Term Description
ActiveX control Also known as a browser add-on. ActiveX controls give you extra features in Internet Explorer, such as automatic updates and website animations. Some websites will ask you to install an ActiveX control when you visit. Malware can take advantage of vulnerabilities in ActiveX controls. Cybercriminals can make malicious ActiveX controls to download and run programs on your PC. See also: browser helper object.
Advanced persistent threat (APT) A targeted attack against a specific entity that tries to avoid detection and steal information over a period of time. Usually, the attacker behind the APT will use several pieces of malware and security technologies to build up an attack.
Adware Software that shows you extra promotions that you cannot control as you use your PC. You wouldn't see the extra ads if you didn't have adware installed.
Alert level We give all the malware that we detect an alert level. This level depends on how easily the malware can spread and the potential damage it can do. The different alert levels are explained in the Understanding alert levels page.
Alias A different name for the same malware. Malware names can differ from one security provider to another.
API Stands for "Application programming interface". APIs are used to access common, low-level functions. Programmers can use APIs to easily access these functions when they develop their software.
Authenticated user Someone who has signed in to a website or logged on to a PC or network with the correct user name or password.
Authentication bypass A loophole or vulnerability that lets a malicious hacker use a program on your PC without needing a user name or password.
Backdoor trojan A type of trojan that gives a malicious hacker access to and control of your PC. This means they may be able to tell your PC what to do or monitor what you do online. A bot is a type of backdoor trojan.
Behavior A type of detection based on file actions that are often associated with malicious activity.
Behavior monitoring signature A type of signature that is based on behaviors or activity that is commonly used for malicious purposes, such as renaming folders or creating certain types of shortcuts.
Blackhat SEO (search engine optimization) An unfair way to make some pages appear higher in a list of search engine results. Unlike normal search engine optimization (SEO), blackhat SEO is considered deceitful and unethical.
Bitcoins A form of digital currency. You can use bitcoins to buy things online or exchange them for real money. All transactions made in the Bitcoin system are tracked and stored for everyone else to see.
Bitcoin mining New bitcoins are created by bitcoin mining. Anyone using the bitcoin system can mine by running special software on their PC. Bitcoin mining software needs a lot of processing power and can slow down the PC that's running it.
Bot Small, hidden programs that are often controlled by a malicious hacker. Bots can be installed on your PC without you knowing. Bots on a large number of PCs can be connected to form a botnet.
Botnet When multiple copies of a bot are installed on many PCs and controlled by a malicious hacker. The malicious hacker can use a botnet for large attacks (such as DDoS attacks or "floods") that wouldn't be possible if they used just one PC.
Browser helper object (BHO) Internet Explorer uses BHOs to give you added features as you browse the web. Malware authors can try and take advantage of BHOs to install malicious files on your PC. You can learn how to turn browser helper objects off from Microsoft support.
Browser modifier A program that makes changes to your Internet browser without your permission.
Brute force When a malicious hacker tries to guess your user name and password. This is usually done automatically by malware that uses a large list of very common words and numbers. This is one of the reasons why it's important to have a strong password that can't be guessed. Read more tips about creating strong passwords.
Buffer overflow A technique used by some malware to cause an error in a program and make it easier to run malicious code.
CAPTCHA Stands for Completely Automated Public Turing test to tell Computers and Humans Apart. CAPTCHAs are puzzles that are easy to solve for a human, but hard for a computer. They are usually used by web pages to test if you are a person or a computer program. Most CAPTCHAs use a distorted image of letters and numbers that you must type into a text box.
Cavity infection A type of infection where a virus finds a gap in a file and inserts itself into it. This means the file stays the same size and the virus is harder to find. This technique can modify the original file beyond repair.
Clean To remove malware or unwanted software from your PC. A single cleaning can involve several disinfections with your security software.
Clean file A file that has been analyzed and determined as non-malicious.
Click fraud When a malicious hacker makes money by using your PC to click ads. The malicious hacker uses malware to do this in the background, so you won't see it happening. The MMPC blog post "Another way Microsoft is disrupting the malware ecosystem" explains how click fraud works.
