Also known as a browser add-on.
ActiveX controls give you extra features in
Internet Explorer, such as automatic updates and website animations. Some websites will ask you to install an
ActiveX control when you visit.
Malware can take advantage of
ActiveX controls. Cybercriminals can make malicious
ActiveX controls to download and run programs on your PC.
browser helper object.
|Advanced persistent threat (APT)||
A targeted attack against a specific entity that tries to avoid detection and steal information over a period of time. Usually, the attacker behind the APT will use several pieces of malware and security technologies to build up an attack.
Software that shows you extra promotions that you cannot control as you use your PC. You wouldn't see the extra ads if you
didn't have adware installed.
We give all the
malware that we detect an
alert level. This level depends on how easily the
malware can spread and the potential damage it can do. The different
alert levels are explained in the following webpages:
A different name for the same
Malware names can differ from one security provider to another.
Stands for "
Application programming interface".
APIs are used to access common, low-level functions. Programmers can use APIs to easily access these functions when
they develop their software.
|Authenticated user||Someone who has signed in to a website or logged on to a PC or network with the correct user name or password.|
A loophole or
vulnerability that lets a malicious hacker use a program on your PC without needing a user name or password.
A type of
trojan that gives a malicious hacker access to and control of your PC. This means they may be able to tell your PC what to do or
monitor what you do online. A
bot is a type of
|Behavior||A type of detection based on file actions that are often associated with malicious activity.|
|Behavior monitoring signature||
A type of
signature that is based on behaviors or activity that is commonly used for malicious purposes, such as renaming folders
or creating certain types of shortcuts.
|Blackhat SEO (search engine optimization)||
A unfair way to make some pages appear higher in a list of search engine results. Unlike normal
search engine optimization (SEO),
blackhat SEO is considered deceitful and unethical.
A form of digital currency. You can use
bitcoins to buy things online or exchange them for real money. All transactions made in the
Bitcoin system are tracked and stored for everyone else to see.
bitcoins are created by
bitcoin mining. Anyone using the
bitcoin system can mine by running special software on their PC.
Bitcoin mining software needs a lot of processing power and can slow down the PC that's running it.
Small, hidden programs that are often controlled by a malicious hacker.
Bots can be installed on your PC without you knowing.
Bots on a large number of PCs can be connected to form a
When multiple copies of a
bot are installed on many PCs and controlled by a malicious hacker. The malicious hacker can use a
botnet for large attacks (such as
DDoS attacks or "
floods") that wouldn't be possible if they used just one PC.
|Browser helper object (BHO)||Internet Explorer uses
BHOs to give you added features as you browse the web.
Malware authors can try and take advantage of
BHOs to install malicious files on your PC.
You can learn how to turn browser helper objects off from
|Browser modifier||A program than makes changes to your Internet browser without your permission.|
When a malicious hacker tries to guess your user name and password. This is usually done automatically by
malware that uses a large list of very common words and numbers. This is one of the reasons why it's important to
have a strong password that can't be guessed. Read more tips about
creating strong passwords.
A technique used by some
malware to cause an error in a program and make it easier to run malicious code.
Completely Automated Public Turing test to tell Computers and Humans Apart.
CAPTCHAs are puzzles that are easy to solve for a human, but hard for a computer. They are usually used by web pages
to test if you are a person or a computer program. Most
CAPTCHAs use a distorted image of letters and numbers that you must type into a text box.
A type of infection where a
virus finds a gap in a file and inserts itself into it. This means the file stays the same size and the
virus is harder to find. This technique can modify the original file beyond repair.
malware or unwanted software from your PC. A single cleaning can involve several
disinfections with your security software.
|Clean file||A file that has been analyzed and determined as non-malicious.|
When a malicious hacker makes money by using your PC to click ads. The malicious hacker uses malware to do this in the background,
so you won't see it happening. The MMPC blog post
"Another way Microsoft is disrupting the malware ecosystem" explains how click fraud works.
|Command and control server||
The server from which an operator controls the bot nodes in a
botnet. This server acts as the command center for the network.
A website that includes malicious pages or links to malicious content. A website can be compromised with or without the
website owner knowing about it. Compromised websites can be used to spread
malware to unsuspecting visitors.
A program that can be used to automatically create
|Content delivery network (CDN)||A service used to cache pages from a website on a number of servers so that they can be viewed faster.|
A piece of information that is sent from a website to your internet browser when you visit it for the first time. The
cookie is stored in your web browser and tells the website about your last visit.
