The document defines various terms related to computer security and viruses. It provides definitions for terms like 3G, adware, anti-virus databases, anti-virus engines, anti-virus updates, application programming interfaces, archive files, attack signatures, backdoor Trojans, bandwidth, batch files, behavioral analysis, binary code, and browser hijackers. The document serves as a glossary of security-related technical terms.

1. Security Glossary
http://www.viruslist.com/en/glossary
3
3G
3G (short for 3rd Generation) is the general term for technologies and standards
designed to combine high speed mobile access with IP [Internet Protocol]-based
services. 3G will improve the performance of wireless services, including greater
data speeds and improved capacity for accessing multimedia data.
The ultimate goal is to provide broadband, always-on access to Internet-based
services.
The term is used to distinguish emerging wireless technologies from the earlier
analog cellular phone systems (1G) and the digital technologies that succeeded
them (and are still in use today).
A
Adware
Synonyms: AdvWare
Programs designed to launch advertisements, often pop-up banners, on host
machines and/or to re-direct search engine results to promotional web sites.
Adware programs are often built into freeware or shareware programs, where the
adware forms an indirect ‘price’ for using the free program. Sometimes a Trojan
silently downloads an adware program from a web site and installs it onto a user’s
machine. Or hacker tools, often referred to as Browser Hijackers (because they
subvert the web browser to install a program without the user’s knowledge),
download the adware program using a web browser vulnerability.

2. Browser Hijackers may change browser settings, re-direct incorrect or incomplete
URLs, or change the default homepage. They may also re-direct searches to ‘payto-view’ (often pornographic) web sites.
Typically, many adware programs do not show themselves in the system in any
way: no listing under Start | Programs, no icons in the system tray, nothing in the
task list. In addition, adware programs seldom come with a de-installation
procedure and attempts to remove them manually may cause the original carrier
program to malfunction.
AIM [AOL Instant Messenger]
AIM is a specific implementation of IM [Instant Messaging].
Anti-virus databases
Anti-virus databases hold the data needed to find and remove malicious code. The
databases contain a series of virus definitions (or signatures), unique sequences of
bytes specific to each piece of malicious code. Signature analysis is one of the key
methods used to find and remove malicious code.
Anti-virus engine
The engine, the core of any anti-virus product, is a software module that is
purpose-built to find and remove malicious code. The engine is developed
independently of any specific product implementation. So it ‘plugs-in’ equally
well into personal products (such as personal scanners or real-time monitors), or
solutions for servers, mail scanners, file servers, firewalls and proxy-servers.
These products may be developed by the engine developer, or they may be
developed by third parties who integrate the engine into their application or
business process using the engine SDK.
The reliability of malicious code detection, and hence the security level provided
by the products that use it, is determined by the quality of the engine.

3. Anti-virus update
Synonyms: Anti-virus upgrade
Nearly all anti-virus programs make use of signature analysis: that is, using a
database that contains byte sequences belonging to known viruses, worms,
Trojans or other malicious code. As the list of known threats grows, new virus
definitions (or signatures) are added to the anti-virus databases. Anti-virus
researchers at Kaspersky Lab, for example, add around 200 new records to the
database every day. Enhanced protection is passed on to users in the form of an
update. In addition, new anti-virus engine functionality may also be delivered as
part of an anti-virus database update.
Signature analysis is not the only protection method available. Anti-virus
solutions have become increasingly sophisticated over the years, to counter the
growing complexity of malicious programs. Proactive detection mechanisms
designed to detect new threats before they appear in the field, such as heuristic
analysis, generic detection or behavioral analysis, are also an important first line
of defense.
Nevertheless, regular updating of anti-virus protection remains important, given
the speed at which today’s threats are able to spread. Anti-virus vendors have
successively reduced the time interval between virus definition updates: first
quarterly, then monthly, then weekly, then daily updates. Kaspersky Lab now
provides incremental virus definition updates every hour.
API [Application Program Interface]
An API defines the way that a piece of software communicates with other
programs, allowing these programs to make use of its functionality. The API
provides a series of commonly-used functions that third party developers might
need. For example, an operating system vendor provides an API that allows
developers to write applications that are consistent with the operating system.
Typically, the API comes with a set of routines, modules and protocols that can be
used to access the program’s functionality, known as an SDK [Software

4. Development Kit].
Although distinct, the two terms are often
used
interchangeably. An anti-virus engine API provides a way for third parties to
integrate anti-virus scanning into their application or business process.
Archive bomb
This is a seemingly small archive file that is actually highly compressed and
expands into a huge file or several identical files. Such archives typically take
quite a long time to scan, thus potentially forming a DDoS attack on an anti-virus
program that tries to scan them. Good anti-virus programs include a smart
algorithm to avoid extracting such files.
Archive file
An archive file is a collection of data files that have been packaged together. This
is done to save space (when backing up a series of files to removable media, for
example) or to save data transmission time (when making files available for
download or when transferring them via e-mail, for example).
Programs that compress data into archive files are called archivers. WinZip is
probably the best known of these: in fact, many people equate ‘zipping’ a file with
archiving it, even when using a different archiver.
There are numerous archiving programs on the market, though the most familiar
include WinZip and WinRAR. Most are capable of creating and accessing ZIP
files, in addition to whatever format the program is designed to product. The most
common archive file formats are ZIP, RAR, ARJ and CAB. The CAB format is
used to archive many Microsoft® Windows® distribution files.
It’s important for anti-virus programs to scan inside these files. Otherwise any
archived file could provide a convenient hiding place for malicious code. Some email worms have even been deliberately distributed as archive attachments.

5. Good anti-virus programs also scan recursively (a ZIP within a ZIP, for example)
and include a smart algorithm to avoid extracting archive bombs.
ASCII [American Standard Code for Information Interchange]
Developed by ANSI [American National Standards Institute], ASCII is one of the
most common standards for representing text in a computer. Each character
(alphanumeric or special character) is represented by a binary number.
DOS- and Unix-based operating systems use ASCII. Windows® NT, Windows®
2000 and Windows® XP use a more recent standard called Unicode.
Attack signature
A file containing a data sequence used to identify an attack on the network,
typically using an operating system or application vulnerability. Such signatures
are used by an Intrusion Detection System [IDS] or firewall to flag malicious
activity directed at the system.
B
Backdoor Trojans
These are the most dangerous, and most widespread, type of Trojan. Backdoor
Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’
of victim machines. Unlike legitimate remote administration utilities, they install,
launch and run invisibly, without the consent or knowledge of the user. Once
installed, backdoor Trojans can be instructed to send, receive, execute and delete
files, harvest confidential data from the computer, log activity on the computer
and more.
Bandwidth
In computer networking, bandwidth refers to data transfer rate (how fast data
travels) and is normally measured in bits per second (bps). For example, a modem
operating at 57,600 bps has twice the bandwidth of a modem working at 28,800
bps.

6. Batch file
A batch file (which has the extension BAT) is designed to automate the execution
of multiple commands on a computer. The batch file itself is a text file. However,
it contains a list of instructions (including commands to run programs) that are
carried out unattended when the batch file is run.
Behavioral analysis
This refers to the technique of deciding whether an application is malicious or not,
according to what it does. If an application does something that falls outside the
range of ‘acceptable’ actions, its operation is restricted. For example, trying to
write to certain parts of the system registry, or writing to pre-defined folders, may
be defined as a threat. The action can be blocked, or the user notified about the
attempted action. This fairly simple approach can be further refined. It's possible,
for example, to restrict the access of one application (let's say allowing a web
browser read-only access to limited portions of the system registry) while giving
unrestricted access to other programs that do not use the Internet.
An alternative behavioral method is to 'wrap' a downloaded application and
restrict its action on the local system. Here the application is run in a protective
'sandbox' [sometimes called a ‘playground’, or ‘secure cache’] to limit its actions
according to a pre-defined policy. The activity performed by the program is
checked against a set of rules. Depending on the policy, the program’s actions
may be considered a violation of the policy, in which case the rogue action is
blocked.
Binary code
Synonyms: Object code
This term is applied to the compiled instructions contained within an executable
file. Binary code is not human-readable and can only be ‘understood’ by the
computer’s processor when the program is run.

7. Source code, by contrast, is made up of the statements created by a programmer
using a text editor. Source code is human-readable, for anyone who understands
the conventions used by that programming language (‘C’, ‘C++’, etc.), but can not
be executed by a computer’s processor until it has been compiled.
BIOS
The BIOS [Basic Input-Output System] refers to the instructions contained in one
of the chips in the PC. It is used to start the PC and is used by the operating
system to access the computer’s hardware.
Bit
Bit is a contraction of ‘binary digit’ and is the smallest unit of measurement for
computer data. As the name suggests, bits are counted in base-2, so the value of
any given bit will be either 0 or 1 (its value being defined by whether it is above
or below a set level of electrical charge within a capacitor).
Eight bits (called a byte) are required for a single alphanumeric character. Higher
multiples used to measure data are the kilobyte (1,024 bytes), the megabyte
(1,048,576 bytes), the gigabyte (1,073,741,824 bytes) and the terabyte (1,000
gigabytes).
Bandwidth (how fast data travels) is normally measured in bits per second.
Blacklist
Synonyms: Black hole list, Realtime black list, RBL [Realtime Blocklist]
Used as one method of filtering spam, blacklists provide a list of known sources
of unwanted e-mail. Traffic from listed IP addresses is simply blocked. Several
public blacklists are available, one of the best known being the Mail Abuse
Prevention System [MAPS].

8. The use of blacklists helps to force ISPs [Internet Service Providers] to monitor
their own outgoing e-mail and so avoid the negative commercial effects of being
‘blacklisted’.
Blended threat
Blended threats is a general description for malicious programs or bundles of
malicious programs that combine the functionality of different types of malware:
viruses, worms, Trojans and so forth.
As applications and operating systems as well as security products have become
more sophisticated, virus writers have retaliated by creating more and more
complex malicious programs.
A malicious program needs to meet most of the following criteria to be called a
blended threat:
Have more than one payload - launch a DoS attack, install a backdoor, damage a
local system etc.
Replicate and/or spread in a number of ways - via email, IRC channels, filesharing networks, download copies of itself from compromised web sites etc.
Use multiple attack methods - infect exe files, modify more than one registry key,
modify HTML files etc.
Bluetooth
Bluetooth is a specification for short-range wireless connectivity between
Bluetooth-enabled devices (PCs, PDAs, smartphones or pagers fitted with the
appropriate chip). Bluetooth has a range of 10 metres and currently supports a
transfer rate of 1Mbps. The Bluetooth specification is maintained by the Bluetooth
SIG [Special Interest Group], set up in 1998 and made up of more than 2,000
members (including Microsoft®, IBM, Intel, Nokia, Toshiba, Motorola, Sony
Ericsson and many others).
Boot

9. The process of starting a PC, during which the BIOS then the operating system are
loaded.
Boot disk
Synonyms: System disk
A disk containing the system files required to load an operating system. These
files may be located on a hard disk or removable media (floppy disk, CD or USB
memory storage device).
Boot sector
The boot sector is the area on a hard disk and floppy disks containing instructions
that are executed during the boot process, i.e. when the PC starts. Among other
things, the boot sector specifies the location of the operating system files. On a
hard disk, the boot sector is the first sector(s) on the bootable partition, i.e. the
partition containing the system files. On a floppy disk, the boot sector if the first
sector on the disk: all floppy disks contain a boot sector, even if they are just data
disks.
Boot sector virus
A boot sector virus is one that infects by replacing code in the boot sector of a
floppy disk (and sometimes a hard disk) with its own code. This ensures that
whenever an attempt is made to boot from the infected disk, the virus loads before
the operating system.
These viruses are very uncommon now, but in the first half of the 1990s, when
floppy disks were the main means of transferring data, they represented the main
threat to PC users. Typically, a boot sector virus infected the hard disk when a
user inadvertently left an infected floppy disk in drive A. When the PC was next
booted, the system would try to boot from the floppy disk and the virus code
would execute, regardless of whether or not the floppy disk was a system disk or
just a data disk. Most boot sector viruses then infected the MBR [Master Boot
Record] of the hard disk, rather than the boot sector.

10. Bridge
A bridge connects two LANs [Local Area Networks]: it examines data sent across
the network to determine which LAN it should be delivered to.
Broadband
Synonyms: DSL
Broadband (delivered through a Digital Subscriber Line [DSL]) is generally
applied to telecommunications in which a wide range of frequencies is available
for transmission of data, typically voice and data together. So broadband provides
an always-on connection, allowing home user to access the Internet while still
being able to use the telephone. Clearly this is more efficient than using a dial-up
connection, which makes exclusive use of a telephone line. In addition, broadband
typically also provides a faster connection, of 512Kbps, 1Mbps, 2Mbps or more.
Browser Helper Object
A Browser Helper Object [BHO] is a DLL that loads every time Microsoft®
Internet Explorer runs. Typically, a BHO is installed by a third party program to
enhance the functionality of the web browser (many Internet Explorer plugins, for
example, are BHOs).
BHOs can be installed silently, or can be installed ‘quietly’ (many users fail to
read the small print that comes with the EULA [End User License Agreement]
displayed by the freeware program). Also, because they’re programs, they can do
anything that other programs can do. On top of this, there’s no easy way to list the
BHOs installed on the PC. As a result, BHO functionality can be misused (to
install adware or track browsing habits, for example).
Browser Hijacker
Browser Hijackers modify the user’s web browser settings. This may involve
changing the default home page, re-directing searches to unwanted web sites,
adding unwanted (sometimes pornographic) bookmarks or generating unwanted
pop-up windows.

11. Bug
A bug is an unintentional fault in a program.
Some people mistakenly refer to viruses, worms or Trojans as ‘bugs’. This is
incorrect: bugs are unintentional, whereas malicious code represents a deliberate
misuse of a user’s computer.
Byte
A byte is made up of eight bits and is the data required for a single alphanumeric
character.
C
Cache
A cache is used to store data temporarily, typically recently accessed files (cache
memory, disk cache or web browser cache, for example). Since accessing the
cache is quicker than accessing regular Random Access Memory [RAM] or disk,
files stored in the cache can be accessed without the need for the processor to
carry out the more intensive work of reading data from regular memory or disk.
CARO [Computer Anti-Virus Research Organization]
CARO, set up in December 1990, is an informal forum in which anti-virus experts
who trust each other could exchange ideas and information on malware.
Classic virus (Virus)
Synonyms: Computer virus, Malicious program
Today the term virus is often loosely used to refer to any type of malicious
program, or is used to describe any ‘bad thing’ that a malicious program does to a

12. host system. Strictly speaking, however, a virus is defined as program code that
replicates.
Of course, this simple definition leaves plenty of scope for further sub-division.
Sometimes viruses are further classified by the types of object they infect. For
example, boot sector viruses, file viruses, macro viruses.
Or they may be classified by the method they use to select their host. ‘Indirect
action file viruses’ load into memory and hook into the system such that they can
infect files as they are accessed. Conversely, ‘direct action file viruses’ do not go
memory resident, simply infecting a file (or files) when an infected program is run
and then ‘going to sleep’ until the next time an infected file is run.
Another way of classifying viruses is by the techniques they use to infect. There
are ‘appending viruses’ that add their code to the end of a host file, ‘prepending
viruses’ that put their code at the start of a host file and overwriting viruses that
replace the host file completely with their own code. By contrast, companion
viruses and link viruses avoid adding code to a host file at all.
Then there are stealth viruses that manipulate the system to conceal changes they
make and polymorphic viruses that encrypt their code to make it difficult to
analyze and detect.
Of course, there are also viruses that fail to work: they either fail to infect or fail
to spread. Such would-be viruses are sometimes referred to as ‘wanabees’.
Command line
Synonyms: Command Line Prompt, CLI [Command Line Interface], Command
Prompt, DOS prompt
The command line provides a keyboard-driven interface between a computer and
the user. The user types in a command and the computer processes the appropriate

13. instruction for that command, after which it displays a specified prompt indicating
to the user that the system is ready for further commands.
MS-DOS was a command line driven system. Microsoft® Windows®, by
contrast, offers a Graphical User Interface [GUI] and the means to input
instructions using a mouse (in addition to command line access. Most Unix-based
operating systems also offer both command line and GUI interfaces.
Companion virus
A specific type of virus where the infected code is stored not in the host program,
but in a separate ‘companion’ file. For example, the virus might rename the
standard NOTEPAD.EXE
file to NOTEPAD.EXD
and create a
new
NOTEPAD.EXE containing the virus code. When the user subsequently runs the
Notepad application, the virus will run first and then pass control to the original
program, so the user doesn’t see anything suspicious.
Compound threat
This general description, first used in the wake of the Nimda outbreak in
September 2001, is used to describe those threats that come as a composite
‘bundle’ of malicious programs, using several mechanisms to spread and/or attack
their victims. This includes the following.
Spread via e-mail, the Internet, IRC channels, file-sharing networks, download
from compromised web sites, etc.
The use of application vulnerabiities.
Making use of Trojans to steal confidential data, download other malicious code,
launch a DDoS attack, etc.
In the days when MS-DOS was the primary PC operating system, the term
‘multipartite’ was used to describe viruses that used more than one technique to
spread (infecting programs and system sectors).
Compressed file

14. Synonyms: Packed file
A compressed file is one where the data belonging to the file has been reduced in
size to save space or data transmission time. For example, software developers
make use of various compression utilities to reduce the size of installation files
distributed on removable media. At run-time, of course, the file is de-compressed
automatically, with no user intervention needed.
There are thousands of different compression methods and the compression
algorithms used by them vary. At the simplest level, however, compression could
be as straightforward as removing repeating characters in a file (a data area in a
program, for example, may be initialized with zeroes) and replacing them with a
short marker that specifies how many bytes have been removed and what
character should be there.
While compression is used in legitimate programs, it is also used by authors of
malicious code. It is very common for Trojans, in particular, to be released in
compressed form (and sometimes re-released in a re-packaged form).
Worm
Synonyms: Computer worm, Email worm, Internet worm, Network worm
Worms are generally considered to be a subset of viruses, but with key
differences. A worm is a computer program that replicates, but does not infect
other files: instead, it installs itself on a victim computer and then looks for a way
to spread to other computers.
From a user’s perspective, there are observable differences. In the case of a virus,
the longer it goes undetected, the more infected files there will be on the victim
computer. In the case of a worm, by contrast, there is just a single instance of the
worm code. Moreover, the worm’s code is ‘self-standing’, rather than being added
to existing files on the disk.