Command and control server The server from which an operator controls the bot nodes in a botnet. This server acts as the command center for the network.
Compromised website A website that includes malicious pages or links to malicious content. A website can be compromised with or without the website owner knowing about it. Compromised websites can be used to spread malware to unsuspecting visitors.
Constructor A program that can be used to automatically create malware files.
Content delivery network (CDN) A service used to cache pages from a website on a number of servers so that they can be viewed faster.
Cookie A piece of information that is sent from a website to your internet browser when you visit it for the first time. The cookie is stored in your web browser and tells the website about your last visit. Cookies are often used by online shopping websites to keep track of your habits and suggest other items for you to buy. Sometimes a cookie includes sensitive information that may be read and stolen by malware. Cookies are also known as HTTP cookies or tracking cookies.
Cross-site request forgery (CSRF or XSRF) A loophole or vulnerability that lets a malicious hacker pretend to be a trusted user of a website. The website will then let the malicious hacker do things that they shouldn't have permission to do.
Cross-site scripting (XSS) When a malicious hacker inserts malicious code into a trusted website.
Cryptor A tool that can protect software from being reverse-engineered or analyzed. Malware may use a cryptor to make it harder for your security software to detect or analyze it.
Cybersquatting When someone registers, trades or uses a website name to profit from a trademark that belongs to someone else. See also: typosquatting.
DDoS Stands for distributed denial of service. When a number of PCs are made to access a website, network or server repeatedly within a given time period. The aim of the attack is to overload the target so that it crashes and can't respond. This means it won't work for any legitimate users. DDoS attacks can involve multiple computers that have been infected with malware. See also: denial of service.
Definition A set of signatures that our security software uses to identify malware. Other security software vendors may call definitions something different, such as DAT files, pattern files, identity files, or antivirus databases.
Dialer A program that makes unauthorized telephone calls. These calls may be charged at a premium rate and cost you a lot of money.
Disinfect To remove malware or unwanted software from a PC. See also: clean.
DNS server Stands for Domain Name System server. It translates the alphanumeric domain name (for example, "") into the IP address for that name (for "", the IP address is "").
Domain authentication When you are checked and verified as a legitimate user so you can see and access a website.
DoS Stands for denial of service. When a target PC or server is deliberately overloaded so that it doesn't work for any visitors anymore. There are a number of different types of attack that may result in a denial of service. See also: DDoS.
Double-free condition A loophole or vulnerability in the way a program writes to memory. It can be used by some malware to infect your PC.
Downloader A type of trojan that downloads other malware onto your PC. The downloader needs to connect to the Internet to download the files.
Drive-by download The automatic or accidental download of malware from the Internet. For example, when you agree to a license agreement without reading it properly. Some malware can also use vulnerabilities or loopholes in your web browser to automatically download files when you visit a compromised website.
Dropper A type of trojan that installs other malware files onto your PC. The other malware is included within the trojan file. This is different to a downloader, which needs to connect to the Internet to download other files.
EICAR Stands for the European Institute for Computer Antivirus Research. EICAR provides a file that can be used to see if your antivirus software is installed and working properly. There is more information on the EICAR website.
Encounter rate The percentage of PCs running Microsoft real-time security products that report a malware encounter, even if the encounter is blocked and doesn’t result in a malware infection. Only users who have opted to provide data to Microsoft are considered when calculating encounter rates.
Encryption A way of making readable information unreadable. Encrypted information can't be understood until it is decrypted using a secret key. Malware can use encryption to hide its code and make detection and removal more difficult.
Exploit A piece of code that uses software vulnerabilities to access information on your PC or install malware. For more information, see our page on exploits.
Firewall A program or device that monitors and controls the flow of information between two points. For example, between your computer and the Internet.
Form grabbing A malware technique that can steal your website sign in information or change the web content that you see.
Generic A type of malware signature that can detect a large variety of malware that are in the same family or of a similar type.
Hacktool A type of tool that can be used to allow and maintain unauthorized access to your PC.