Cookies are often used by online shopping websites to keep track of your habits and suggest other items for you to
buy. Sometimes a
cookie includes sensitive information that may be read and stolen by
Cookies are also known as
HTTP cookies or
|Cross-site request forgery (CSRF or XSRF)||
A loophole or
vulnerability that lets a malicious hacker pretend to be a trusted user of a website. The website will then let the malicious hacker do
things that they shouldn't have permission to do.
|Cross-site scripting (XSS)||When a malicious hacker inserts malicious code into a trusted website.|
A tool that can protect software from being reverse-engineered or analyzed.
Malware may use a
cryptor to make it harder for your security software to detect or analyze it.
When someone registers, trades or uses a website name to profit from a trademark that belongs to someone else.
distributed denial of service. When a number of PCs are made to access a website, network or server repeatedly within
a given time period. The aim of the attack is to overload the target so that it crashes and can't respond. This means it
won't work for any legitimate users.
DDoS attacks can involve multiple computers that have been infected with
denial of service|
A set of
signatures that our security software uses to identify
malware. Other security software vendors may call definitions something different, such as
DAT files, pattern files, identity files, or antivirus databases.
|Dialer||A program that makes unauthorized telephone calls. These calls may be charged at a premium rate and cost you a lot of money.|
malware or unwanted software from a PC.
Stands for Domain Name System server. It translates the alphanumeric domain name (for example, "www.microsoft.com") into
the IP address for that name (for "www.microsoft.com", the IP address is "220.127.116.11").
|Domain authentication||When you are checked and verified as a legitimate user so you can see and access a website.|
denial of service. When a target PC or server is deliberately overloaded so that it doesn't work for any visitors
anymore. There are a number of different types of attack that may result in a denial of service.
A loophole or
vulnerability in the way a program writes to memory. It can be used by some
malware to infect your PC.
A type of
trojan that downloads other
malware onto your PC. The downloader needs to connect to the Internet to download the files.
The automatic or accidental download of
malware from the Internet. For example, when you agree to a license agreement without reading it properly. Some
malware can also use
vulnerabilities or loopholes in your web browser to automatically download files when you visit a compromised website.
A type of
trojan that installs other
malware files onto your PC. The other
malware is included within the trojan file. This is different to a
downloader , which needs to connect to the Internet to download other files.
Stands for the
European Institute for Computer Antivirus Research.
EICAR provides a file that can be used to see if your antivirus software is installed and working properly. There
is more information on the
The percentage of PCs running Microsoft real-time security products that report a malware encounter, even if the encounter
is blocked and doesn’t result in a malware infection. Only users who have opted to provide data to Microsoft are considered
when calculating encounter rates.
A way of making readable information unreadable. Encrypted information can't be understood until it is decrypted using a
Malware can use encryption to hide its code and make detection and removal more difficult.
A piece of code that uses software
vulnerabilities to access information on your PC or install
malware. For more information, see our page on
A program or device that monitors and controls the flow of information between two points. For example, between your computer
and the Internet.
malware technique that can steal your website sign in information or change the web content that you see.
A type of
malware signature that can detect a large variety of
malware that are in the same family or of a similar type.
|Hacktool||A type of tool that can be used to allow and maintain unauthorized access to your PC.|
A type of
buffer overflow that can change the way a program behaves.
vulnerability used by some
malware to insert malicious code into your computer's memory.
A tool or technique that can help identify common patterns. This can be useful for making
generic detections for a
When a communication channel is taken over by a malicious hacker. For example, when a malicious hacker gets access to your
web browsing session.
A fake email that warns you about
malware. The email may include instructions that actually install
malware onto your PC.
A website or part of a network that security researchers set up in the hopes of observing malware authors or attackers. This helps the researchers to provide stronger protection against the malware in-the-wild.
A legitimate file that tells your PC what webpage to go to when you type a URL into your Internet browser. Some
malware can change the file to redirect you to a malicious website without you realizing.
inline frame. A section of a webpage, like an advertisement, that links to another webpage.
Malware can use
IFrames to put malicious content into trusted websites. This could look like an advertisement, but it downloads
malware or unwanted software when you click on it.
|Improper authentication||When a program doesn't believe that you are who you say you are when you try to make changes to your PC.|
|Improper error handling||
A loophole or
vulnerability where an application doesn't handle errors properly and fails. This can be exploited by some
|Improper input validation||
vulnerability when a form isn't validated properly and may allow unintentional actions to happen.
|In the wild||Malware that currently infects and affects users' computers. This is opposed to
malware that we have seen only in internal test environments or
A program that may have been mistakenly classified as
malware or unwanted software. You can report an incorrect detection using our
Incorrect detection report form.
virusadds its code to another file to help it spread its code to other files and PCs.
|Infection chain||A series of actions that result in your PC getting infected. Infection chain details can include the way a threat arrives on your PC - such as a spam email campaign, as well as the way malware families are interrelated - such as malware that downloads other threats.|
The number of PCs cleaned for every 1,000 unique machines that run the
Malicious Software Removal Tool (MSRT).
