Glossary

Terms you will run into across the specimens. Not exhaustive, updated as new entries demand.

Boot sector: The first physical sector of a floppy disk or hard drive, loaded into memory at startup. Boot sector viruses replace this code so they execute before the operating system, then chain back to the original boot routine.
COM file: A simple DOS executable format limited to 64 KB and loaded directly into memory at offset 0x100. COM files were the easiest infection target in early DOS viruses because of their flat layout.
EXE file: The structured DOS executable format with a relocation header. Infecting EXE files required parsing and adjusting the header, which made EXE infectors slightly more sophisticated than COM infectors.
TSR: Terminate and Stay Resident. A DOS program that exits to the command prompt but leaves part of itself in memory, hooking interrupts so it can intercept future system calls. Most early viruses were TSRs.
Interrupt 21h: The MS-DOS API gateway. Almost every file operation flowed through INT 21h, so a virus that hooked it could intercept opens, reads, writes, and executions for the entire system.
Payload: The visible or destructive action a virus performs once its trigger condition is met, separate from its replication code. Payloads ranged from harmless animations to disk wipes.
Trigger: The condition that activates a payload. Common triggers included specific dates, keystroke counts, file counts reached, or random chance per execution.
Polymorphic: A virus that mutates its own code on each infection so that no two copies look the same to a signature scanner. Pioneered by Tequila and the Mutation Engine, polymorphism reshaped antivirus research in the early 1990s.
Stealth: Techniques used by viruses to hide their presence from the operating system, typically by intercepting file size and content reads so infected files appear unchanged on inspection.
Encrypted virus: A virus whose body is stored in scrambled form and decrypted at runtime by a small loader. The loader varies even when the body does not, an early step toward full polymorphism.
Dropper: A small program whose only job is to install a virus onto a system. Droppers themselves are not always self-replicating.
Variant: A modified version of an existing virus, often produced by a different author who reverse engineered the original. Many famous virus 'families' are really collections of variants on a single ancestor.
Family: A group of related viruses sharing a common ancestor and a recognizable code lineage. Jerusalem, Stoned, and Cascade are families with dozens of variants each.
VX scene: The loose underground community of virus writers, traders, zine publishers, and antivirus researchers that flourished from roughly 1990 through the early 2000s. Most were teenagers swapping samples through BBSes.
40Hex: An influential virus zine published by the Phalcon/Skism group from 1991 to 1995. Issues featured source code, technical articles, and scene gossip.
First generation: An original copy of a virus written by its author, before it has replicated through any host system. First generation samples are valued by researchers because they are uncorrupted by later mutations.