Heap overflow A type of buffer overflow that can change the way a program behaves.
Heap spraying A vulnerability used by some malware to insert malicious code into your computer's memory.
Heuristics A tool or technique that can help identify common patterns. This can be useful for making generic detections for a malware family.
Hijacking When a communication channel is taken over by a malicious hacker. For example, when a malicious hacker gets access to your web browsing session.
Hoax email A fake email that warns you about malware. The email may include instructions that actually install malware onto your PC.
Honeypot A website or part of a network that security researchers set up in the hopes of observing malware authors or attackers. This helps the researchers to provide stronger protection against the malware in-the-wild.
Hosts file A legitimate file that tells your PC what webpage to go to when you type a URL into your Internet browser. Some malware can change the file to redirect you to a malicious website without you realizing.
IFrames Short for inline frame. A section of a webpage, like an advertisement, that links to another webpage. Malware can use IFrames to put malicious content into trusted websites. This could look like an advertisement, but it downloads malware or unwanted software when you click on it.
Improper authentication When a program doesn't believe that you are who you say you are when you try to make changes to your PC.
Improper error handling A loophole or vulnerability where an application doesn't handle errors properly and fails. This can be exploited by some malware.
Improper input validation A potential vulnerability when a form isn't validated properly and may allow unintentional actions to happen.
In the wild Malware that currently infects and affects users' computers. This is opposed to malware that we have seen only in internal test environments or malware collections.
Incorrect detection A program that may have been mistakenly classified as malware or unwanted software. You can report an incorrect detection using our Incorrect detection report form.
Infection When a virus adds its code to another file to help it spread its code to other files and PCs.
Infection chain A series of actions that result in your PC getting infected. Infection chain details can include the way a threat arrives on your PC - such as a spam email campaign, as well as the way malware families are interrelated - such as malware that downloads other threats.
Infection rate The number of PCs cleaned for every 1,000 unique machines that run the Malicious Software Removal Tool (MSRT).
Information disclosure A type of software loophole or vulnerability that allows information to be shared when it shouldn't be.
Injector A type of program that inserts its code into other running processes. Malware can use code injection to hide or prevent its removal.
Insufficient bounds A lack of memory that can lead to a buffer overflow.
Insufficient validation A software loophole or vulnerability that can create errors in a program because information isn't written properly.
Integer overflow When a program creates a larger number than its code can represent. This can create errors within the program.
Joke program A program that pretends to do something malicious but doesn't actually do anything harmful. For example, some joke programs pretend to delete files or format disks.
Keygen A tool that can be used to generate license keys for legitimate software.
Keylogger Also known as keystroke logging. Software that records which keys you press. See also: password stealer.
Kill bit A feature in Internet Explorer that disables an ActiveX control.
Litecoins A form of digital currency similar to bitcoins.
Least-privilege user account (LUA) An account on your PC that has very few permissions so it can't be used to change any settings. See also: user account control.
Macro virus A type of virus that spreads through infected documents such as Microsoft Word or Excel documents. The virus is run when you open an infected document.
Malformed input An application command that is different to what was expected or has invalid information in it.
Malware Short for malicious software. The general name for programs that perform unwanted actions on your PC, such as stealing your personal information. Some malware can steal your banking details, lock your PC until you pay a ransom, or use your PC to send spam. Viruses, worms and trojans are all types of malware.
Malware creation tool A program that can be used to automatically create malware files.
Man-in-the-browser (MITB) attack A type of web-based threat where a malicious program makes changes to a website without the website owner knowing it is happening.
Man-in-the-middle (MITM) attack A form of eavesdropping in which a malicious hacker gets in the middle of network communications. The malicious hacker can then manipulate messages or gather information without the people doing the communication knowing.
Memory reallocation When information stored in a computer program is overwritten before it's used. This can cause errors in the program.
Memory resident A threat that continues to run and take up space until your PC is restarted.
Microsoft Word global template A Microsoft Word feature that stores macros, AutoText entries, and the custom toolbar, menu, and shortcut key settings so that you can use them with any document.