A type of software loophole or
vulnerability that allows information to be shared when it shouldn't be.
A type of program that inserts its code into other running processes.
Malware can use code injection to hide or prevent its removal.
A lack of memory that can lead to a
A software loophole or
vulnerability that can create errors in a program because information isn't written properly.
|Integer overflow||When a program creates a larger number than its code can represent. This can create errors within the program.|
A program that pretends to do something malicious but actually doesn't actually do anything harmful. For example, some joke
programs pretend to delete files or format disks.
A tool that can be used to generate license keys for legitimate software.
Also known as keystroke logging. Software that records which keys you press.
A feature in
Internet Explorer that disables an
A form of digital currency similar to
|Least-privilege user account (LUA)||
An account on your PC that has very few permissions so it can't be used to change any settings.
user account control.
A type of
virus that spreads through infected documents such as
Microsoft Word or
Excel documents. The
virus is run when you open an infected document.
|Malformed input||An application command that is different to what was expected or has invalid information in it.|
Short for malicious software. The general name for programs that perform unwanted actions on our PC, such as stealing your
personal information. Some
malware can steal your banking details, lock your PC until you pay a ransom, or use your PC to send
trojans are all types of
|Malware creation tool||
A program that can be used to automatically create
|Man-in-the-browser (MITB) attack||
A type of web-based threat where a malicious program makes changes to a website without the website owner knowing it is
|Man-in-the-middle (MITM) attack||
A form of eavesdropping in which a malicious hacker gets in the middle of network communications. The malicious hacker can
then manipulate messages or gather information without the people doing the communication knowing.
|Memory reallocation||When information stored in a computer program is overwritten before it's used. This can cause errors in the program.|
|Memory resident||A threat that continues to run and take up space until your PC is restarted.|
|Microsoft Word global template||
Microsoft Word feature that stores
AutoText entries, and the custom toolbar, menu, and shortcut key settings so that you can use them with any document.
|Misleading||The program that makes misleading or fraudulent claims about files, registry entries or other items on your PC.|
A commercial program that monitors what you do on your PC. This can include monitoring what keys you press; your email or
instant messages; your voice or video conversations; and your banking details and passwords. It can also take screenshots
as you use your PC.
mutual exclusion object. Some
malware can create a
mutex as a sign that it has infected your PC. This stops it from infecting your PC twice.
|Network packet||A unit of data carried over a network.|
A type of
cross-site scripting. The link to the
malware is stored on a server and followed when you visit the infected website.
|NTFS file system||
Stands for new technology file system, a system used by
An abbreviation of the term
'NT loader'. The set of instructions that run every time the
Windows NT operating system is started.
To hide or make unclear. Some
malware hides its code in this way to make it harder for security software to detect or remove it. We call this type
A type of
malware that hides its code and purpose to make it more difficult for security software to detect or remove it.
A program that lets you bundle files together into the same download. This can be used by
malware authors to hide
malware files and make them harder to detect.
A type of
malware that is used steal your personal information, such as user names and passwords. It often works along with
keylogger that collects and sends information about what keys you press and websites you visit to a malicious hacker.
The actions taken by a piece of
malware once it is installed on your PC. For example, this can include downloading files, changing your PC settings,
displaying messages and watching what keys you press.
A way to trick you into giving out your personal or financial information. Phishers may use phony websites or email messages
that look like they are from a trusted businesses. Their goal is to get you to reveal your personal information, such as
your user names, passwords, or credit card numbers.
|Polymorphic||Malware that can change parts of itself to avoid detection by security software.
vulnerability that lets someone do things on your PC, network or server that they otherwise wouldn't be able to.
|Proof-of-Concept (PoC) code||
Code that's written to prove that a particular method of
malware attack can work.
|Program||Software that you may or may not want installed on your PC.|
A server that sits between you and the server you are trying to reach. A
proxy server tries to answer your request before passing it on to the actual server you are trying to reach. They
can be used to filter and store online content, handle frequent requests more quickly, or hide someone's identity.
