Chapter 41 Β· Glossary

Viruses and Worms Glossary

Key terms for understanding how viruses replicate, the four virus types, fileless attacks, and how worms spread.

Virus
A type of malware that replicates itself by attaching copies of its code to other files, programs, or storage locations. The defining characteristic is that a virus requires some form of user interaction to activate β€” executing a program, opening a document, running a script, or booting from infected media. Once activated, the virus copies itself to spread further. Viruses may cause visible damage immediately or operate silently in the background. Detection relies on antivirus signature matching against known virus patterns.
Program Virus
A virus that attaches itself to an executable file or application (.exe, .com, or similar). When the infected program is launched by the user, the virus code executes alongside the legitimate application and copies itself into other executables on the file system or accessible network shares. Program viruses are the "classic" virus type β€” the infection is tied directly to running an infected program. Also called file infector viruses.
Boot Sector Virus
A virus that infects the boot sector of a storage device β€” the section of a hard drive, USB drive, or other storage medium that contains the code executed first when a computer starts. Boot sector viruses activate before the operating system loads, meaning OS-level security tools are not yet running when the virus executes. They spread by copying themselves to the boot sector of any connected storage device. Historically significant on floppy disks; modern variants target hard drives and USB drives.
Script Virus
A virus written in a scripting language supported by an operating system or web browser β€” such as JavaScript, VBScript, Python, or PowerShell. Script viruses execute when the browser renders a compromised web page, when an OS-level script is run, or when a malicious script is embedded in an email. Because scripts are text files (not compiled binaries), they can be harder to identify with signature-based scanning and can spread via web content, email, and shared script files.
Macro Virus
A virus written in the macro language of an application β€” most commonly Microsoft Office applications (Word, Excel, PowerPoint). The virus is embedded within a document file as a macro. When the user opens the infected document and macros execute, the virus runs and typically copies itself into other documents or the application's default template (e.g., Normal.dot in Word), so every new document the user creates inherits the infection. Macro viruses spread rapidly in organizations where documents are shared.
Fileless Virus (Fileless Malware)
A sophisticated malware type that operates entirely in system memory (RAM) without writing malicious files to disk. Because traditional antivirus software scans files stored on disk, fileless malware evades signature-based detection. It typically exploits a browser or plugin vulnerability to gain initial access, then uses legitimate system tools (most commonly PowerShell or WMI) to execute malicious code in memory. To survive reboots, it adds a registry autostart entry that re-triggers the in-memory execution chain. Detected through behavioral monitoring (EDR), not file scanning.
PowerShell (in Fileless Attacks)
PowerShell is a legitimate Windows administration scripting tool that fileless malware commonly abuses. Because PowerShell is built into Windows and trusted by the OS, malicious scripts passed to it via command-line arguments execute without triggering file-based antivirus alerts. A fileless attack may: (1) launch PowerShell with a malicious script encoded in the command arguments; (2) have PowerShell download additional scripts from the attacker's server and run them in memory; (3) use PowerShell to perform actions like data exfiltration, credential theft, or installing additional payloads β€” all without writing malicious files to disk.
Registry Autostart (Fileless Persistence)
A Windows registry key that causes a program or command to run automatically at system startup. Fileless malware typically stores a single autostart entry in the registry β€” the minimal disk-resident artifact β€” that re-triggers the in-memory malware chain every time the system reboots. The registry value itself looks like a legitimate system command, making it easy to overlook. Common autostart registry locations include HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the equivalent HKLM paths. Registry analysis is a key step in fileless malware investigation.
Antivirus Signature File
A database of known malware patterns (signatures) that antivirus software uses to identify malicious files. When a file is scanned, its code is compared against the signature database. A match triggers a detection alert. Because thousands of new virus variants are created weekly, signature files must be updated frequently β€” outdated signatures cannot detect variants released after the last update. Signature-based detection is effective against known threats but blind to zero-day malware and fileless attacks that do not write recognizable patterns to disk.
Worm
A type of malware that self-replicates and spreads automatically across networks without any user interaction. This distinguishes worms from viruses: a worm does not need a human to execute a program or open a file. It scans the network for systems with exploitable vulnerabilities, exploits them autonomously, installs itself, and immediately continues scanning for more targets. Worms spread at network speed and can compromise thousands of systems in minutes on a flat, unsegmented network. Worms often carry payloads (ransomware, backdoors) delivered to every system they infect.
EternalBlue
A Windows exploit targeting the SMB (Server Message Block) network protocol β€” the service Windows uses for file sharing and printer sharing between networked computers. EternalBlue was developed by the U.S. National Security Agency, stolen, and publicly leaked in 2017. It allows an attacker to remotely execute code on a vulnerable Windows system with no user interaction required β€” the system only needs to be reachable on the network. EternalBlue was the exploit used by the WannaCry worm to self-propagate and by other subsequent attacks. Microsoft released a patch (MS17-010) two months before WannaCry launched.
WannaCry
A 2017 global cyberattack that combined a worm with a ransomware payload. The worm component used EternalBlue to automatically propagate across networks to unpatched Windows systems. On each infected system, it installed a backdoor and deployed ransomware that encrypted the user's data files. The ransomware demanded Bitcoin payment for decryption. WannaCry infected over 200,000 systems in 150 countries within days β€” including UK National Health Service hospitals. A Microsoft patch available two months prior would have blocked the EternalBlue exploit on every affected system.
IDS/IPS (Worm Context)
Intrusion Detection Systems and Intrusion Prevention Systems that monitor network traffic for patterns consistent with worm activity. Worms exhibit distinctive behaviors: rapid scanning of IP address ranges looking for vulnerable ports, repeated connection attempts to the same port across many hosts, and high-volume identical traffic patterns as they replicate to new targets. IDS alerts on this behavior; IPS actively blocks it. Effective at the network perimeter and between segments β€” but once a worm is inside a segment with no IPS between hosts, internal spread is limited only by patching and host-based firewalls.
Network Segmentation (Worm Context)
Dividing a network into separate segments with controlled communication between them, limiting a worm's ability to spread beyond the segment where it first appears. On a flat network with no segmentation, a worm can reach every host. With segmentation, a worm that enters a workstation network cannot automatically reach production servers or other VLANs. Network segmentation is the primary architectural defense against worm propagation once a worm is already inside the network perimeter. It does not prevent the initial infection but contains the blast radius.