Skip to main content

CompTIA A+

Malware Essentials

25 min read

CompTIA A+ Core 2 (220-1202), Domain 2, Objective 2.4 focuses on malware, software that harms a device, steals data, or takes control without permission. Malware matters because it can slow a PC, expose passwords, encrypt files for payment, or spy on daily activity. For IT support, it also drives outages, repeat tickets, and lost user trust.

In this section, you'll learn the main malware types you're expected to recognize, including Trojan, rootkit, virus, spyware, ransomware, keylogger, boot sector virus, cryptominer, stalkerware, and fileless malware. You'll also see how these threats commonly enter systems, what symptoms they cause, and why some are hard to spot.

Next, you'll review practical ways to detect and confirm an infection (for example, suspicious processes, unexpected encryption, browser changes, or abnormal CPU use). Finally, you'll cover removal and prevention steps, such as safe scanning, isolation, updates, least privilege, and user habits that reduce reinfection.

This maps directly to help desk work, like cleaning an infected PC, restoring safe access, and stopping the same malware from coming back.

How Malware Spreads

CompTIA A+ Core 2 (220-1202), Domain 2, Objective 2.4 expects you to understand what malware is and how it reaches a device. Malware is any software built to harm, spy, steal, or gain control without clear permission. In practice, it rarely "breaks in" by force. Instead, it slips in through normal actions like clicking a link, installing an app, or signing in to a fake page.

Most infections start with a weak point in either human behavior or software trust. Attackers take advantage of habits, such as rushing through prompts, reusing passwords, or assuming a familiar logo means safety. This affects Windows PCs, but it also affects Macs, Chromebooks, and especially mobile devices, where apps, profiles, and links can carry real risk.

Common ways malware spreads

Malware spreads through a few repeatable pathways. Once you know them, you start noticing patterns in real tickets and user stories.

A key idea is social engineering, which means tricking a person into doing something unsafe. It works because people rely on shortcuts, trust familiar brands, and respond fast under stress (for example, "your account will be locked in 10 minutes"). Attackers design messages to push urgency, curiosity, or fear.

Here are the most common routes:

  • Phishing links and attachments: A message (email, text, chat, or social DM) tries to get you to click a link or open a file. The link may lead to a credential-stealing page, while the attachment may run a malicious macro or drop a Trojan.
  • Drive-by downloads: A compromised site (or a risky one) triggers a download or exploit when you visit. Sometimes it abuses an unpatched browser, plug-in, or script engine.
  • Malicious ads (malvertising): Ads can redirect you to unsafe pages or push fake installers. This can happen even on legitimate sites if the ad network is abused.
  • Fake updates: Pop-ups claim your browser, Flash, antivirus, or phone is "out of date." The "update" installs malware instead.
  • Bundled installers: Free tools sometimes include extra "offers." If you click through quickly, you may install adware, spyware, or a browser hijacker along with the real program.
  • USB and removable media: A booby-trapped USB can launch malware through autorun tricks, hidden files, or user curiosity ("Payroll_Q4.xlsx.exe").
  • Stolen credentials leading to remote access: If attackers steal a password, they may not need to install anything at first. They can sign in through VPN, RDP, email, or cloud tools, then run malware after they gain a foothold.

A useful rule: many "malware infections" begin as a trust mistake, not a technical failure.

Mobile devices fit the same story. A fake QR code, a sideloaded app, a malicious profile, or a phishing page can infect or compromise a phone just as quickly as a PC.

Warning signs that point to an infection

Infections do not always look dramatic. Some malware stays quiet because attackers want time, access, and data. Still, many cases leave clues if you know what to watch for.

You are more likely to see a cluster of symptoms than a single clear sign. Common indicators include:

  • Slow performance that appears suddenly, especially after installing software or opening an attachment.
  • Pop-ups and fake alerts, including "Your device is infected" messages that push a download.
  • Browser redirects to unknown search pages, shopping sites, or scam warnings.
  • New toolbars or extensions you did not add, or a homepage you cannot change back.
  • Disabled security tools, such as antivirus turned off, updates blocked, or the firewall changed.
  • High CPU or GPU use when you are not doing heavy tasks (often linked to cryptominers).
  • Unknown startup items or scheduled tasks that reappear after you remove them.
  • Strange network traffic, such as constant outbound connections, spikes at idle, or connections to unfamiliar regions.
  • Files renamed or encrypted, plus new file extensions or ransom notes (classic ransomware behavior).
  • Unexpected MFA prompts, password reset emails, or login alerts, which can signal stolen credentials or session theft.

One caution matters for support work: these symptoms can overlap with normal issues. A slow PC might have a failing drive, too many startup apps, or low RAM. A browser redirect might be a bad extension, not a full infection.

Treat symptoms as evidence, not a verdict. Confirm with scans, logs, and known-good comparisons before you wipe or rebuild.

Why attackers use malware

Attackers write and deploy malware for clear payoffs. Most campaigns focus on money, data, access, or all three. Understanding the motive helps you predict what the malware will try to do next.