A type of
malware that can stop you from using your PC, or encrypt your files so you can’t use them. You may be warned that
you need to pay money, complete surveys, or perform other actions before you can use your PC again. For more information,
Ransomware that is relatively easy to use for attackers, as they can inititate a ransomware attack without having to code or design their own malware. Cerber is considered 'ransomware-as-a-service'. For more information,
A set of tactics and techniques that APT actors use to gather information about how to best conduct an attack against a target (for example, by finding out what vulnerabilities can be exploited on the target’s network).
When your PC is infected with
malware again after it has been cleaned. Reinfection usually happens when your security software isn't up to date,
or if the
malware isn't being removed fully. There is more information on our
reinfection help page.
|Remote Access Tool (RAT)||A program that can be used by a remote hacker to gain access and control of an infected machine.|
|Remote code execution (RCE)||When a malicious hacker runs code on your PC without having actual physical access to it.|
|Remote control software||
A program that gives someone access to your PC from a remote location. This type of program is often installed by the computer
owner. They are only a risk if they are unexpected.
|Remote procedure call (RPC)||A communication tool that helps processes on your computer to share information.|
|Resident||Malware that continuously runs on your PC. This happens when a copy of the
malware makes changes to your PC so that it runs every time the PC starts up.
|Rogue security software||
Software that pretends to be an antivirus program but doesn't actually provide any security. This type of software usually
gives you a lot of alerts about threats on your PC that don't exist. It also tries to convince you to pay for its services.
rogue security software page has more information.
A program that is designed to hide itself and other
malware from detection while it makes changes to your PC. These changes are hard to detect and fix. There is
more information on our rootkits page.
A type of
Script, PowerShell, Perl, Python and Shell Scripting.
|Search engine optimization (SEO)||
The process of increasing the ranking and popularity of a webpage in search engine results. Usually, the higher a web page
is in the list of results, the more likely that someone will visit it.
vulnerability that lets a malicious hacker get past a program's security.
|Sender ID framework||
Technology that helps fight
spam, spoofing, and phishing emails. It checks that an email comes from where it says it does. This helps stop deceptive
|Settings modifier||A program that changes your PC settings.|
|Shell||The program that gives your commands to your computer's operating system.|
The payload that is run after
exploited a software
A signature is a set of characteristics that we use to identify a piece of
malware. Signatures are used by security software to automatically decide if a file is malicious or not.
A method of attack that targets people rather than software.
Social engineering is designed to trick you into doing something that benefits the malicious hacker, such as opening
or downloading a
malware file or giving away your personal information. It can be online, such as an email that tricks you into opening
an attachment, or offline, such as a phone call from with someone pretending to be from your bank. However social engineering
happens, its purpose is the same – to get you to do something that a malicious hacker wants you to do.
A program that installs unwanted software on your PC at the same time as the software you are trying to install, without
Bulk unwanted email.
Spam can be used to spread
malware, either as an email attachment or with a hyperlink that redirects you to an infected webpage. Some
malware can collect email addresses for spamming from infected PCs, or use infected computers to send
A bulk round of
spam run can describe a single round of
spam emails sent from the same server, or groups of
spam emails on the same theme, for example Valentine's Day
trojan that sends large numbers of
spam emails. It may also describe the person or business responsible for sending
|Spear-phishing||Phishing that is targeted at a specific person or group. See also: whaling.
A type of attack where a message is made to look like it comes from a trusted source. For example, an email that looks like
it comes from a legitimate business, but is actually trying to spread
A type of
trojan that makes fake emails that look like they are from a legitimate source.
When a malicious hacker mimics someone else. For example, when they create a website that looks the same as a legitimate
website to try and trick people into using it.
|Spyware||A program that collects your personal information, such as your browsing history, and uses it without adequate consent.|
A type of
malwareattack where SQL code is put into an ordinary web form. If the code is run it can cause significant information
|Stack-based buffer overflow||
A common type of
buffer overflow that allows
malware code to run on your PC.
A way of hiding a threat, file or process. One form of stealth can be a redirect that makes it hard to look at a malicious
file or piece of code because you are sent to a clean location instead.
|Support scam malware||
A program or script that displays messages that urge you to contact fake tech support phone number. The messages can include fake error messages (including blue screen error messages). See our Support scam malware page for more information.
A malware attack against a specific group of companies or individuals. This type of attack usually aims to get access to
the PC or network, before trying to steal information or disrupt the infected machines.
A type of software that may have a legitimate purpose, but which may also be abused by
A type of
malware. A trojan is a program that tries to look innocent, but is actually a malicious application. Unlike a
virus or a
worm , a trojan doesn't spread by itself. Instead they try to look innocent to convince you to download and install them. Once
installed, a trojan can steal your personal information, download more
malware, or give a malicious hacker access to your PC.
