220-1102 | Chapter 8 of 131 | Objective 2.1

Malware Types and Removal

This chapter covers the various types of malware you must know for the CompTIA A+ 220-1102 exam, including viruses, worms, Trojans, ransomware, spyware, rootkits, and more. Understanding malware types and removal is critical because security is a major domain on the exam, comprising about 25% of questions. You will learn how each malware type works, how to identify infections, and the proper removal procedures. Mastery of these concepts is essential not only for the exam but for real-world IT support roles.

25 min read
Intermediate
Updated May 31, 2026

Malware: The Parasitic Infection of Your Computer

Imagine your computer is a secure office building. Malware is like a person who sneaks in dressed as a delivery driver (social engineering), finds an unlocked door (vulnerability), and then hides in the break room (system file). Different malware types act like different kinds of intruders: a virus is like someone who attaches a harmful note to every document they touch, infecting others who read it; a worm is like a person who duplicates their keycard and passes copies to everyone in the building, spreading without any help; a Trojan is like someone who pretends to be a maintenance worker but actually steals valuables; ransomware is like a hostage-taker who locks the server room and demands payment for the key; spyware is like a hidden camera recording everything you type; rootkits are like intruders who take over the security guard's uniform and badge, so they can move freely without suspicion. Just as a building needs layered security—locks, guards, cameras, and employee training—a computer needs antivirus, firewalls, updates, and user awareness to prevent, detect, and remove these threats.

How It Actually Works

What is Malware?

Malware (malicious software) is any software intentionally designed to cause damage, steal data, or disrupt operations. For the 220-1102 exam, you must recognize the characteristics of each major type and know the appropriate removal steps. Malware can enter a system through email attachments, downloads, removable media, network exploits, or social engineering.

Virus

A virus is a self-replicating program that attaches itself to a legitimate executable file or script. It requires human action to spread, such as opening an infected file or running a program. When the host file is executed, the virus code runs, often modifying other files or system areas. Viruses can be further classified as:

- Boot sector virus: Infects the Master Boot Record (MBR) or Volume Boot Record (VBR). It loads before the OS, making removal difficult.

- File infector virus: Attaches to .exe or .com files.

- Macro virus: Written in a macro language (e.g., VBA) and embedded in documents such as Word or Excel files. Common in Office files.

- Polymorphic virus: Changes its code signature each time it replicates to evade signature-based antivirus detection.

- Stealth virus: Hides its presence by intercepting the system calls that antivirus software uses to read infected files, so the scanner sees clean content.

Worm

A worm is similar to a virus but can spread without human intervention. It exploits network vulnerabilities or uses email to replicate. Worms consume bandwidth and system resources, often causing network slowdowns. Example: the Blaster worm (2003) exploited a Windows RPC vulnerability (MS03-026). Worms are self-contained and do not need to attach to a host file.

Trojan

A Trojan (Trojan horse) disguises itself as legitimate software but contains malicious code. Unlike viruses and worms, Trojans do not self-replicate. They often create backdoors for remote access, steal passwords, or download additional malware. Common types:

- Remote Access Trojan (RAT): Provides the attacker with control over the victim's system (e.g., PoisonIvy, DarkComet).

- Banking Trojan: Steals financial credentials (e.g., Zeus, SpyEye).

- DDoS Trojan: Uses infected systems in a botnet to launch distributed denial-of-service attacks.

Ransomware

Ransomware encrypts files or locks the system and demands payment (usually cryptocurrency) for decryption. It often spreads via phishing emails or exploit kits. Notable examples: CryptoLocker, WannaCry (2017), Ryuk. Some variants also threaten to publish stolen data (doxware). Removal involves isolating the system, but decryption may be impossible without backups.

Spyware

Spyware secretly monitors user activity and collects personal information. It can log keystrokes (keyloggers), capture screenshots, track browsing habits, or steal credentials. Spyware often comes bundled with free software. It may be hard to detect because it runs in the background. Removal requires specialized anti-spyware tools.

Adware

Adware automatically displays or downloads advertising material. While not always malicious, it can be intrusive and degrade performance. Some adware includes spyware components. It often changes browser settings, injects ads, or redirects searches.

Rootkit

A rootkit is a collection of tools that provides administrator-level access while hiding its presence. It modifies the operating system to conceal processes, files, and registry keys. Rootkits can reside in kernel mode (kernel rootkit) or user mode. They are extremely difficult to detect because they subvert system calls. Detection often requires booting from a trusted medium (e.g., a live CD) and using rootkit scanners. Removal may require a full OS reinstall.

Botnet

A botnet is a network of infected computers (bots or zombies) controlled by a command-and-control (C&C) server. The attacker (bot herder) can use the botnet for DDoS attacks, spam campaigns, or cryptocurrency mining. Botnets often use IRC, HTTP, or peer-to-peer protocols for communication. Infected systems may show increased network activity.

Logic Bomb

A logic bomb is malicious code that triggers when a specific condition is met, such as a date or user action. It is often planted by disgruntled employees. The payload can delete files, corrupt data, or disable systems. Detection is difficult because the code lies dormant until triggered.

Keylogger

A keylogger records every keystroke made on a system, capturing passwords, credit card numbers, and other sensitive data. It can be hardware-based (physical device between keyboard and computer) or software-based (runs as a process). Software keyloggers often hook into the keyboard driver or use API hooks.

Cryptominer

Cryptomining malware uses the victim's CPU/GPU resources to mine cryptocurrencies without consent. It can degrade performance and increase electricity costs. Some variants are browser-based (cryptojacking scripts) or executable files.

Rogue Security Software

Also called scareware, this malware pretends to be antivirus or security software and displays fake alerts claiming the system is infected. It then demands payment to remove nonexistent threats. It often uses aggressive pop-ups and may lock the browser.

Malware Infection Vectors

Email attachments: Phishing emails with infected attachments (e.g., .docm, .exe, .zip).

Downloads: Infected software from untrusted sites.

Removable media: USB drives with autorun.inf or infected files.

Network exploits: Worms exploiting unpatched services.

Social engineering: Tricking users into running malicious code.

Drive-by downloads: Visiting a compromised website that automatically downloads malware.

Malware Removal Process (CompTIA A+ Recommended Steps)

1. Identify symptoms: Slow performance, pop-ups, unexpected network activity, file changes, disabled security tools.

2. Quarantine the system: Disconnect from the network to prevent spread.

3. Disable System Restore: Prevents infected restore points from being restored later.

4. Boot into Safe Mode: Prevents most malware from loading.

5. Run antivirus/anti-malware scans: Use updated tools like Windows Defender, Malwarebytes.

6. Use specialized removal tools: For specific malware (e.g., Kaspersky TDSSKiller for rootkits).

7. Check for rootkits: Use a rootkit scanner or boot from rescue media.

8. Restore files from backup: If ransomware encrypted files.

9. Update software and OS: Patch vulnerabilities.

10. Educate the user: Prevent future infections.

Prevention

Keep OS and software updated.

Use reputable antivirus and firewall.

Be cautious with email attachments and links.

Avoid downloading from untrusted sources.

Enable User Account Control (UAC).

Use strong passwords and multi-factor authentication.

Regularly back up important data.

Exam Tips

Know the difference between virus, worm, and Trojan: virus needs host, worm self-propagates, Trojan disguises.

Ransomware often uses encryption; decryption may not be possible.

Rootkits require boot-time scanning or reinstall.

Adware and spyware often come bundled; removal tools like AdwCleaner are useful.

Botnets are used for DDoS and spam; infected systems may have high bandwidth usage.

Rogue security software uses scare tactics.

Cryptominers cause high CPU usage.

Always disable System Restore before removal to avoid reinfection.

Safe Mode loads minimal drivers; some malware may still load.

For stubborn malware, use a bootable rescue disk.

Walk-Through

1. Identify Malware Symptoms

The first step is recognizing signs of infection. Common symptoms include: system slowdown, frequent crashes, unexpected pop-ups, browser redirects, disabled security software, unusual network activity, and new unknown files. On the exam, you may be given a scenario describing these symptoms. For example, a user reports that their antivirus is disabled and they cannot re-enable it—this is a classic sign of malware (often a Trojan or rootkit). Document all symptoms to guide removal.

2. Quarantine the Infected System

Immediately disconnect the computer from the network (unplug Ethernet or disable Wi-Fi) to prevent malware from spreading to other devices or communicating with a command-and-control server. If the malware is ransomware, this may also prevent further encryption of network shares. For removable media, disconnect any USB drives. In a corporate environment, you may also disable the user's network port at the switch.

3. Disable System Restore

System Restore can contain infected restore points. If you clean the system and then restore from an infected point, the malware returns. Right-click 'This PC' > Properties > System Protection > Configure > Disable System Protection. On Windows 10/11, you can also use the System Protection tab to delete all restore points. This step is critical before scanning.

4. Boot into Safe Mode

Safe Mode loads only essential drivers and services, which prevents many types of malware from starting. To boot into Safe Mode, press F8 during startup (legacy) or use Shift + Restart from the login screen. In Safe Mode, you can run antivirus scans without interference. Some rootkits may still load in Safe Mode; for those, use a rescue disk.

5. Run Antivirus and Anti-Malware Scans

Use updated scanning tools. For the exam, know Windows Defender (now Microsoft Defender Antivirus) and third-party tools like Malwarebytes. Perform a full scan, not a quick scan. If malware is detected, choose to quarantine or delete. After removal, run a second scan to ensure the system is clean. For stubborn infections, use offline scanning with Windows Defender Offline or a bootable rescue disk.

6. Restore Files from Backup

If malware (especially ransomware) has encrypted or deleted files, restore them from a known clean backup. Ensure the backup is offline or disconnected during the restoration to avoid reinfection. If no backup exists, data loss may be permanent. On the exam, the correct answer for ransomware is often 'Restore from backup' rather than paying the ransom.
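The removal procedure above (the numbered removal list earlier in the chapter and walk-through steps 2 to 5) as one PowerShell script. This is an added example, not the chapter's own material; it assumes Windows PowerShell 5.1 in an elevated session on a Windows 10/11 host with Microsoft Defender, and the adapter name "Ethernet" and drive "C:\" are placeholders to adjust. Step numbers in the comments refer to the numbered removal list.

```powershell
<#
 Added example, not part of the original chapter: scripts the removal
 procedure on a Windows 10/11 host. Needs Windows PowerShell 5.1 (the
 *-ComputerRestore cmdlets are not in PowerShell 7) run as Administrator.
 $AdapterName and $Drive are assumptions; change them for the machine.
#>
param(
    [string]$AdapterName = "Ethernet",  # assumption: NIC to take offline
    [string]$Drive       = "C:\",       # assumption: system drive
    [switch]$SafeModeNextBoot,          # make the next reboot a Safe Mode boot
    [switch]$OfflineScan                # reboot into Microsoft Defender Offline
)

# Step 2 - Quarantine: take the host off the network first so it can neither
# spread nor reach a command-and-control server. Enable-NetAdapter undoes this.
Disable-NetAdapter -Name $AdapterName -Confirm:$false -ErrorAction SilentlyContinue
Write-Host "Isolated: adapter '$AdapterName' disabled."

# Step 3 - Disable System Restore and delete existing restore points so a
# later restore cannot bring the infection back.
Disable-ComputerRestore -Drive $Drive
$volume = $Drive.TrimEnd('\')           # vssadmin expects "C:", not "C:\"
vssadmin delete shadows /for=$volume /all /quiet | Out-Null
Write-Host "System Restore disabled on $volume; restore points removed."

# Step 4 - Safe Mode: one-time minimal boot (same result as Shift + Restart).
# Defender's service may not be available in Safe Mode; run a third-party
# scanner there, or use -OfflineScan for a scan from outside the OS.
if ($SafeModeNextBoot) {
    bcdedit /set "{current}" safeboot minimal | Out-Null
    Write-Host "Next boot enters Safe Mode. Undo: bcdedit /deletevalue {current} safeboot"
    return
}

# Step 7 - Rootkits and other stubborn infections: scan before Windows loads.
if ($OfflineScan) {
    Start-MpWDOScan                     # reboots into Microsoft Defender Offline
    return
}

# Step 5 - Full scan (not a quick scan) with current signatures. The host is
# isolated, so the update may fail; copy definitions in from a clean machine.
try   { Update-MpSignature -ErrorAction Stop }
catch { Write-Warning "Signature update failed (host is offline): $_" }
Start-MpScan -ScanType FullScan

# Report detections; items Defender already quarantined show IsActive = False.
$threats = Get-MpThreat
if ($threats) {
    $threats | Select-Object ThreatName, SeverityID, IsActive, Resources |
        Format-Table -AutoSize
} else {
    Write-Host "No threats reported. Run a second full scan to confirm the host is clean."
}

# After cleanup: turn System Protection back on and take a clean baseline
# restore point, then reconnect the host and apply pending updates (step 9).
Enable-ComputerRestore -Drive $Drive
Checkpoint-Computer -Description "Clean baseline after malware removal"
```

Run it once to isolate and scan, with -SafeModeNextBoot or -OfflineScan when the first full scan does not clear the infection.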

What This Looks Like on the Job

Enterprise Scenario 1: Ransomware Attack on a Hospital

A hospital's IT department receives alerts of encrypted files on multiple servers. The ransomware (e.g., Ryuk) has spread via phishing emails. The incident response team immediately isolates affected systems by disabling network ports at the switch. They do not pay the ransom. Instead, they restore servers from offline backups (taken daily). Endpoints are wiped and reimaged. The root cause is traced to a user who opened a malicious macro in a Word document. Post-incident, the hospital enforces macro security policies, deploys email filtering, and conducts user awareness training. The exam may ask about the first step—quarantine—or the best recovery method—backups.

Enterprise Scenario 2: Botnet Infection in a Corporate Network

A company notices unusual outbound traffic from several workstations to an unknown IP address. The security team identifies a botnet infection (e.g., ZeroAccess). The malware was installed via a Trojan downloaded from a fake software site. The team uses endpoint detection and response (EDR) tools to isolate the hosts. They run rootkit scanners and remove the malware. The command-and-control server is blocked at the firewall. Affected systems are rebuilt from a clean image. The exam might test knowledge of botnet indicators: high network traffic, unknown processes, and firewall logs showing connections to suspicious IPs.
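A first-pass triage for the indicators this scenario lists (tampered antivirus, unknown processes, connections to unfamiliar external addresses), written as an added PowerShell example that is not part of the chapter. It assumes Windows PowerShell 5.1 in an elevated session on Windows 10/11; the set of directories treated as normal install locations ($TrustedRoots) is an assumption to tune for the environment.

```powershell
<#
 Added example, not part of the original chapter: first-pass check for the
 botnet/Trojan indicators in the scenario - security tooling turned off, and
 established outbound connections owned by processes that are unsigned or
 run from outside the Windows and Program Files trees.
 Assumes Windows 10/11, Windows PowerShell 5.1, elevated session.
 $TrustedRoots (paths treated as normal) is an assumption to tune.
#>
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

# Symptom check: disabled real-time protection or stale signatures is a
# classic sign that malware has tampered with the antivirus.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureLastUpdated, AntivirusSignatureAge |
    Format-List

# Private, loopback and link-local ranges are not candidate C&C addresses.
function Test-PrivateIPv4 {
    param([string]$Ip)
    return [bool]($Ip -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

$findings = foreach ($conn in Get-NetTCPConnection -State Established) {
    $remote = $conn.RemoteAddress
    if ($remote -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }   # IPv4 only
    if (Test-PrivateIPv4 $remote) { continue }

    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc -or -not $proc.Path) { continue }   # system/kernel-owned sockets

    $inTrustedDir = $false
    foreach ($root in $TrustedRoots) {
        if ($proc.Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $inTrustedDir = $true
        }
    }
    $sig = Get-AuthenticodeSignature -FilePath $proc.Path

    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    if (-not $inTrustedDir)      { $reasons += 'unusual install path' }
    if ($reasons.Count -eq 0)    { continue }

    [pscustomobject]@{
        Process = $proc.ProcessName
        PID     = $proc.Id
        Path    = $proc.Path
        Remote  = "${remote}:$($conn.RemotePort)"
        Reason  = $reasons -join '; '
    }
}

if ($findings) {
    $findings | Sort-Object Remote | Format-Table -AutoSize
    # Next steps per the chapter: isolate the host, block the remote
    # addresses at the firewall, then scan (including a rootkit scan).
} else {
    Write-Host "No unsigned or out-of-place processes with external connections."
}
```

A hit here is a lead, not a verdict: confirm it against firewall logs and EDR data before rebuilding the host.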

Enterprise Scenario 3: Rootkit on a Point-of-Sale System

A retail chain's POS system is compromised with a kernel rootkit that steals credit card data. The rootkit hides its process from Task Manager. Standard antivirus scans fail to detect it. The IT team boots from a trusted Linux live USB and runs a rootkit scanner (e.g., chkrootkit). They find the rootkit in the MBR. The solution is to wipe the hard drive and reinstall the OS from a known clean source. The exam may emphasize that rootkits often require boot-time scanning or a full reinstall.

How 220-1102 Actually Tests This

Exam Focus for 220-1102 Domain 2.1 (Malware Types and Removal)

The CompTIA A+ 220-1102 exam tests your ability to identify malware types and apply the correct removal procedures. This falls under Objective 2.1: 'Identify common security threats and vulnerabilities.' Expect 2-3 questions directly on malware types and removal steps. Key points:

1. Common Wrong Answers and Why Candidates Choose Them

- Paying the ransom for ransomware: Candidates think this is the quickest fix. Wrong—there is no guarantee the attacker will decrypt files, and it encourages more attacks. The correct answer is to restore from backup.

- Running antivirus in normal mode: Candidates may not know to boot into Safe Mode first. In normal mode, malware can hide from scanners. Always boot into Safe Mode or use offline scanning.

- Reinstalling the OS immediately: While effective, it is not the first step. The exam expects a methodical approach: quarantine, disable restore, safe mode, scan. Reinstall is a last resort.

- Disabling System Restore after scanning: Candidates may skip this step. If you scan and then restore, malware returns. Disable System Restore first.

2. Specific Numbers and Values

- Know that ransomware often demands payment in Bitcoin.

- WannaCry used the EternalBlue exploit (MS17-010).

- CryptoLocker was a prominent ransomware in 2013.

- Rootkits often target the MBR or kernel.

- Polymorphic viruses change their code signature every replication.

- Macro viruses are common in Office documents (.docm).

3. Edge Cases and Exceptions

- Some malware (e.g., rootkits) can survive Safe Mode. In such cases, use a bootable rescue disk (e.g., Windows Defender Offline).

- Ransomware may also delete backups if they are accessible from the infected system—always keep offline backups.

- Spyware and adware often come bundled with free software; users must read installation prompts carefully.

- Logic bombs are often planted by insiders; they trigger on specific conditions (e.g., employee termination date).

4. How to Eliminate Wrong Answers

- If a question asks for the first step, look for 'disconnect from network' or 'quarantine.'

- If a question asks about removing malware, ensure the answer includes 'Safe Mode' or 'boot into Safe Mode.'

- If a question mentions 'encrypted files,' the answer is likely ransomware; the solution is restore from backup.

- If a question describes hidden processes or files, think rootkit; removal often requires boot-time scanning or reinstall.

Key Takeaways

Malware types for 220-1102: virus, worm, Trojan, ransomware, spyware, adware, rootkit, botnet, logic bomb, keylogger, cryptominer, rogue security software.

Viruses require a host and human action; worms self-propagate; Trojans disguise as legitimate software.

Ransomware recovery: restore from backup; never pay the ransom.

Rootkits hide deep in the OS; removal often requires boot-time scanning or full reinstall.

Malware removal steps: quarantine, disable System Restore, boot into Safe Mode, run scans, restore from backup if needed.

Phishing emails are a common vector for malware; never open unknown attachments.

Keep software updated to patch vulnerabilities exploited by worms and other malware.

Use offline backups to protect against ransomware that can delete online backups.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Virus

Requires a host file to attach to.

Needs human action (e.g., opening file) to spread.

Often spreads via infected email attachments or downloads.

Can be file infector, boot sector, or macro.

Removal: antivirus scan in Safe Mode.

Worm

Self-contained; does not need a host file.

Spreads automatically without user intervention.

Exploits network vulnerabilities or uses email to replicate.

Consumes network bandwidth and system resources.

Removal: patch vulnerability, antivirus scan, network isolation.

Ransomware

Encrypts files or locks the system.

Demands payment for decryption.

Often spreads via phishing emails or exploit kits.

Removal: isolate, restore from backup; paying not recommended.

May also steal data (doxware).

Spyware

Monitors user activity and collects data.

Does not encrypt files or demand ransom.

Often bundled with free software or installed via drive-by download.

Removal: anti-spyware tools, browser reset, removal of suspicious programs.

Can include keyloggers and screen capture.

Watch Out for These

Mistake

Antivirus software can remove all types of malware.

Correct

Antivirus is effective against many viruses, worms, and Trojans, but rootkits and some ransomware may evade detection. Specialized tools or boot-time scans are needed for rootkits. Ransomware may require file restoration from backup, not just antivirus removal.

Mistake

Paying the ransom guarantees you get your files back.

Correct

There is no guarantee. Attackers may take the money and not provide decryption keys, or the decryption may fail. Law enforcement recommends not paying. The correct approach is to restore from backups.

Mistake

Malware only enters through the internet.

Correct

Malware can also spread via removable media (USB drives), infected software installations, network shares, or even physical access. The exam includes scenarios with USB autorun infections.

Mistake

Safe Mode prevents all malware from loading.

Correct

Safe Mode loads minimal drivers, but some rootkits and kernel-level malware can still load. For stubborn infections, use a bootable rescue disk or offline scanning.

Mistake

A virus and a worm are the same thing.

Correct

A virus requires a host file and human action to spread. A worm is self-contained and self-propagates using network vulnerabilities or email. Worms do not need to attach to files.


Frequently Asked Questions

What is the first step when dealing with a malware infection?

The first step is to quarantine the system by disconnecting it from the network. This prevents the malware from spreading to other devices and stops communication with command-and-control servers. On the exam, always choose 'disconnect from network' or 'isolate the system' as the initial action.

Should I pay the ransom if ransomware encrypts my files?

No, you should not pay the ransom. There is no guarantee the attacker will decrypt your files, and paying encourages further attacks. The correct response is to restore files from a clean backup. If no backup exists, data may be lost. Law enforcement advises against paying.

How do I remove a rootkit?

Rootkits are difficult to remove because they hide from the OS. Standard antivirus may not detect them. Use a bootable rescue disk (e.g., Windows Defender Offline) or a specialized rootkit scanner (e.g., Kaspersky TDSSKiller). In many cases, the safest option is to back up data and perform a clean OS reinstall.

What is the difference between a virus and a worm?

A virus attaches to a host file and requires user action (e.g., opening an infected file) to spread. A worm is a standalone program that self-replicates and spreads automatically, often exploiting network vulnerabilities. Worms do not need a host file or user interaction.

Why disable System Restore before removing malware?

System Restore can contain infected restore points. If you remove the malware and later restore from an infected point, the malware returns. Disabling System Restore deletes all restore points, ensuring the system starts clean after removal.

What is a Trojan horse?

A Trojan horse is malware that disguises itself as legitimate software. Unlike viruses and worms, it does not self-replicate. It often creates backdoors (Remote Access Trojan), steals data (banking Trojan), or downloads other malware. Trojans rely on users willingly installing them.

How can I prevent malware infections?

Prevention includes: keeping OS and software updated, using reputable antivirus and firewall, being cautious with email attachments and links, avoiding downloads from untrusted sources, enabling User Account Control (UAC), using strong passwords, and regularly backing up data. User education is key.

