from the behavior and characteristics of the program. Some spyware or other forms of grayware are known to make system modifications without clear notice and consent. Performance and stability issues also contribute to this factor.


Trigger
A trigger is a system condition or date that sets off the payload of a specific threat. A trigger condition can be anything from the presence of a certain file or a specific user action, such as the clicking of certain buttons. For example, a trigger date could be a specific year, month, week, day, day of the week, hour, minute, or second, or a combination of any of these time points.

Trojan
The term Trojan has traditionally been used to refer to malware that performed unexpected or unauthorized actions. Taken from the mythological icon, the Trojan horse, the term originally described malware received by users as legitimate and non-malicious.
Current malware taxonomies typically group non-replicating malware as Trojans.

Urban legends
Urban legends are stories told around day-to-day things, but are incorporated with unusual twists in the form of unlikely facts that are difficult to verify. Designed to elicit emotional response, the most popular urban legends are health and animal scares. Many urban legends are gaining popularity as they spread along with other email hoaxes.

URL Cloaking
A technique that involves masking a URL to conceal its true destination. By using a malformed link, which triggers a vulnerability in Internet Explorer, a URL is displayed in the address bar, which loads the contents of another Web site. The malicious Web site can thus control what is seen in the address bar.

US-CERT
Established in 2003 to protect the USA's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public.

Virus Types
The majority of viruses fall into five main classes:
Boot-sector
File-infector
Multi-partite
Macro
Worm

Visible Link
Phishing emails contain a link where users are asked to update or validate their account information. The link displayed in the email body is called the visible link. Most phishing emails use visible links that are legitimate, making users believe that the email is from a legitimate source. Some use text strings (e.g. “Click here”) in hyperlink form, or a command button to hide the phishing link.

Visited Link
The visited link is the actual link that a user is redirected to once he or she clicks on the phishing link. It may or may not differ from the phishing link. There are instances where the phishing link redirects to another spoofed page. The visited link is the actual address of the phishing Web site.

Vulnerability
A vulnerability is a security weakness in a computing system that is typically found in programs and operating systems. The presence of known vulnerabilities in computing systems can leave these systems very much open to malware and hacker attack. This is because programs that take advantage of known vulnerabilities, commonly referred to as exploits, are often publicly available as source code, which can be customized to create a malware or a hacking tool.
Software vendors typically provide fixes or patches for vulnerabilities found on their products.

Vulnerability identifier
Vulnerability identifiers are unique alphanumeric tags based on the identifier numbers given to security vulnerabilities by Common Vulnerabilities and Exposures (CVE). A single entry under Security Advisories, which can discuss several specific vulnerabilities, can have several identifiers.

Web site Spoofing
Making an entire replica of a trusted site, all links visible in a spoofed site are under one phishing domain. Logos, fonts and colors of existing legitimate sites are used to make the spoofed site look realistic.

WHOIS
Displays information about a domain name or IP address. For example, if a user enters a domain name such as desitwist, whois will return the name and address of the domain’s owner (in this case, Admin).

Worm
A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments.