previous page: 23  What is an ANSI bomb? (Computer virus)
page up: Computer Viruses FAQ
next page: 25  What are the symptoms and indications of a virus infection? (Computer virus)

24 Miscellaneous Jargon and Abbreviations (Computer virus)


This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.

24 Miscellaneous Jargon and Abbreviations (Computer virus)

AV = antivirus. A commonly used shorthand on Virus-L/comp.virus, as in
"av software".

BSI = Boot Sector Infector: a virus that takes control when the computer
attempts to boot. These are found in the boot sectors of floppy disks,
and the MBRs or boot sectors of hard disks (see B4 for more details).
BSIs are also known as BSVs (Boot Sector Viruses).

CMOS = Complementary Metal Oxide Semiconductor: A memory area that is
used in AT class, and higher, PCs for storage of system information.
CMOS is battery backed RAM (see below), originally used to maintain date
and time information while the PC was turned off. CMOS memory is not in
the normal CPU address space and cannot be executed (see E2 for further
discussion of issues concerning CMOS memory and viruses).

DBS = DOS Boot Sector: The first sector of a logical DOS partition on a
hard disk or the first absolute sector of a diskette. This sector
contains the startup code that actually loads DOS. This is often
confused with the MBR. Some boot sector viruses infect the DBS rather
than the MBR when infecting hard disks.

DETECTION = The ability of an antivirus program to detect that a virus
is present, without necessarily reporting which particular virus it is
(also see IDENTIFICATION and RECOGNITION, in this section).

DOS = Disk Operating System. We use the term "DOS" to mean any of the
MS-DOS, PC-DOS, DR DOS or Novell DOS systems for PCs and compatibles,
even though there are operating systems called "DOS" on other, unrelated

GERM = The first generation of a virus. It normally cannot be produced
again during the replication process and is usually created by compiling
the source of the virus.

GOAT FILES = Programs which usually do nothing special (e.g., just exit,
or simply display a message), that are used by antivirus researchers to
capture samples of viruses. This is done to make it easier to
disassemble and understand the virus, because the infected "goat"
program is (usually) simple and does not clutter the disassembly.
Alternative terms are BAIT FILES, DECOY FILES and VICTIM FILES. In any
of these terms, the word "programs" often replaces the word "files".

IDENTIFICATION = The ability of an antivirus program (usually a scanner)
to not only detect the virus and recognize it by name, but also to
recognize it to a high degree of uniqueness. This allows third parties
to understand which particular virus it is without seeing a sample of
the virus. EXACT IDENTIFICATION occurs when every section of the non-
modifiable parts of the virus body are uniquely identified. ALMOST
EXACT IDENTIFICATION occurs if the identification is only good enough to
ensure that an attempt to remove the virus will not result in damage to
the host object by the use of an inappropriate disinfection method (also
see DETECTION and RECOGNITION, in this section).

MBR = Master Boot Record: the first absolute sector (track 0, head 0,
sector 1) on a PC hard disk, that usually contains the partition table
but on some PCs may only contain a boot sector. The MBR is also known
as the MBS (Master Boot Sector). This is *not* the same as the DOS Boot
Sector, logical sector 0 (see above).

PARTITION TABLE = A 64-byte data structure that defines the way a PC's
hard disk is divided into logical sections known as partitions. While
there is often more than one partition table on a PC's hard disk, the
most important is the one stored *in* the MBR. This one contains
important extra information such as which partition (if any) should be
booted from. The partition table is purely data, so is not executed.
Some people erroneously use the term "partition table virus" as a
synonym for "MBR virus".

RAM = Random Access Memory: the place programs are loaded into in order
to execute; the significance for viruses is that, to be active, they
must load themselves into part of the RAM. However, some virus scanners
may declare that a virus is active when it is found in RAM, even though
it may only be left in a buffer area following a disk read operation,
rather than truly being active (see C8 for further discussion of this

RECOGNITION = The ability of an antivirus program (usually a scanner) to
detect a virus and to recognize it by name (also see DETECTION and
IDENTIFICATION, in this section).

TARGETING VIRUS = A virus that tries to bypass or hinder the operation
of one or more *specific* antivirus programs. Also known as RETALIATOR,

SCAN STRING = A sequence of bytes (characters) that occur in a known
virus but not, one hopes, in legitimate programs. Some scanners allow
"wildcards"--positions that are matched by any character--in their scan
strings. Authors of virus scanners reduce the likelihood of false
positives (see B7) by carefully selecting their scan strings and often
by only searching "likely" parts of target files.

SEARCH STRING = A synonym for scan string.

SIGNATURE = A poor synonym for scan string. We recommend that you avoid
using this term and use "scan string" or "search string" instead.

TOM = Top Of Memory: the end of conventional memory--an architectural
design limit--at the 640KB mark on most PCs. Some early PCs may not
have a full 640KB, but the amount of memory is always a multiple of
64KB. A boot-record virus on a PC typically resides just below this
mark and changes the value which will be reported for the TOM to the
location of the beginning of the virus so that it won't be overwritten.
Checking this value for changes can help detect a virus, but there are
also legitimate reasons why it may change (see C10). A very few PCs
with unusual configurations or memory managers may report in excess of

TSR = Terminate but Stay Resident: these are PC programs that stay in
memory while you continue to use the computer for other purposes; they
include pop-up utilities, network software, and the great majority of
common viruses. These can often be seen using utilities such as MEM and

VX = Virus eXchange. A shorthand usually reserved for those BBSes and
FTP sites, and their community of users, that make their virus
collections "openly" available for downloading. Exchange of virus
samples between bona fide members of the antivirus community is not
tagged with the VX label.


Continue to:

previous page: 23  What is an ANSI bomb? (Computer virus)
page up: Computer Viruses FAQ
next page: 25  What are the symptoms and indications of a virus infection? (Computer virus)