15. Like viruses, worms are often sub-divided according to the means they use to
infect a system. E-mail worms are distributed as attachments to e-mail messages,
IM worms are attached to messages sent using instant messaging programs (such
as IRC or ICQ). P2P [peer-to-peer] worms use file-sharing networks to spread.
Network worms spread directly over the LAN [Local Area Network] or across the
Internet, often making use of a specific vulnerability.
The term ‘worm’ was coined by sci-fi writer John Brunner in his 1975 novel
Shockwave Rider. The hero, a talented programmer, created self-replicating
computer programs that tunneled their way through a worldwide network.
Cookie
A cookie is the name given to a small piece of information saved to a user’s
machine by a web site that the user visits. Cookies are often used to store user
preferences about a web site, login information or even advertising information
that has been displayed to the user during their visit to the site.
D
DDoS [Distributed Denial of Service] attack
A DDoS attack is broadly similar to a DoS attack, designed to hinder or stop the
normal functioning of a web site, server or other network resource. A DDoS
attack differs only in the fact that the attack is conducted using multiple machines.
The hacker or virus writer typically use one compromised machine as the ‘master’
and co-ordinates the attack across other, so-called ‘zombie’, machines. Both
master and zombie machines are typically compromised by exploiting a
vulnerability in an application on the machine to install a Trojan or other piece of
malicious code.
DHA [Directory Harvest Attack]

16. A DHA is one method used by spammers to collect valid e-mail addresses.
Spammers either target these addresses directly in their own spam attack, or to sell
them on to other spammers.
The spammer first selects a domain (let’s say ‘victim_domain.com’) and then
sends speculative e-mail messages to possible addresses within that domain (for
example, ‘jack@victim_domain.com’, ‘jill@victim_domain.com’, etc.). If the email server at ‘victim_domain.com’ doesn’t reject the e-mail, the spammer knows
that a given e-mail address is valid and can be used as a target in a spam attack.
Dial-up connection
A dial-up connection is one that makes exclusive use of a standard telephone line
to send and receive data. The connection is made using a modem.
Disassembler
A disassembler is a program used to convert binary code into assembler language,
a human-readable version of machine code. It’s a form of reverse engineering,
used by programmers to debug code.
Virus researchers use various tools (including purpose-built, bespoke programs) to
disassemble malicious code and determine how it works.
DNS poisoning
Synonyms: DNS cache poisoning, Pharming
DNS servers located throughout the Internet are used to map domain names to IP
addresses. When a user types in a URL, a nearby DNS server will map the domain
to an IP address or pass it to another DNS server. In fact, there are a relatively
small number of very big DNS servers. These provide many smaller DNS servers
with DNS entries that are stored in the cache of the smaller DNS servers.
DNS poisoning is the manipulation of IP addresses for entries stored in the cache
of a smaller DNS server: the aim is to make the DNS server respond, not with the

17. correct IP address, but with one that contains malicious code. Here’s an example.
If a user types the URL ‘www.kaspersky.com’ in the web browser, the DNS
server should respond with the IP address 81.176.69.70. However, a poisoned
DNS server would map this domain name to an IP address that contains malicious
code.
DNS poisoning is only possible where there is a vulnerability or other security
weakness in the operating system running on the DNS server.
DNS [Domain Name System] server
DNS servers located throughout the Internet are responsible for the translation of
domain names into IP addresses. When a user types in a URL, a nearby DNS
server will map the domain to an IP address or pass it to another DNS server.
There is also a sort of ‘mini DNS server’ stored within Microsoft® Windows®
operating systems, called the hosts file.
Domain name
Domain names are used to locate an organization on the Internet. Each domain
name maps to a specific IP address.
So, for example, in the URL www.kaspersky.com, the ‘com’ part of the domain
name is the top-level and indicates the general purpose of the organization, in this
case ‘commercial’ (others include ‘org’, ‘net’, or geographic domains like
‘co.uk’).
The ‘kaspersky’ part of the domain name is the second-level and is a descriptor
for the organization itself: this can be thought of as a human readable version of
the IP address. Second-level domain names must be unique (and are registered
through ICANN [Internet Corporation for Assigned Names and Numbers]).
The ‘www’ part of the domain name indicates the server (in this case, web server)
that handles Internet request.

18. The translation of domain names into IP addresses is carried out by DNS servers
located throughout the Internet. When a user types in a URL, a nearby DNS server
will map the domain to an IP address or pass it to another DNS server. There is
also a sort of ‘mini DNS server’ stored within Microsoft® Windows® operating
systems, called the hosts file.
DoS [Denial of Service] attack
A DoS attack is designed to hinder or stop the normal functioning of a web site,
server or other network resource. There are various ways for hackers or virus
writers to achieve this. One common method is simply to flood a server with more
network traffic than it is able to handle. This prevents it from carrying out its
normal functions and in some circumstances crashes the server completely.
A DDoS attack differs only in the fact that the attack is conducted using multiple
machines. The hacker or virus writer typically use one compromised machine as
the ‘master’ and co-ordinates the attack across other, so-called ‘zombie’,
machines. Both master and zombie machines are typically compromised by
exploiting a vulnerability in an application on the machine, to install a Trojan or
other piece of malicious code.
Download
Where a file is transferred from one computer to another, the receiver is said to
download the file. For example, anti-virus updates are downloaded to a user’s
computer from an anti-virus vendor’s server.
E
E-mail

19. E-mail (short for ‘electronic mail’) is a method of sending messages electronically
from one computing device to another. Plain text e-mails are normally encoded in
ASCII text, although many e-mail client applications (Microsoft® Outlook®, for
example) support HTML, allowing non-text messages to be sent. It is also
possible to send non-text files as a binary attachment to an e-mail message.
SMTP is the standard protocol used for sending e-mail across the Internet,
although the POP3 protocol is also commonly used for receiving e-mail that has
been stored on a remote server (by an ISP, for example). Many web browsers
(including Microsoft® Internet Explorer) also provide support for POP3.
EICAR [European Institute for Computer Anti-Virus Research]
EICAR was formally set up in September 1991 (although an inaugural meeting
had taken place in the previous year), with the aim of providing a forum for
technical, security and legal experts from the security industry, government and
corporate bodies to combine their efforts against malicious code. EICAR was
designed to complement the CARO organization, which is made up solely of antivirus experts.
EICAR is probably best known for providing an industry-standard test file (the
‘EICAR Standard Anti-Virus Test File’) that can be used to check that anti-virus
software has been installed correctly, is working and responds appropriately when
a virus has been detected.
Encryption
Encryption describes the process of jumbling up data in such a way that it can not
be easily understood by those who are not authorized to do so. The jumbled data
is stored as ‘ciphertext’. A key, known as a decryption key, is required in order to
access the original data.

20. Encryption is used to keep prying eyes away from data that is in transit between
sender and recipient (data sent over the World Wide Web during an online
banking transaction, for example).
Modern encryption methods require both sender and recipient (or software
installed on sender and recipient computers) to hold compatible decryption keys.
This may take the form of a single shared key. Or it may be the combination of a
private key created by the recipient and a public key available to anyone wishing
to send data to the recipient: this is known as a PKI [Public Key Infrastructure].
Encryption is a two-way street in the computer world today. While individuals
and businesses use it to protect legitimate communication, virus writers encrypt
malicious programs to conceal them from anti-virus products: in this case, since
the virus writer wants the user to run the encrypted attachment, he must include
the key as part of the transmission (by including the password in an e-mail
message, for example).
Executable files
Synonyms: EXE files, PE EXE files
An executable file is a program in binary code that is ready to be run by the
computer without any further human intervention.
Common file extensions for executable fields in Windows include .exe, .com, .dll,
.bat. An executable file that is dynamically linked to another program is called a
dynamic link library.
Windows Portable Executable (PE) files are simply executable files that work
across all Microsoft 32-bit operating systems, which is why the majority of
malware for Windows written today is written in this format.
In Unix, executable files are marked with a special permission flag in the file
attributes.

21. Exploit
The term exploit describes a program, piece of code or even some data written by
a hacker or virus writer that is designed to take advantage of a bug or vulnerability
in an application or operating system. Using the exploit, an attacker gains
unauthorized access to, or use of, the application or operating system.
The use of exploits by hackers and virus writers has increased during the last few
years. Typically, exploit code is used to gain access to confidential data or to use
the victim machine for further unauthorized use.
Exploits are often named after the vulnerability they use to penetrate systems: a
buffer overflow, for example.
F
False positive
Synonyms: False alarm
A false positive is another way of saying ‘mistake’. As applied to the field of antivirus programs, a false positive occurs when the program mistakenly flags an
innocent file as being infected. This may seem harmless enough, but false
positives can be a real nuisance.
You waste productivity due to user down-time.
You may take e-mail offline, as a security precaution, thus causing a backlog and
more lost productivity
You waste even more time and resources in futile attempts to disinfect ‘infected’
files. And if you load a backup, to replace ‘infected files, the backup appears to be
infected too.
In short, false positives can be costly nuisances.

22. The term is not confined just to the anti-virus world. It also applies, for example,
to anti-spam protection, where it refers to the misidentification of a legitimate email message as spam. This too could be very costly, since the undelivered e-mail
may be a business critical message.
False negative
A false negative is simply another name for missing something. Applied to antivirus programs, it refers to a failure to detect malware that is present on a system.
FAT [File Allocation Table]
The term FAT is used to describe the file system used by Microsoft® MS-DOS,
Windows® 9x and Windows® ME operating systems. Specifically, the file
allocation table is the index used by the operating system to keep track of the
clusters (a group of disk sectors) belonging to each file stored on a disk. Clusters
are the basic unit of logical storage used by the operating system: and the FAT is
required because the clusters belonging to a file may not be stored contiguously.
When a file is written to the disk, the operating system creates a FAT entry for the
file: this notes the location of the file’s start cluster and its overall size. When
access to the file is later required, the operating system can then piece together
each cluster belonging to the file and load the file into memory for processing.
Alternative file systems are NTFS, used by Windows® NT, Windows® 2000 and
Windows® XP, and HPPS [High Performance File System] used by OS/2.
File virus
Viruses are often classified according to the objects they infect. File viruses, as the
name suggests, are designed to add their code to files (generally program files).
Firewall
Synonyms: Personal Firewall
This term is taken from the world of fire fighting, where a firewall is a barrier
created to block the spread of a fire.