Misleading A program that makes misleading or fraudulent claims about files, registry entries or other items on your PC.
Monitoring tool A commercial program that monitors what you do on your PC. This can include monitoring what keys you press; your email or instant messages; your voice or video conversations; and your banking details and passwords. It can also take screenshots as you use your PC.
Mutex Stands for mutual exclusion object. Some malware can create a mutex as a sign that it has infected your PC. This stops it from infecting your PC twice.
Network packet A unit of data carried over a network.
Non-persistent XSS A type of cross-site scripting. The link to the malware is stored on a server and followed when you visit the infected website.
NTFS file system Stands for new technology file system, a system used by Windows NT.
NTLDR An abbreviation of the term 'NT loader'. The set of instructions that run every time the Windows NT operating system is started.
Obfuscate To hide or make unclear. Some malware hides its code in this way to make it harder for security software to detect or remove it. We call this type of malware an obfuscator.
Obfuscator A type of malware that hides its code and purpose to make it more difficult for security software to detect or remove it.
Packer A program that lets you bundle files together into the same download. This can be used by malware authors to hide malware files and make them harder to detect.
Password stealer A type of malware that is used to steal your personal information, such as user names and passwords. It often works along with a keylogger that collects and sends information about what keys you press and websites you visit to a malicious hacker.
Payload The actions taken by a piece of malware once it is installed on your PC. For example, this can include downloading files, changing your PC settings, displaying messages and watching what keys you press.
Phishing A way to trick you into giving out your personal or financial information. Phishers may use phony websites or email messages that look like they are from a trusted business. Their goal is to get you to reveal your personal information, such as your user names, passwords, or credit card numbers.
Polymorphic Malware that can change parts of itself to avoid detection by security software.
Privilege elevation A vulnerability that lets someone do things on your PC, network or server that they otherwise wouldn't be able to.
Proof-of-Concept (PoC) code Code that's written to prove that a particular method of malware attack can work.
Program Software that you may or may not want installed on your PC.
Proxy server A server that sits between you and the server you are trying to reach. A proxy server tries to answer your request before passing it on to the actual server you are trying to reach. They can be used to filter and store online content, handle frequent requests more quickly, or hide someone's identity.
Ransomware A type of malware that can stop you from using your PC, or encrypt your files so you can’t use them. You may be warned that you need to pay money, complete surveys, or perform other actions before you can use your PC again. For more information, see our ransomware page.
Ransomware-as-a-service Ransomware that is relatively easy to use for attackers, as they can initiate a ransomware attack without having to code or design their own malware. Cerber is considered 'ransomware-as-a-service'. For more information, see our ransomware page.
Reconnaissance A set of tactics and techniques that APT actors use to gather information about how to best conduct an attack against a target (for example, by finding out what vulnerabilities can be exploited on the target’s network).
Reinfection When your PC is infected with malware again after it has been cleaned. Reinfection usually happens when your security software isn't up to date, or if the malware isn't being removed fully. There is more information on our reinfection help page.
Remote Access Tool (RAT) A program that can be used by a remote hacker to gain access and control of an infected machine.
Remote code execution (RCE) When a malicious hacker runs code on your PC without having actual physical access to it.
Remote control software A program that gives someone access to your PC from a remote location. This type of program is often installed by the computer owner. They are only a risk if they are unexpected.
Remote procedure call (RPC) A communication tool that helps processes on your computer to share information.
Resident Malware that continuously runs on your PC. This happens when a copy of the malware makes changes to your PC so that it runs every time the PC starts up.
Rogue security software Software that pretends to be an antivirus program but doesn't actually provide any security. This type of software usually gives you a lot of alerts about threats on your PC that don't exist. It also tries to convince you to pay for its services. Our rogue security software page has more information.
Rootkit A program that is designed to hide itself and other malware from detection while it makes changes to your PC. These changes are hard to detect and fix. There is more information on our rootkits page.
Script (malware) A type of malware written using a scripting language. Common forms of scripting language include JavaScript, HTML, Visual Basic Script, PowerShell, Perl, Python and Shell Scripting.