Common attacker goals include:

  • Stealing money: Banking Trojans, payment skimmers, and credential theft can lead straight to fraudulent charges or account takeovers.
  • Stealing data: Spyware and keyloggers collect logins, personal data, and business files. The victim may not notice until accounts get abused.
  • Spying and surveillance: Some threats monitor messages, location, microphone, or screen activity. On phones, this often overlaps with stalkerware.
  • Extortion: Ransomware encrypts files or locks systems, then demands payment. Many groups also steal data first and threaten to leak it.
  • Abusing resources: A cryptominer steals CPU or GPU time to mine cryptocurrency. The main "symptom" is heat, noise, and poor performance.
  • Building botnets: Malware can turn devices into remote-controlled nodes used for spam, credential stuffing, DDoS attacks, or malware hosting.
  • Gaining long-term control: Some threats aim for persistence and stealth. Rootkits and fileless malware try to hide, survive reboots, and resist removal.

These motives connect directly to what you will identify later. When you see encrypted files, think ransomware. When you see unexplained GPU load, think cryptominer. When you see silent data access and odd logins, think spyware or credential theft.

Malware Types

For CompTIA A+ Core 2 (220-1202), Domain 2, Objective 2.4, you need to recognize common malware types and connect each one to real symptoms. Names matter on the exam, but patterns matter even more in support work. When you can match a symptom to a malware family, you choose better next steps, such as what to isolate, what to scan first, and what evidence to preserve.

Viruses and boot sector viruses

A virus is malware that attaches to a legitimate file (or program area) and spreads when that infected host runs. This is the key difference from many other threats. A Trojan can arrive as a standalone fake app, but a virus depends on a host file and user execution. As a result, viruses often spread through shared files, email attachments, and removable media when users run what looks normal.

In practice, classic file-infecting viruses are less common today than they were years ago. Modern attackers often prefer ransomware or credential theft because those pay faster. Still, the virus concept remains testable, and you can still see "virus-like" behavior in the wild, such as malware that injects into processes or modifies executable files to persist.

A boot sector virus targets the early startup area of a disk (historically the MBR, and conceptually the boot code that runs before the operating system fully loads). Because that code runs at boot, infection can stop a PC from starting or can load malicious code before security tools even begin. Even with modern UEFI and Secure Boot reducing risk, the exam expects you to understand why boot-level malware is disruptive: it sits at the front of the line.

Common clues that fit viruses and boot sector viruses include:

  • Corrupted boot process: boot loops, "missing operating system" messages, or failures right after POST.
  • Unexpected disk errors: sudden file system warnings, read errors, or repeated disk checks on startup.
  • Modified system files: protected files failing integrity checks, strange file hashes, or system tools crashing.

When symptoms appear before the OS loads, suspect boot-related issues first, including boot-level malware, misconfigured boot order, or disk failure. Your job is to separate evidence from assumptions.

Trojans, rootkits, and fileless malware

A Trojan is malware that pretends to be legitimate. It may arrive as a "free" utility, a fake update, a cracked app, or a document that asks the user to enable macros. Unlike a virus, a Trojan does not need to attach to other files to qualify as a Trojan. The trick is social, not technical, because it relies on the victim's trust.

A rootkit focuses on stealth and control. It hides itself and often hides other threats, which makes detection and removal harder. Some rootkits operate at a deep level, such as the kernel, where they can intercept system calls and mask files, processes, or registry entries. The practical impact is simple: you may see strong signs of compromise, yet your security tools report "nothing found."

Fileless malware describes threat activity that lives in memory and uses trusted tools already on the system instead of dropping obvious executable files. Attackers often abuse built-in components like PowerShell, WMI, scheduled tasks, or Office scripting. The device can look "clean" on disk while the attacker still runs commands, steals data, or moves laterally.

These three categories overlap in real incidents. A Trojan might install a rootkit, and the rootkit may support fileless techniques for persistence. When that happens, symptoms often point to abuse of normal admin features, not to a single bad file.

Look for these simple clues:

  • Admin tools running at odd times, such as PowerShell activity late at night on a user PC.
  • Security logs cleared or audit settings changed without a valid change ticket.
  • Strange scheduled tasks with random names, odd triggers, or hidden settings.
  • Security software can't see the cause, even though the system acts compromised (browser hijacks, account lockouts, new local admins).

A useful mental model is camouflage. Trojans wear a mask, rootkits hide in the shadows, and fileless malware blends into normal system behavior. Therefore, good triage includes checking event logs, task scheduler entries, and EDR alerts, not only running a quick scan.

Spyware, keyloggers, and stalkerware

Spyware collects information without clear consent. It may track browsing, capture credentials, read messages, or gather device details for profiling. Some spyware is "commercial" in name only, since it crosses into theft once it runs without informed permission. On endpoints, spyware often arrives through bundled installers, fake browser extensions, or trojanized apps.

A keylogger captures keystrokes to steal usernames, passwords, and other sensitive text. Many keyloggers are software, yet hardware keyloggers also exist (for example, a small device placed between a keyboard plug and a PC). That hardware angle matters for troubleshooting, because wiping the OS will not remove a physical implant.

Stalkerware is a form of surveillance software used to monitor a person, often installed by someone close to the victim. It may track location, texts, call logs, photos, or social activity.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account