23. In computing, a firewall forms a barrier between a computer system (either a
corporate system or a single user) and the outside world: the aim is to prevent
outsiders from gaining unauthorized access to the protected network. The firewall
monitors incoming and outgoing network traffic and decides whether to forward it
or block it depending on the security policy that has been set.
Typically, a firewall is installed on a router at the Internet gateway, although it
may also be used to guard the boundaries between networks and user groups.
Today, most enterprises use ‘stateful’ firewalls: they monitor the state of network
connections over a period of time (rather than simply examining packet headers).
The system administrator creates lists of legitimate data packets for each
connection and the firewall passes only packets which match known connections
and reject all others.
Personal firewalls are software-based. They protect single users from hacker
attacks and potentially damaging data packets sent via the Internet and also limit
the scope of applications on the protected computer. Such protection, as a
supplement to anti-virus protection, has become a ‘must’ for those with always-on
broadband connections.
Format
Formatting is the process by which a new disk is prepared for use by the operating
system.
FTP [File Transfer Protocol]
FTP is a protocol for exchanging files between computers on the Internet and is
often used to download files. FTP can be accessed from the command prompt, or
through a web browser.

24. G
Gateway
A gateway connects one network to another. An Internet gateway, for example,
controls access to the Internet.
Generic detection
Generic detection refers to the detection and removal of multiple threats using a
single virus definition. The starting-point for generic detection is that successful
threats are often copied by others, or further refined by the original author(s). The
result is a spate of viruses, worms or Trojans, each one distinct but belonging to
the same family. In many cases, the number of variants can run into tens, or even
hundreds.
Generic detection involves creating a virus definition that is able to identify all
threats belonging to the same family. So when ‘NewVirus’ appears, the definition
created to detect it will also successfully identify ‘NewVius.b’, ‘NewVirus.c’,
‘NewVirus.d’, etc. if and when they’re created. Such techniques extend also to
detection of exploit code that may be used by a virus or worm. While generic
detection is not guaranteed to find all variants in the family, it has been used with
considerable success by a number of anti-virus vendors.
Gigabyte
A gigabyte [GB] is a unit of measurement for computer storage and is equivalent
to a thousand million kilobytes, or 1,073,741,824 bytes.
H
Hacker

25. This term was once used to describe a clever programmer. In recent years, this
term has been applied to those who exploit security vulnerabilities to try and break
into a computer system. Originally, those who break into computer systems (for
malicious purposes or as a challenge) were known as ‘crackers’.
Hardware
The term hardware refers to the physical components of a computer (system unit,
monitor, keyboard, mouse, etc.).
Heuristic analysis
The word heuristic is derived from the Greek ‘to discover’ and refers to a learning
method based on speculation or guess-work, rather than a fixed algorithm. In the
anti-virus world, heuristic analysis involves using non-specific detection methods
to find new, unknown malware.
The technique, which has been in use for many years, involves inspecting the code
in a file (or other object) to see if it contains virus-like instructions. If the number
of virus-like instructions crosses a pre-defined threshold, the file is flagged as a
possible virus and the customer is asked to send a sample for further analysis.
Heuristic analysis has been refined over the years and has brought positive results
in detecting many new threats.
Of course, if heuristics aren’t tuned carefully, there’s a risk of false positives.
That’s why most anti-virus vendors using heuristics reduce their sensitivity to
minimize the risk of false alarms. And many vendors disable heuristics by default.
A further drawback is that heuristics is 'find-only'. In order to clean, it’s necessary
to know what specific changes the malware has made to the affected object.
Extensive use of heuristic analysis is also made in anti-spam solutions, to
highlight those characteristics of an e-mail message that are spam-like.

26. Hexadecimal
Hexadecimal (or ‘hex’ for short) refers to the counting of numbers in base-16, in
which there are 16 sequential digits in each unit. Since our standard decimal
counting system only goes as far as 9 before we have to switch to another unit,
hexadecimal is represented using the numbers 0-9 and the letters A-F. The
following table provides a few examples of how decimal numbers ‘translate’ into
hexadecimal.
Hexadecimal is often used by low-level programmers since it makes it easier to
represent the binary numbers used at machine level (when debugging a program,
or examining sectors on a disk using a sector editor, for example). A byte contains
eight bits (binary digits), but the same eight bits can be represented using just two
hexadecimal numbers.
Hoax
A hoax is a fake warning about a virus or other piece of malicious code. Typically
a hoax takes the form of an e-mail message warning the reader of a dangerous
new virus and suggesting that the reader pass the message on. Hoaxes cause no
damage in themselves, but their distribution by well-meaning users often causes
fear and uncertainty.
Most anti-virus vendors include hoax information on their web sites and it is
always advisable to check before forwarding warning messages.
Hosts file
The hosts file is a sort of ‘mini DNS server’ on every Microsoft® Windows®
system. When a user types a URL into the web browser, the browser checks the

27. local hosts file to see if the requested domain name is listed there, before it looks
for a DNS server. This is very efficient: if the web browser finds a match in the
hosts file, it doesn’t need to go looking on the Internet for a DNS server.
Unfortunately, writers of malicious code, ‘spyware’ or phishing scams can tamper
with the data stored in the hosts file. For example, a malware author might redirect all search requests (through Google, Yahoo, etc.) simply by editing the
hosts file: listing these domain names but matching them to the IP address of a
web site containing malicious code. Or a worm might prevent anti-virus programs
from updating themselves by matching anti-virus domain names in the hosts file
to the IP address of the victim machine.
Hot spot
Synonyms: Wireless access point
A hot spot provides access to a wireless network. Hot spots are now common in
businesses, homes, hotels, airports and even fast food outlets.
HTML [Hypertext Markup Language]
HTML comprises the set of codes used in a file that enables specified data (also
known generically as ‘web content’) to be displayed on a web page. These codes
(also known as ‘tags’) specify how a web browser should display text, graphics,
video and sound. In general, web browser developers adhere to the standard set by
the World Wide Web Consortium [W3C], although some also make use of
additional codes.
HTTP [Hypertext Transfer Protocol]
HTTP is the protocol used for transferring data (including text, graphics, video
and sound) across the World Wide Web. This data is stored in web pages, on a
web server. When an HTTP request is sent to the server from a web browser, the
server delivers the data (also known generically as ‘web content’) to the
requesting computer. The request for data is made by typing the URL into the web
browser, or by clicking on a hyperlink (or link for short): this link may be

28. specified on a web page or in a piece of text in a document, spreadsheet, etc. The
URL forms the address of the content on the Internet.
I
ICQ
ICQ [‘I Seek You’] is a specific implementation of IM [Instant Messaging].
IDS [Intrusion Detection Systems]
Synonyms: Intrusion detection, IPS [Intrusion Prevention Systems]
Intrusion detection is designed to prevent an attack on a computer system by
analyzing traffic into, and through, a network.
Originally, intrusion detection was restricted to information gathering: the IT
administrator was required to assess the data and take any remedial action
required to secure the system. These days, IDS applications often provide an
automated response to attacks based on a set of pre-defined rules. This is referred
to as IPS [Intrusion Prevention Systems] and may be seen as a development of
behavioral analysis.
IDS (and IPS) fall into two categories. ‘Host-based’ systems are designed to
protect individual computers and typically employ behavioral analysis to detect
malicious code. They do this by monitoring all calls made to the system and
matching them against policies based on ‘normal’ behavior. Such policies can be
quite granular, since behavior may be applied to specific applications. In this way,
activity such as opening ports on the system, port scanning, attempts to escalate
privileges on the system and injection of code into running processes can be
blocked as ‘abnormal’ behavior. Some systems supplement behavioral analysis
using signatures of known hostile code.
‘Network-based’ systems are deployed inline to protect each network segment.
They filter packets for malicious code, looking for ‘abnormal’ bandwidth usage or

29. for non-standard traffic (such as malformed packets). Network-based systems are
particularly useful for detecting DoS attacks, or the traffic generated by network
worms.
IM [Instant Messaging]
IM is a generic term that describes a system that allows users to see if a contact is
online and communicate with them in real time, over the Internet. IM may be textonly, although some IM systems support HTML or file sharing.
Examples of IM implementations are AIM, ICQ, IRC and MSN Messenger.
IMAP [Internet Message Access Protocol]
IMAP is a protocol for receiving e-mail. IMAP is useful where e-mail is stored on
a remote server and then forwarded to the user. This is useful, for example, where
a home user connects to the Internet through an ISP and downloads e-mail
periodically. In this case, SMTP is used to send e-mail across the Internet to the
ISP, while IMAP is used to download the e-mail from the ISP.
IMAP is similar to, but more sophisticated than, POP3.
Internet
The Internet (sometimes referred to simply as ‘the net’) is a global system of
connected networks.
The Internet developed out of ‘ARPANET’, set up in 1969 by the US government
agency ARPA [Advanced Research Projects Agency] to provide a network of
computers that would connect various academic and research organizations.
Today the Internet is the sum total of the countless computers around the world
that connect to each other using the public telecommunications infrastructure. The
‘glue’ that holds the Internet together is TCP/IP [Transmission Control
Protocol/Internet Protocol]. ‘TCP’ splits data into packets for transmission across