Search engine optimization (SEO) The process of increasing the ranking and popularity of a webpage in search engine results. Usually, the higher a web page is in the list of results, the more likely that someone will visit it.
Security bypass A software vulnerability that lets a malicious hacker get past a program's security.
Sender ID framework Technology that helps fight spam, spoofing, and phishing emails. It checks that an email comes from where it says it does. This helps stop deceptive messages.
Settings modifier A program that changes your PC settings.
Shell The program that gives your commands to your computer's operating system.
Shellcode The payload that is run after malware has exploited a software vulnerability.
Signature A signature is a set of characteristics that we use to identify a piece of malware. Signatures are used by security software to automatically decide if a file is malicious or not.
Social engineering A method of attack that targets people rather than software. Social engineering is designed to trick you into doing something that benefits the malicious hacker, such as opening or downloading a malware file or giving away your personal information. It can be online, such as an email that tricks you into opening an attachment, or offline, such as a phone call from someone pretending to be from your bank. However social engineering happens, its purpose is the same – to get you to do something that a malicious hacker wants you to do.
Software bundler A program that installs unwanted software on your PC at the same time as the software you are trying to install, without adequate consent.
Spam Bulk unwanted email. Spam can be used to spread malware, either as an email attachment or with a hyperlink that redirects you to an infected webpage. Some malware can collect email addresses for spamming from infected PCs, or use infected computers to send spam.
Spam run A bulk round of spam. A spam run can describe a single round of spam emails sent from the same server, or groups of spam emails on the same theme, for example Valentine's Day spam.
Spammer A trojan that sends large numbers of spam emails. It may also describe the person or business responsible for sending spam.
Spear-phishing Phishing that is targeted at a specific person or group. See also: whaling.
Spoof A type of attack where a message is made to look like it comes from a trusted source. For example, an email that looks like it comes from a legitimate business, but is actually trying to spread malware.
Spoofer A type of trojan that makes fake emails that look like they are from a legitimate source.
Spoofing When a malicious hacker mimics someone else. For example, when they create a website that looks the same as a legitimate website to try and trick people into using it.
Spyware A program that collects your personal information, such as your browsing history, and uses it without adequate consent.
SQL injection A type of malware attack where SQL code is put into an ordinary web form. If the code is run it can cause significant information loss.
Stack-based buffer overflow A common type of buffer overflow that allows malware code to run on your PC.
Stealth A way of hiding a threat, file or process. One form of stealth can be a redirect that makes it hard to look at a malicious file or piece of code because you are sent to a clean location instead.
Support scam malware A program or script that displays messages that urge you to contact a fake tech support phone number. The messages can include fake error messages (including blue screen error messages). See our Support scam malware page for more information.
Targeted attack A malware attack against a specific group of companies or individuals. This type of attack usually aims to get access to the PC or network, before trying to steal information or disrupt the infected machines.
Tool A type of software that may have a legitimate purpose, but which may also be abused by malware authors.
Trojan A type of malware. A trojan is a program that tries to look innocent, but is actually a malicious application. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead they try to look innocent to convince you to download and install them. Once installed, a trojan can steal your personal information, download more malware, or give a malicious hacker access to your PC.
Trojan clicker A type of trojan that can use your PC to "click" on websites or applications. They are usually used to make money for a malicious hacker by clicking on online advertisements and making it look like the website gets more traffic than it does. They can also be used to skew online polls, install programs on your PC, or make unwanted software appear more popular than it is.
Trojan downloader/dropper A type of trojan that installs other malicious files, including malware, onto your PC. It can download the files from a remote PC or install them directly from a copy that is included in its file.
Trojan notifier A type of trojan that sends information about your PC to a malicious hacker. It is similar to a password stealer.
Trojan proxy A type of trojan that installs a proxy server on your PC. The server can be configured so that when you use the Internet, any requests you make are sent through a server controlled by a malicious hacker.
TrojanSpy A program that collects your personal information, such as your browsing history, and uses it without adequate consent.