A type of
trojan that can use your PC to "click" on websites or applications. They are usually used to make money for a malicious hacker
by clicking on online advertisements and making it look like the website gets more traffic than it does. They can also be
used to skew online polls, install programs on your PC, or make unwanted software appear more popular than it is.
A type of
trojan that installs other malicious files, including
malware, onto your PC. It can download the files from a remote PC or install them directly from a copy that is included
in its file.
A type of
trojan that sends information about your PC to a malicious hacker. It is similar to a
A type of
trojan that installs a
proxy server on your PC. The server can be configured so that when you use the Internet, any requests you make are sent
through a server controlled by a malicious hacker.
|TrojanSpy||A program that collects your personal information, such as your browsing history, and uses it without adequate consent.|
A form of
cybersquatting where someone registers a domain name of a popular website, with small misspellings. For example,
vulnerability where data is stored to a program's memory incorrectly. This can cause errors in the program.
vulnerability where memory on your PC can't be written over. This can create errors that can be exploited by
vulnerability when a program is pointed to write to an invalid memory location. This can create errors in a program.
|Uninitialized variable||A common source of software bugs that results in an error.|
|Unrestricted upload of a file with a dangerous type||
A type of
vulnerability where software allows a malicious hacker to upload malicious files onto your PC. These files can be automatically installed
and run on your PC.
A program that you may not want installed on your PC, or that may have already been installed without adequate consent from
you. Unwanted programs may impact your privacy, security, or computing experience.
|Use after free||When a program's code points to memory that has since been cleared. This can cause the program to fail or behave unexpectedly.|
|User account control (UAC)||
Also known as least-privilege user account. Gives you control of what changes someone can make to your PC. You can use UACs
to make it harder for
malware to install and run. For example, you can make it so that someone can't install any software or drivers when
they use your PC. You can also block them from changing system wide settings, viewing or changing other user accounts, or
running administrative tools.
|User elevation||When someone is using your PC with higher privileges than they should have.|
A detection that is used mostly for malware components, or tools used for malware-related actions, such as
A copy of a complete PC in a self-contained and isolated environment. Virtual machines let you run otherwise incompatible
operating systems, as each system can run in its own isolated section. For example, running Mac OS X on a
A type of
Viruses spread on their own by attaching their code to other programs, or copying themselves across systems and networks.
A flaw or error in a program that may allow a malicious hacker to exploit it for a malicious purpose. Once known, software
vulnerabilities are usually quickly patched by their vendor. You must then update your software to be protected. For more
information, see our page on
A specific website that malware authors or attackers have identified as being visited by their target. The attacker infects the site in the hope that the target will be infected when they go there.
A collection of
malware that is used to test the performance of antimalware software.
|Whaling||Spear-phishing that is aimed at a specific person at a high level within an organisation, such as a manager, Chief Executive Officer (CEO), or Chief Security Officer (CSO).
A type of
malware that spreads to other PCs.
Worms may spread using one or more of the following methods:
- Email programs:
Within an attachment or as a link within an email message.
- Instant messaging programs:
By sending an instant message that includes a copy of itself, using programs such as
Windows Live Messenger or
- File-sharing programs:
By creating copies of itself in the common download/upload folders of file-sharing or peer-to-peer programs.
Worms will often use the names of popular software or games as a
social engineering technique.
- Social networking sites
By automatically sending messages to all of your contacts on a social networking website, such as
Twitter. The message usually has a link to a copy of the
- Network shares:
Through network shares and mapped drives. Some
worms can spread by creating copies of themselves in shared folders. If these folders are password-protected, some
worms may try to access them using commonly user names and passwords.
Removable drives with
By copying itself to removable drives such as flash drives and portable hard disks.
Worms that use this method of spreading are called
Autorunworms because they usually install a file called
autorun.inf. This file lets the
worm automatically copy itself when you access the drive and have the
Autorun feature turned on.
Autorun is the same feature that automatically plays music or installs software when you insert a
USB flash drive.
- Software vulnerabilities:
vulnerability in your software. Some
worms use vulnerabilities in
Windows services to spread to other PCs and to communicate with each other. This means a clean PC that communicates
with an infected PC can become infected.
A folder where you can put the worksheets that you would like to automatically open when you start
Excel. The folder is usually stored in
A type of
vulnerability that allows a malicious hacker to change an
A software exploit that hasn’t been disclosed or patched by the software vendor.