30. the Internet and re-assembles them at the other end. ‘IP’ addresses the packets to
the right location.
Sitting on top of TCP/IP are other protocols that provide specific functions to
users on the Internet. These include FTP (for file transfer) SMTP (for e-mail) and
HTTP (for transferring data across the World Wide Web).
IP address
An IP [Internet Protocol] address is a 32-bit number used to identify a computer
sending or receiving packets across the Internet. The number, normally expressed
as four numbers separated by full stops (each representing eight bits) identifies the
network on the Internet and the host machine within that network. Of course, few
of us can easily remember long numbers so, to make things easier, we use domain
names that map to each IP address. The domain name ‘kaspersky.com’, for
example, maps to the IP address ‘81.176.69.70’.
IRC [Internet Relay Chat]
IRC is a specific implementation of IM [Instant Messaging].
ISP [Internet Service Provider]
ISPs provide users and organizations with access to the Internet. The ISP typically
has what’s known as a ‘point of presence’ on the Internet: they have the
equipment necessary to provide Internet access to many users and a dedicated IP
address. Some ISPs rely on the infrastructure of telecoms providers, other have
their own dedicated leased lines. Increasingly, ISPs provide value-add services
along with Internet access: such as anti-virus and anti-spam filtering.
J
JavaScript

31. Java Script is a script language developed by Netscape®. Like VBS, JavaScript is
often used in the development of web pages. For specific tasks, it’s often easier to
write a script than to use a formal programming language like ‘C’ or ‘C++’.
However, as with a formal program, it’s also possible to use JavaScript to create
malicious code. Since a script can be easily embedded in HTML, a virus author
can embed a malicious script within an HTML e-mail: and when the user reads
the e-mail, the script runs automatically.
Joke program
Joke programs are not harmful, but do something that the author considers to be
funny. This often includes behavior that simulates the destructive effects of
malicious code: for example, displaying a message telling the user that their hard
drive is being formatted.
Junk e-mail (Spam)
Synonyms: UCE [Unsolicited Commercial E-mail]
Spam is the name commonly given to unsolicited e-mail. It is effectively
unwanted advertising, the e-mail equivalent of physical junk mail delivered
through the post or from unsolicited telemarketing calls.
K
Kernel
The term kernel refers to the core of an operating system that supports all other
operations. By contrast, the term shell is used to describe the user interface.
Keylogger
Synonyms: Keystroke logger
A keylogger can be used by a third-party to obtain confidential data (login details,
passwords, credit card numbers, PINs, etc.) by intercepting key presses. Backdoor
Trojans typically come with a built-in keylogger; and the confidential data is

32. relayed to a remote hacker to be used to make money illegally or gain
unauthorized access to a network or other company resource.
Kilobyte
A kilobyte [KB] is a unit of measurement for computer storage and is equivalent
to 1,024 bytes.
L
Link virus
Viruses are often classified according to the technique they use to infect. A link
virus, as the name suggests, does not add its code directly to infected files.
Instead, it spreads by manipulating the way files are accessed under the FAT file
system.
When an infected file is run, the virus goes memory resident and a writes a
(typically hidden) file to the disk: this file contains the virus code. Subsequently,
the virus modifies the FAT to cross-link other files to the disk sector containing
the virus code. The result is that whenever the infected file is run, the system
jumps first to the virus code and runs it.
The cross-linking is detectable if the CHKDSK program is run, although a virus
could use stealth to conceal the changes if the virus was in memory (in other
words, if the user did not boot from a clean system disk).
M
Macro virus
Viruses are often classified according to the objects they infect. Macro viruses, as
the name suggests, are designed to add their code to the macros associated with
documents, spreadsheets and other data files.

33. The first macro virus, called Concept, appeared in July 1995 and macro viruses
subsequently became the dominant type of virus. There were three major reasons
for this. First, they were the first type of virus to deliberately add their code to
data files: this meant they weren’t just reliant on the exchange of floppy disks or
programs. Second, they were very easy for would-be virus authors to write (or
copy), so a new macro virus spawned many new variants. Third, they ‘cashed-in’
on the emergence of e-mail as a key business tool, so that infected users
inadvertently spread them quicker than any other type of virus had spread before.
The vast majority of macro viruses were designed to spread on the back of
Microsoft® Office data files (Word, Excel, Access, PowerPoint and Project),
although there were a few ‘proof-of-concept’ macro viruses for other formats
(Lotus AmiPro®, for example).
Macro viruses dominated the scene until the appearance of the first ‘mass-mailers’
early in 1999.
Malicious code
Malicious code refers to any program that is deliberately created to perform an
unauthorized, often harmful, action.
Malware
Synonyms: Malicious software
Malware (short for malicious software) refers to any program that is deliberately
created to perform an unauthorized, often harmful, action.
Mass-mailer
Mass-mailing refers to the technique, used by many worms, of ‘hijacking’ the email system to send malicious code automatically to e-mail addresses harvested
from an already infected computer.

34. MBR [Master Boot Record]
Synonyms: Partition sector
The MBR is the first sector on a hard disk and contains the partition table, which
holds information on the number of partitions, their size and which one is ‘active’
(i.e. which one contains the operating system used to boot the machine).
Megabyte
A megabyte [MB] is a unit of measurement for computer storage and is equivalent
to a thousand kilobytes, or 1,048,576 bytes.
Modem
A modem converts digital signals from a computer into to analog signals that can
be transferred across a standard telephone line and vice versa.
The capacity of modems has increased considerably in recent years from
14.4Kbps (Kilobits per second), to 28.8Kbps, to 56Kbps.
However, even higher capacity can be achieved using a digital IDSL [Integrated
Services Digital Network] adaptor (up to 128Kbps) or a broadband connection
(these days measured in Mbps).
MS-DOS
Short for Microsoft® Disk Operating System, MS-DOS was a command line
driven operating system developed for the PC. MS-DOS 1.0 was released ion
1981 and the final version, MS-DOS 6.22, was released in 1994. Microsoft®
Windows® also provides command line access through its Command Prompt.
MSN Messenger
MSN Messenger is a specific implementation of IM [Instant Messaging].
Multipartite

35. Multipartite viruses are those that use multiple attack methods. In the days when
MS-DOS was the primary PC operating system, the term multipartite was used to
describe viruses that infected programs and system sectors.
N
Network
A network is a group of computers that are connected with each other and able to
send and receive data. The computers within a network are sometimes referred to
as ‘nodes’ or ‘workstations’ and the way they are connected to each other is
referred to as the network’s ‘topology’.
A typical type of network is the LAN [Local Area Network], where all nodes are
connected to a dedicated server used for disk storage and shared applications.
Some smaller organizations, by contrast, may have a peer-to-peer network: in this
case, all computers on the network are connected to each other, but there is no
dedicated server.
In larger organizations, which may be geographically dispersed, several LANs (at
each physical site, for example) may be connected to a WAN [Wide Area
Network], often using the public telecommunications infrastructure.
The Internet can be seen as a ‘super network’ that uses public telecommunications
infrastructure to combine countless individual networks through the common use
of the TCP/IP protocol.
NTFS [New Technology File System]
NTFS is the file system used by Microsoft® Windows® NT, Windows® 2000
and Windows® XP. It was developed after the FAT file system implemented in
MS DOS and provides more efficient and secure methods for storage and retrieval
of files (including support for very large files, integrated file compression, a more
efficient directory system and access control for specific files). By contrast with

36. the FAT system, information about each file is stored in the clusters belonging to
that file (although there is also a MTF [Master File Table] that keeps track of all
the clusters on the disk).
O
Open relay
The term open relay is applied to an SMTP server that is set up to process e-mail
from an unknown sender, even if it is not intended for a recipient within the
organization. The open relay acts as a sort of ‘blind go-between’, routing all email regardless of its source or destination.
Using tools that are easily available on the Internet, spammers are able to use open
relays to deliver large volumes of spam while covering their tracks. Since the email they send out is routed through the SMTP server of a legitimate organization,
it looks like it has come from a legitimate source.
Open source software
Open source software is software that is developed, maintained and distributed
freely, based on open collaboration between programmers. As the name suggests,
the source code for the operating system or application is published openly.
Various Unix-based operating systems have been developed on the open source
principle.
Operating system
An operating system (sometimes abbreviated as OS) is the collection of programs
that loads when a computer boots and subsequently manages the operation of all
other functions on the computer. This includes access to the computer’s hardware,
use of the computer’s processor, memory management, etc.
Examples of operating systems are MS-DOS, Windows® XP, Linux, NetWare®,
etc.

37. Overwriting virus
Viruses are often classified according to the technique they use to infect. An
overwriting virus, as the names suggests, completely replaces the code in the
infected file with its own. Of course, the original program no longer runs, so the
infection becomes obvious. For this reason, overwriting viruses have never been
successful at spreading in the field.
P
Peer-to-peer
Synonyms: P2P
The term ‘peer-to-peer’ can be applied to a network system in which there is no
dedicated network server and in which each machine has both server and client
capabilities.
Today, the term P2P is more commonly applied to a temporary connection shared
by users running the same application, allowing them to share files on each
other’s computers (typically to share music or other multimedia files over the
Internet, as with Napster, Gnutella and Kazaa).
Packet
A packet is a unit of data transferred between two points on the Internet. When
data is sent across the Internet (an e-mail message, for example), it is divided into
convenient sections. Each of these packets may travel via different routes, to be
re-assembled at their destination.
Partition
A partition is a logical division of a hard disk into several sections, allowing the
user to install different operating systems on the same hard disk. Partitions are
created using the FDISK.EXE program. Information on the number of partitions,

38. their size and which one is ‘active’ (i.e. which one contains the operating system
used to boot the machine) is stored within the MBR, in the partition table.
PSW Trojans
Synonyms: Password-stealing Trojans
These Trojans are designed to steal passwords from the victim machine (although
some steal other types of information also: IP address, registration details, e-mail
client details, and so on). This information is then sent to an e-mail address coded
into the body of the Trojan. The first PSW Trojans were AOL password stealing
Trojans: and they are so numerous that they form a specific subset of PWS
Trojans.
Patch
Synonyms: Service pack, Maintenance pack
A patch provides additional, revised or updated code for an operating system or
application. Except for open source software, most software vendors do not
publish their source code: so patches are normally pieces of binary code that are
‘patched’ into an existing program (using an install program).
The term ‘patching’ refers to the process of downloading and installing additional
code supplied by an application vendor. However, the terms used may vary.
Typically, a minor fix is referred to as a patch, while a significant fix is referred to
as a Maintenance Pack or Service Pack.
Patching has become an integral part of computer security, since vulnerabilities in
popular operating systems and applications are among the primary targets for
virus writers and hackers. It is crucial to patch in a timely manner. During recent
years, the time-lag between the discovery of a vulnerability and the creation of
exploit code that makes use of it has diminished. The worse-case scenario, of
course, is a so-called ‘zero-day exploit’, where an exploit appears immediately
after a vulnerability has been discovered. This leaves almost no time for a vendor
to create a patch, or for IT administrators to implement other defensive measures.