Typosquatting A form of cybersquatting where someone registers a domain name of a popular website, with small misspellings. For example, See also: cybersquatting.
Unchecked buffer A software vulnerability where data is stored to a program's memory incorrectly. This can cause errors in the program.
Uninitialized memory A software vulnerability where memory on your PC can't be written over. This can create errors that can be exploited by malware.
Uninitialized pointer A software vulnerability when a program is pointed to write to an invalid memory location. This can create errors in a program.
Uninitialized variable A common source of software bugs that results in an error.
Unrestricted upload of a file with a dangerous type A type of vulnerability where software allows a malicious hacker to upload malicious files onto your PC. These files can be automatically installed and run on your PC.
Unwanted software A program that you may not want installed on your PC, or that may have already been installed without adequate consent from you. Unwanted programs may impact your privacy, security, or computing experience.
Use after free When a program's code points to memory that has since been cleared. This can cause the program to fail or behave unexpectedly.
User account control (UAC) Also known as least-privilege user account. Gives you control of what changes someone can make to your PC. You can use UACs to make it harder for malware to install and run. For example, you can make it so that someone can't install any software or drivers when they use your PC. You can also block them from changing system wide settings, viewing or changing other user accounts, or running administrative tools.
User elevation When someone is using your PC with higher privileges than they should have.
Virtool A detection that is used mostly for malware components, or tools used for malware-related actions, such as rootkits.
Virtual machine A copy of a complete PC in a self-contained and isolated environment. Virtual machines let you run otherwise incompatible operating systems, as each system can run in its own isolated section. For example, running Mac OS X on a Windows PC.
Virus A type of malware. Viruses spread on their own by attaching their code to other programs, or copying themselves across systems and networks.
Vulnerability A flaw or error in a program that may allow a malicious hacker to exploit it for a malicious purpose. Once known, software vulnerabilities are usually quickly patched by their vendor. You must then update your software to be protected. For more information, see our page on exploits.
Watering-hole A specific website that malware authors or attackers have identified as being visited by their target. The attacker infects the site in the hope that the target will be infected when they go there.
WildList A collection of malware that is used to test the performance of antimalware software.
Whaling Spear-phishing that is aimed at a specific person at a high level within an organisation, such as a manager, Chief Executive Officer (CEO), or Chief Security Officer (CSO).

Worm A type of malware that spreads to other PCs. Worms may spread using one or more of the following methods:

  • Email programs: Within an attachment or as a link within an email message.
  • Instant messaging programs: By sending an instant message that includes a copy of itself, using programs such as Windows Live Messenger or Skype.
  • File-sharing programs: By creating copies of itself in the common download/upload folders of file-sharing or peer-to-peer programs. Worms will often use the names of popular software or games as a social engineering technique.
  • Social networking sites: By automatically sending messages to all of your contacts on a social networking website, such as Facebook and Twitter. The message usually has a link to a copy of the worm.
  • Network shares: Through network shares and mapped drives. Some worms can spread by creating copies of themselves in shared folders. If these folders are password-protected, some worms may try to access them using common user names and passwords.
  • Removable drives with Autorun enabled: By copying itself to removable drives such as flash drives and portable hard disks. Worms that use this method of spreading are called Autorun worms because they usually install a file called autorun.inf. This file lets the worm automatically copy itself when you access the drive and have the Autorun feature turned on. Autorun is the same feature that automatically plays music or installs software when you insert a CD, DVD or USB flash drive.
  • Software vulnerabilities: Through vulnerabilities in your software. Some worms use vulnerabilities in Windows services to spread to other PCs and to communicate with each other. This means a clean PC that communicates with an infected PC can become infected.
XLStart A folder where you can put the worksheets that you would like to automatically open when you start Excel. The folder is usually stored in %AppData%\Local\Microsoft\Excel\XLStart.
XML injection A type of vulnerability that allows a malicious hacker to change an XML file.
Zero-day exploit A software exploit that hasn’t been disclosed or patched by the software vendor.