39. Payload
In the world of malicious code, the term payload is used to describe what a virus,
worm or Trojan has been coded to do to a victim machine. For example, a virus
could be designed to display a message on the screen on a particular day of the
week, or erase all EXE files on a given day, or ... anything else that software can
be coded to do. In fact, many viruses contain no payload at all. That’s not to say
that they will have no adverse effect on an infected system. Many viruses are
poorly written and may interfere with other programs running on the machine.
They may also cause unintended side-effects if they are run in an environment
they were not ‘designed’ for.
PDA [Personal Digital Assistant]
PDA is the term given to small handheld computers that provide many of the
functions of a standard PC, including e-mail, web browser, calendar (and other
personal information) functions, network access, synchronization between the
PDA and a PC. Increasingly, PDA functions are becoming combined with those
of a wireless phone in a smartphone.
Phishing
Phishing is a form of cyber crime based on social engineering techniques. The
name ‘phishing’ is a conscious misspelling of the word 'fishing' and involves
stealing confidential data from a user’s computer and subsequently using the data
to steal the user’s money.
The cyber criminal creates an almost 100% perfect replica of a financial
institution or online commerce web site. He then tries to lure unsuspecting users
to the site to enter their login, password, credit card number, PIN, etc. into a fake
form. This data is collected by the phisher who later uses it to access users’
accounts fraudulently.

40. Some financial institutions now make use of a graphical keyboard, where the user
selects characters using a mouse, instead of using a physical keyboard. This
prevents collection of confidential data by phishers who trap keyboard input, but
is of no avail against so-called ‘screenscraper’ techniques: where a Trojan that
takes a snapshot of the user’s screen and forwards it to the server controlled by the
Trojan author or ‘master’.
There are several different ways of trying to drive users to a fake web site.
Spam e-mail, spoofed to look like correspondence from a legitimate financial
institution.
Hostile profiling, a targeted version of the above method: the cyber criminal
exploits web sites that use e-mail addresses for user registration or password
reminders and directs the phishing scam at specific users (asking them to confirm
passwords, etc.).
Install a Trojan that edits the hosts file, so that when the victim tries to browse to
their bank’s web site, they are re-directed to the fake site.
Pharming, also known as DNS poisoning.
‘Spear phishing’, an attack on a specific organization in which the phisher simply
asks for one employee’s details and uses them to gain wider access to the rest of
the network.
Polymorphism
The term ‘polymorphic’ comes from the Greek for ‘many forms’. Polymorphic
viruses are variably-encrypted. They try to evade detection by changing their
‘shape’ with each infection, so there’s no constant sequence of bytes for an antivirus program to search for. As a result, anti-virus programs must use various
other techniques to identify and remove polymorphic viruses, including emulating
the code, or using mathematical algorithms to ‘see through’ the code.
POP3 [Post Office Protocol 3]
POP3 is a protocol for receiving e-mail. POP3 is useful where e-mail is stored on
a remote server and then forwarded to the user. This is useful, for example, where

41. a home user connects to the Internet through an ISP and downloads e-mail
periodically. In this case, SMTP is used to send e-mail across the Internet to the
ISP, while POP3 is used to download the e-mail from the ISP.
Many e-mail client applications (Microsoft® Outlook®, for example) and web
browsers (Internet Explorer, for example) support POP3.
Pornware
‘Pornware’ is the generic term used by Kaspersky lab to describe malware-related
programs that either use the computer’s modem to connect to pornographic payto-view services, or download pornographic content from the web, without the
consent of the user.
Port
Synonyms: TCP/IP port
In computing, ports are connection points.
They may be physical connection points, as in the COM (or serial) and parallel
ports used by physical input or output devices. Before the advent of USB ports,
monitor, keyboard, mouse and modem typically used a COM port (where data is
transferred ‘serially’, one bit at a time), while printers typically used a parallel
port (where data is transferred ‘in parallel’, eight bits at a time). Today, most
computers are equipped with a number of USB ports. USB allows up to 127
devices to connect to a single computer and allows for rapid transfer of data.
They may also be logical connection points for data transferred via TCP/IP or
UDP networks. Some port numbers are reserved: port 80, for example, is reserved
for the HTTP service. Others are assigned dynamically for each connection. Ports
are used by authors of malicious code to transfer data from a victim machine to
the ‘master’, or to download additional malicious.
Port scanning

42. Port scanning is the process of sending messages to ports on a computer to see
what response comes back: the response indicates whether or not the port is being
used and may be vulnerable to attack.
Program
Synonyms: Executable file
Programs (also known as executables) contain binary code in a form that is ready
to be run on a computer. Programs are written using a computer language (‘C’ or
‘C++’, for example), where the programmer writes the language-specific
instructions using a text editor: this is known as source code. The source code is
then compiled into instructions that can be interpreted by the computer.
The most common file extension for programs in a Microsoft® Windows®
environment is EXE, but there are other files that contain program code, including
COM and DLL. Batch files (which have the extension BAT) are themselves text
files, but they contain a list of instructions for the computer to carry out
unattended.
Proxy server
A proxy server stands between users on a network and the Internet. When a user
requests a web page through their browser, the request goes through the proxy
server. The proxy server checks its cache, to see if the page has been requested
before: if it has, there’s no need for the proxy server to access the Internet, so the
user gets quicker access to cached pages.
Many organizations install a proxy server at the Internet gateway, on the same
computer as its firewall.
PSW Trojans
Synonyms: Password-stealing Trojans
These Trojans are designed to steal passwords from the victim machine (although
some steal other types of information also: IP address, registration details, e-mail

43. client details, and so on). This information is then sent to an e-mail address coded
into the body of the Trojan. The first PSW Trojans were AOL password stealing
Trojans: and they are so numerous that they form a specific subset of PWS
Trojans.
R
RAM [Random Access memory]
Synonyms: Memory
RAM is used by the operating system and other software to hold data that is
currently being used. Applications and data held on the hard disk or removable
media are loaded into RAM before being processed. It’s faster to read from, and
write to, RAM than a hard disk or removable media. However, RAM can be used
only for temporary storage: it is cleared whenever the PC is switched off.
Registry key
Synonyms: System registry key, Key
In Microsoft® Windows®, registry keys are used to store configuration
information: the value of a relevant key is changed every time a program is
installed or when its configuration settings have been modified.
Many malicious programs change key values, or create new ones, to ensure that
their code runs automatically: in addition, they can have an adverse effect on
legitimate programs.
Riskware
‘Riskware’ is the generic term used by Kaspersky Lab to describe programs that
are legitimate in themselves, but that have the potential for misuse by cyber
criminals: for example, remote administration utilities. Such programs have
always had the potential to be misused, but they now have a higher profile. During
the last few years, there has been a fusion of ‘traditional’ virus techniques with

44. those of hackers. In the changing climate, such ‘riskware’ programs have come in
to their own as a means of controlling machines for malicious purposes.
Rootkit
A rootkit is a collection of programs used by a hacker to evade detection while
trying to gain unauthorized access to a computer. This is done either by replacing
system files or libraries, or by installing a kernel module. The hacker installs the
rootkit after obtaining user-level access: typically this is done by cracking a
password or by exploiting a vulnerability. This is then used to gather other user
IDs until the hacker gains root, or administrator, access to the system.
The term originated in the Unix world, although it has since been applied to the
techniques used by authors of Windows-based Trojans to conceal their activities.
Rootkits have been used increasingly as a form of stealth to hide Trojan activity,
something that is made easier because many Windows users log in with
administrator rights.
Router
A router is a device, located at the point where one network meets another, that
decides the next point to which a network packet should be passed on its way to
its final destination.
S
Sandbox
In the context of computer security, a sandbox provides a tightly-controlled
environment in which semi-trusted programs or scripts can be safely run in
memory (or with limited access to the local hard disk). The sandbox concept can
be implemented in a web browser, to safeguard the user from potentially harmful
content, or it can be used as a method for analyzing programs in order to
determine if they are safe or harmful.

45. SDK [Software Development Kit]
A SDK is a set of routines, modules and protocols that can be used to access a
program’s functionality, through its Application Program Interface [API].
Although these two terms are distinct, they are often used interchangeably. An
anti-virus engine SDK provides the tools necessary for third parties to integrate
anti-virus scanning into their application or business process.
Sector
Synonyms: Disk sector
A sector is an area on a PC disk (hard disk or floppy disk) used to store data.
Sectors, which resemble the slices of a cake, are laid down on the disk when it is
prepared for use, or formatted. The size of each sector varies depending on the
operating system and is defined in the disk’s boot sector.
A disk is also divided into cylinders (or tracks) and heads (or sides). Data on a
disk is accessed, at a low-level, according to its cylinder, head and sector number.
Of course, the user doesn’t need to worry about this low-level information, since
the operating system handles the storage and retrieval of data in a user-friendly
way.
Shell
The term shell describes the user interface of an operating system, used to launch
programs and give other commands. By contrast, the term kernel refers to the core
of the operating system that supports all other operations.
Smartphone
The term ‘smartphone’ is generally applied to a mobile device that combines the
functions of a wireless phone with functions more typically associated with a
PDA. These include wireless e-mail access, wireless access to online banking and
other web browsing capabilities, wireless access to a network, calendar (and other
personal information) functions, wireless and wired synchronization between the

46. device and a PC. Symbian OS and Windows® CE are the most common operating
systems installed on smartphones.
SMTP [Simple Mail Transfer Protocol]
SMTP is a protocol for sending e-mail across the Internet. While any individual
organization may implement a specific application for handling e-mail internally
(Microsoft® Exchange, Lotus Domino®, etc.), SMTP is the common format into
which all messages are converted before being sent over the Internet.
In situations where e-mail is stored on a remote server and then forwarded to the
user (where a home user connects to the Internet through an ISP and downloads email periodically, for example), POP3 or IMAP protocols are often used also.
Social engineering
Social engineering refers to a non-technical breach of security that relies heavily
on human interaction, i.e. tricking end users into breaking normal security
measures.
Virus writers and spammers alike depend heavily on disguising malware and
spam as innocent messages or software, which may even pretend to be fighting
against the very form of cyber crime that is about to be committed. The objective
is to get the user to respond: click on an infected e-mail attachment, click on a link
to a compromised web site, or respond to a fake unsubscribe notice ... the list is
endless.
Software
The general term used for programs that run on a computer. This includes system
software (related to the operating system) and application software used to carry
out specific tasks (word processors, spreadsheet software, etc.).
Stealth

47. Stealth is the term used to describe techniques used to make a virus inconspicuous
– that is, to conceal any changes a virus makes to the infected system.
Stealth virus
Stealth viruses attempt to evade antivirus scanners by presenting clean data when
queried by an antivirus product. Some of these viruses display a clean version of
the infected file during scans. Other stealth viruses hide the new size of the
infected file and display the pre-infection size.
System files
System files are operating system files, used to carry out basic functions on a
computer.
System registry
Synonyms: Windows registry
The Windows system registry is a database used by all modern Windows
platforms. This database contains the information needed to configure the system.
Windows constantly refers to the registry for information ranging from user
profiles, to which applications are installed on the machine, to what hardware is
installed and which ports are registered.
Registry keys replace .ini files in previous version of Windows. The registry data
is stored as binary code.
T
TCP/IP [Transmission Control Protocol/Internet Protocol]
TCP/IP is the protocol that is used by the countless computers around the world
that connect to each other through the Internet. ‘TCP’ splits data into packets for
transmission across the Internet and re-assembles them at the other end. The ‘IP’
part of the protocol is responsible for addressing the packets to the right location.

48. Terabyte
A terabyte [TB] is a unit of measurement for computer storage and is equivalent
to a thousand gigabytes.
Trojan
Synonyms: Trojan horse
The term Trojan is taken from the wooden horse used by the Greeks to sneak
inside the city of Troy and capture it. The first Trojans, which appeared in the late
1980s, masqueraded as innocent programs. Once the unsuspecting user ran the
program, the Trojan would deliver its harmful payload. Hence the copy-book
definition of a Trojan as a non-replicating program that appears to be legitimate
but is designed to carry out some harmful action on the victim computer.
One of the key factors distinguishing Trojans from viruses and worms is that they
don’t spread by themselves. In the early days of PC malware, Trojans were
relatively uncommon since the author had to find some way of distributing the
Trojan manually. The widespread use of the Internet and the development of the
Word Wide Web provided an easy mechanism for distributing Trojans far and
wide.
Today, Trojans are very common. They typically install silently and carry out
their function(s) invisible to the user.
Like viruses and worms, Trojans are often sub-divided into different categories
based on their function.
- Backdoor Trojans provide the author or ‘master’ of the Trojan with remote
‘administration’ of victim machines.
- PSW Trojans steal passwords from victim machines (although some steal other
types of information also: IP address, registration details, e-mail client details, and
so on).

49. - Trojan Clickers re-direct victim machines to a specified web site, either to raise
the ‘hit-count’ of a site, or for advertising purposes, or to organize a DoS attack on
a specified site, or to direct the victim to a web site containing other malicious
code.
- Trojan Droppers and Trojan Downloaders install malicious code on a victim
machine, either a new malicious program or a new version of some previously
installed malware.
- Trojan Proxies function as a proxy server and provide anonymous access to the
Internet: they are commonly used by spammers for large-scale distribution of
spam e-mail.
- Trojan Spies track user activity, save the information to the user’s hard disk and
then forward it to the author or ‘master’ of the Trojan.
- Trojan Notifiers inform the author or ‘master’ that malicious code has been
installed on a victim machine and relay information about the IP address, open
ports, e-mail address and so on.
- Archive bombs are designed to sabotage anti-virus programs. They take the form
of a specially constructed archive file that ‘explodes’ when the archive is opened
for scanning by the anti-virus program’s de-compressor. The result is that the
machine crashes, slows down or is filled with garbage data.
Trojan Clickers
Trojan Clickers re-direct victim machines to a specified web site. This is done
either to raise the ‘hit-count’ of a site, for advertising purposes, or to organize a
DDoS attack on a specified site, or to direct the victim to a web site containing
other malicious code (another Trojan, for example). The Trojan does this either by
sending commands to the web browser or by simply replacing system files that
contain URLs (the Windows® ‘hosts file’, for example).
Trojan Downloaders
These Trojans (like Trojan Droppers) are used to install malicious code on a
victim machine. However, they can be more useful to malware authors. First,
Downloaders are much smaller than Droppers. Second, they can be used to

50. download endless new versions of malicious code, adware or ‘pornware’
programs. Like Droppers, Downloaders are also typically written in script
languages such as VBS or JavaScript. They also often exploit Microsoft® Internet
Explorer vulnerabilities.
Trojan Droppers
The purpose of Trojan Droppers, as the name suggests, is to install malicious code
on a victim machine. They either install another malicious program or a new
version of some previously installed malware. Trojan Droppers often carry several
completely unrelated pieces of malware that may be different in behavior or even
written by different coders: in effect, they’re a kind of malware archive containing
many kinds of different malicious code. They may also include a joke or hoax, to
distract the user from the real purpose of the Dropper, the background installation
of malicious code, or adware or ‘pornware’ programs. Droppers are often used to
carry known Trojans, since it is significantly easier to write a dropper than a brand
new Trojan that anti-virus programs will not be able to detect. Most droppers are
written using VBS or JavaScript: they are, therefore, easy to write and can be used
to perform multiple tasks.
Trojan Notifiers
The purpose of these Trojans is to inform the author or ‘master’ that malicious
code has been installed on the victim machine and to relay information about the
IP address, open ports, e-mail address and so on. Trojan Notifiers are typically
included in a Trojan ‘pack’ that contains other malware.
Trojan Proxies
These Trojans function as a proxy server and provide anonymous access to the
Internet: they are commonly used by spammers for large-scale distribution of
spam e-mail.
Trojan Spies

51. Trojan Spies, as the name suggests, track user activity, save the information to the
user’s hard disk and then forward it to the author or ‘master’ of the Trojan. The
information collected includes keystrokes and screen-shots, used in the theft of
banking data to support online fraud.
U
UDP [User Datagram Protocol]
UDP is a protocol used to transfer data (in the form of ‘datagrams’) across the
Internet. Unlike TCP/IP, UDP doesn’t split up messages and re-assemble them at
the other end. It is useful for sending small amounts of data, since it saves
processing time that would be used to re-assemble packets.
Unicode
Unicode, used in Microsoft® Windows® NT, Windows 2000 and Windows XP,
succeeded ASCII as a means of using binary codes to represent text characters
used in the world’s principal languages.
Unix
The Unix operating system originated at AT&T’s Bell Labs in 1969. Unix is an
open source operating system. Since it is not owned by a single vendor, many
different Unix versions have been developed since its creation (including Unixderivative operating systems like Linux). The Open Group holds the ‘Single
UNIX Specification’ and the UNIX® trademark and certifies different Unix
implementations.
Upload
Where a file is transferred from one computer to another, the sender is said to
upload the file. For example, anti-virus updates are uploaded by an anti-virus
vendor to their server, to make them available for users of their software.
URL [Universal Resource Locator]

52. The URL specifies the address of a piece of content on the World Wide Web. The
request is made by typing the URL into the web browser, or by clicking on a
hyperlink (or link for short): this link may be specified on a web page or in a piece
of text in a document, spreadsheet, etc.
USB [Universal Serial Bus]
USB provides a ‘plug-and-play’ standard for connecting many peripheral devices
to a computer simultaneously, without the need for a specific device adapter card
for each device. USB allows up to 127 devices to connect to a single computer
and allows for rapid transfer of data.
USB 1.1 (the original USB specification, developed by Compaq, IBM, DEC,
Intel, Microsoft and Northern Telecom) supports data speeds of up to 12Mbps.
USB 2.0 (developed by Compaq, Hewlett Packard, Intel, Lucent, NEC and
Philips) supports data transfer speeds of up to 480Mbps.
V
Variant
The term variant refers to a modified version of an existing piece of malicious
code. Virus writers are often quick to create new versions of a virus, worm or
Trojan that has been ‘successful’, or if the source code for the malware has been
published.
VBS [Visual Basic Script]
VBS is a script language developed by Microsoft®. Like JavaScript is often used
in the development of web pages. For specific tasks, it’s often easier to write a
script than to use a formal programming language like ‘C’ or ‘C++’.
However, as with a formal program, it’s also possible to use VBS to create
malicious code. Since a script can be easily embedded in HTML, a virus author

53. can embed a malicious script within an HTML e-mail: and when the user reads
the e-mail, the script runs automatically.
Virus
Synonyms: Computer virus, Malicious program, Classic virus
Today the term virus is often loosely used to refer to any type of malicious
program, or is used to describe any ‘bad thing’ that a malicious program does to a
host system. Strictly speaking, however, a virus is defined as program code that
replicates.
Of course, this simple definition leaves plenty of scope for further sub-division.
Sometimes viruses are further classified by the types of object they infect. For
example, boot sector viruses, file viruses, macro viruses.
Or they may be classified by the method they use to select their host. ‘Indirect
action file viruses’ load into memory and hook into the system such that they can
infect files as they are accessed. Conversely, ‘direct action file viruses’ do not go
memory resident, simply infecting a file (or files) when an infected program is run
and then ‘going to sleep’ until the next time an infected file is run.
Another way of classifying viruses is by the techniques they use to infect. There
are ‘appending viruses’ that add their code to the end of a host file, ‘prepending
viruses’ that put their code at the start of a host file and overwriting viruses that
replace the host file completely with their own code. By contrast, companion
viruses and link viruses avoid adding code to a host file at all.
Then there are stealth viruses that manipulate the system to conceal changes they
make and polymorphic viruses that encrypt their code to make it difficult to
analyze and detect.
Of course, there are also viruses that fail to work: they either fail to infect or fail
to spread. Such would-be viruses are sometimes referred to as ‘wanabees’.

54. Virus definition
Synonyms: Virus signature
Virus definitions (or signatures) contain a unique sequence of bytes used by an
anti-virus program to identify each piece of malicious code. Signature analysis is
one of the key methods used to find and remove malicious code.
VoIP [Voice over IP]
VoIP is a technology that lets subscribers to the VoIP service make telephone
calls using a computer network that supports IP [Internet Protocol]. VoIP converts
the analog signal used in a converntional telephone, into a digital signal that can
be carried over the Internet in packets (and converts it back again at the other
end).
This means that users with a broadband Internet connection can replace their
existing telephone connection with VoIP. Some VoIP services only allow
telephone calls to people using the same service. Others allow calls to any
number. Some VoIP services work just through the computer. Others require a
special VoIP telephone or a VoIP adapter fitted to a conventional telephone.
VPN [Virtual Private Network]
A VPN is used to provide remote users with secure access to the private network
of a corporation or other organization, over the Internet (rather than using an
expensive dedicated leased line). Privacy is maintained by implementing
encryption and other security features, preventing unauthorized access to the
private network.
Vulnerability
A vulnerability is a bug or security flaw in an application or operating system that
provides the potential for a hacker or virus writer to gain unauthorized access to,
or use of, a user’s computer. The hacker does this by writing specific exploit code.

55. Once a vulnerability has been discovered (either by the developer of the software
or someone else) the vendor of the application typically creates a ‘patch’ or ‘fix’
to block the security hole. As a result, vendors, security experts and virus writers
are engaged in a never-ending race to find vulnerabilities first.
During recent years, the time-lag between the discovery of a vulnerability and the
creation of exploit code that makes use of it has diminished. The worse-case
scenario, of course, is a so-called ‘zero-day exploit’, where the exploit appears
immediately after the vulnerability has been discovered. This leaves almost no
time for a vendor to create a patch, or for IT administrators to implement other
defensive measures.
W
War chalking
War chalking refers to the act of walking round a city or town to locate wireless
access points, or ‘hot spots’, in order to gain unauthorized access to unsecured
wireless networks. It is so-called from the act of indicating the hot-spot using a
chalk mark.
War driving
War driving refers to the act of driving round a city or town to locate wireless
access points, or ‘hot spots’, in order to gain unauthorized access to unsecured
wireless networks. The specific process of mapping Bluetooth devices is referred
to as ‘war nibbling’.
Web browser
A web browser is an application that lets a user access and display content from
the World Wide Web.
Whitelist

56. Used as one method of filtering spam, a whitelist provides a list of legitimate email addresses or domain names: all messages from whitelisted addresses or
domains are automatically passed through to the intended recipient.
WiFi
Synonyms: Wireless network
WiFi (short for ‘wireless fidelity’) is the name commonly given to wireless
networks that conform to the 802.11 specification laid down by IEEE [Institute of
Electrical and Electronic Engineers]. WiFi provides for fast data transfer rates (up
to 11Mbs) and has become increasingly popular in recent years. Today, many PCs
and mobile devices are fitted with wireless cards that enable them to connect to a
wireless network. WiFi has become a more common way of connecting to a
network and wireless access points, or ‘hot spots’, can be found in businesses,
homes, hotels, airports and even fast food outlets.
By design, no wires are required to connect to a wireless network. If the wireless
network is unsecured, it can be accessed easily by hackers or other users wishing
to obtain free Internet access: so-called ‘war driving’ or ‘war chalking’.
WildList
The WildList was established in July 1993 by anti-virus researcher Joe Wells, was
subsequently published monthly by the WildList Organization and is now
published by ICSA Labs (part of TrueSecure Corporation). It aims to keep track
of which viruses are spreading in the real world (the WildList FAQ cites the
WildList as ‘the world’s authority on which viruses users should really be
concerned with’).
Detection of 'in the wild' viruses, as defined by the WildList, has become the de
facto measure by which anti-virus products are judged. Fee-based anti-virus
certification tests, most notably ICSA Labs. and West Coast Labs, are based on
detection of WildList samples. In addition, the Virus Bulletin ‘VB100%’ is
awarded on the basis of a product's ability to detect WildList viruses.

57. However, in today’s wired world, there’s a higher risk of being hit by new
malware, with around 80% of new malicious programs being found in the field,
not just in so-called ‘zoo’ collections. As a result, the WildList has become
somewhat outmoded as a measure of the real threat.
World Wide Web
The World Wide Web (or WWW for short) was developed by Tim Berners-Lee, a
British software consultant who was looking for a way to track associations
between pieces of information using a computer (much like a thesaurus does
manually). His initial program for doing this was called ‘Enquire’, developed in
the 1980s.
He subsequently developed the idea, and the standards, to allow the sharing of
data across the Internet. He created HTML as the standard method for coding web
content. He designed an addressing scheme (contained in the URL) for locating
web content. And he created HTTP as the protocol for transferring web content
across the Internet.
The World Wide Web as we now know it appeared in 1991 and has grown
exponentially since. Tim Berners-Lee founded the World Wide Web Consortium
[the W3C], the body that sets WWW standards. The W3C defines the World Wide
Web as ‘the universe of network-accessible information, an embodiment of
human knowledge’.
Worm
Synonyms: Computer worm, Email worm, Internet worm, Network worm
Worms are generally considered to be a subset of viruses, but with key
differences. A worm is a computer program that replicates, but does not infect
other files: instead, it installs itself on a victim computer and then looks for a way
to spread to other computers.

58. From a user’s perspective, there are observable differences. In the case of a virus,
the longer it goes undetected, the more infected files there will be on the victim
computer. In the case of a worm, by contrast, there is just a single instance of the
worm code. Moreover, the worm’s code is ‘self-standing’, rather than being added
to existing files on the disk.
Like viruses, worms are often sub-divided according to the means they use to
infect a system. E-mail worms are distributed as attachments to e-mail messages,
IM worms are attached to messages sent using instant messaging programs (such
as IRC or ICQ). P2P [peer-to-peer] worms use file-sharing networks to spread.
Network worms spread directly over the LAN [Local Area Network] or across the
Internet, often making use of a specific vulnerability.
The term ‘worm’ was coined by sci-fi writer John Brunner in his 1975 novel
Shockwave Rider. The hero, a talented programmer, created self-replicating
computer programs that tunneled their way through a worldwide network.
X
xx-bit processor
Computer processors are often defined in terms of the ‘word’ size they can
handle. In computing, the term ‘word’ refers to the block of data (specified in
number of bits) that can be manipulated in a single clock cycle.
So a 16-bit processor has a word size of 16 bits, a 32-bit processor has a word size
of 32-bits and a 64-bit processor has a word size of 64-bits. From this, it’s clear
that a 64-bit processor is able to handle more data in the same clock cycle and is
therefore more efficient.
Newer processors are backwardly compatible. 64-bit processors, for example, are
able to detect 16-bit and 32-bit applications and process them appropriately.

59. Z
Zero-day exploit
A zero-day exploit is one where an exploit written to take advantage of a bug or
vulnerability in an application or operating system appears immediately after the
vulnerability has been discovered. This leaves almost no time for a vendor to
create a patch, or for IT administrators to implement other defensive measures.
Zoo
The term zoo refers to malicious code that has not been seen in the field. Antivirus vendors include detection for such malicious code, since there’s no way of
knowing if it will spread successfully in the future.
downloaded/created/modified by
allfaishalloriginall@yahoo.co.id
0857 3024 5131
(and may be) then uploaded and shared by
http://my.opera.com/allfaishall / http://faishalhimawan.wordpress.com /
http://download-writing.blogspot.com
http://emha2indonesia.multiply.com
/ http://faishalhimawan.blogspot.com
/
http://ebookzfaishal.blogspot.com
/
/
http://www.4shared.com/u/stmmkqg/969d0e36/httpmyoperacomallfaishall.html /
http://www.4shared.com/u/vmgtpgt/7cedb28d/httpmyoperacomallfaishall.html
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Contemplation Every Day, Contemplation Never Die
Melangkah adalah Tanah, Merenung adalah Gunung
(Quotes originally by Faishal Himawan Emkai)
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
File Checked by
Kaspersky Anti-Virus 7 (KAV 7) - Database Published: 12/12/2008