Malware Types Explained for CompTIA A+: Viruses, Ransomware, Trojans and More

Why Malware Types Matter on the CompTIA A+ Exam

If you’re studying for the CompTIA A+ 220-1202 (Core 2) exam, understanding malware types is non-negotiable. The Security domain makes up 26% of your Core 2 score, and malware identification is one of the most consistently tested areas within it. With a passing score of 700 out of 900 and up to 90 questions to answer in 90 minutes, you can’t afford to guess on malware questions. Let’s break down exactly what the exam tests and how to recognize each threat.

The Malware Types You Must Know for CompTIA A+

The exam doesn’t just want you to recognize names. It expects you to understand how each threat behaves, how it spreads, and what distinguishes it from similar threats. Here’s your comprehensive breakdown.

Viruses

A virus is malicious code that attaches itself to a legitimate file or program and requires human action to spread — such as opening an infected file or running an executable. Once activated, it can corrupt data, slow down systems, or deliver a payload. The key characteristic that sets viruses apart is their need for a host file and user interaction to propagate.

Worms

Unlike viruses, worms self-replicate and spread across networks without any user interaction. They exploit vulnerabilities in operating systems, applications or exposed network services to move from machine to machine, which is why unpatched systems are their favourite targets. A worm’s damage often comes from consuming bandwidth and system resources rather than directly destroying files, but a worm can also carry a payload: the 2017 WannaCry attack exploited an unpatched Windows SMB vulnerability to spread ransomware to more than 200,000 systems in over 150 countries within a day.

Trojans

A Trojan disguises itself as legitimate software to trick users into installing it. Once inside, it can open backdoors, steal credentials, or download additional malware. Trojans don’t self-replicate — they rely entirely on social engineering and deception. The exam will often present scenarios where a user downloads what appears to be a free utility, only to have their system compromised. That’s a Trojan.

Ransomware

Ransomware encrypts a victim’s files or locks them out of their system and demands payment, typically in cryptocurrency, for the decryption key. It’s one of the most damaging and prevalent threats in modern IT environments. The CompTIA A+ exam expects you to recognize ransomware symptoms: documents suddenly renamed with an unfamiliar extension and refusing to open, ransom notes appearing on screen or dropped into every affected folder, and users losing access to their own data. Prevention strategies include regular, tested backups kept offline or otherwise unreachable from user machines (ransomware deliberately encrypts any backup it can reach), keeping systems patched, and user awareness training. When ransomware is suspected, the first response step is to quarantine the machine by disconnecting it from the network so it cannot spread to shared drives and other hosts.
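The symptoms above are what a technician sees on screen; an endpoint monitoring tool looks for the same two things at once, a burst of documents renamed to an extension nobody uses and a freshly dropped note that promises to "restore" the data. The Python below is an added example, not code from this page or from CompTIA, showing that detection logic over a constructed list of file events. The extension lists, note-name markers, time window and rename threshold are assumptions to tune for your own environment.

```python
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed lists for this example: file types a typical office user works with,
# and name fragments commonly seen in ransom notes. Tune both for your environment.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}
RANSOM_NOTE_MARKERS = ("readme", "decrypt", "restore", "recover", "how_to")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as a monitoring agent might report it."""
    ts: int                      # seconds since epoch
    kind: str                    # "rename" or "create"
    name: str                    # original name (rename) or created name (create)
    new_name: Optional[str] = None


def ext_of(name: str) -> str:
    """Lower-cased final extension, e.g. 'report.docx.locked' -> '.locked'."""
    return os.path.splitext(name)[1].lower()


def looks_like_ransom_note(name: str) -> bool:
    """A text/HTML file whose name promises to 'restore' or 'decrypt' data."""
    base, ext = os.path.splitext(os.path.basename(name).lower())
    return ext in NOTE_EXTENSIONS and any(marker in base for marker in RANSOM_NOTE_MARKERS)


def max_in_window(times: List[int], window: int) -> int:
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:   # slide the left edge forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(events: List[FileEvent], window: int = 300, threshold: int = 20) -> Dict:
    """Flag bursts of document renames to unknown extensions plus dropped ransom notes."""
    renames_by_ext: Dict[str, List[int]] = defaultdict(list)
    notes: List[str] = []
    for ev in events:
        if ev.kind == "rename" and ev.new_name is not None:
            old_ext, new_ext = ext_of(ev.name), ext_of(ev.new_name)
            # Only a known document type turning into an unknown extension counts.
            if old_ext in KNOWN_EXTENSIONS and new_ext and new_ext not in KNOWN_EXTENSIONS:
                renames_by_ext[new_ext].append(ev.ts)
        elif ev.kind == "create" and looks_like_ransom_note(ev.name):
            notes.append(ev.name)

    bursts: Dict[str, int] = {}
    for new_ext, times in renames_by_ext.items():
        count = max_in_window(times, window)
        if count >= threshold:
            bursts[new_ext] = count

    if bursts and notes:
        verdict = "ransomware_likely"   # both symptoms together
    elif bursts or notes:
        verdict = "investigate"         # one symptom alone: could be a bulk tool or a stray file
    else:
        verdict = "clean"
    return {"verdict": verdict, "burst_extensions": bursts, "ransom_notes": notes}


def sample_events() -> List[FileEvent]:
    """Constructed data: 25 documents renamed to .locked in under a minute,
    a ransom note dropped, and two ordinary renames that must not trip the check."""
    events = [FileEvent(1000 + 2 * i, "rename", f"report_{i}.docx", f"report_{i}.docx.locked")
              for i in range(25)]
    events.append(FileEvent(1060, "create", "HOW_TO_RESTORE_FILES.txt"))
    events.append(FileEvent(1100, "rename", "draft.docx", "draft_final.docx"))   # known -> known
    events.append(FileEvent(1110, "rename", "photo.jpg", "photo.jpeg"))          # one odd rename
    return events


if __name__ == "__main__":
    print(triage(sample_events()))
```

Requiring both symptoms before calling it "ransomware_likely" is deliberate: a migration or archiving tool can legitimately rename hundreds of files in a minute, and a user can create a file called README.txt, so either signal on its own only earns an "investigate" verdict rather than an automatic quarantine.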

Spyware and Adware

Spyware silently monitors user activity — keystrokes, browsing habits, login credentials — and transmits that data to a third party without the user’s knowledge or consent. Adware is closely related but focuses on serving unwanted advertisements. While adware is sometimes considered less dangerous, it can degrade performance significantly and often serves as a delivery mechanism for spyware. Both are commonly bundled with free software downloads.

Rootkits

A rootkit is one of the stealthiest forms of malware. It embeds itself deep within the operating system, sometimes at the kernel level, to gain persistent, privileged access while hiding its presence from standard security tools. Because a kernel-level rootkit can alter the very system calls that antivirus software uses to list files and processes, a scan run from inside the infected OS may report nothing wrong. Rootkits are notoriously difficult to detect and remove. The exam may present scenarios where antivirus software misses a threat or where a system behaves abnormally even after apparent disinfection, both classic rootkit behavior. Remediation usually means scanning from a trusted environment, such as booting from external media, or a complete OS reinstallation.

Keyloggers

A keylogger records every keystroke a user makes, capturing passwords, credit card numbers, and sensitive communications. Keyloggers can be software-based (delivered via malware) or hardware-based (a physical device plugged inline between the keyboard and the computer, or built into a replacement keyboard). For the A+ exam, know that physical keylogger inspection is part of a security audit checklist: check the USB and PS/2 ports on the back of machines in secure environments, and pay special attention to kiosks and shared workstations that many people can reach.

Botnets and Zombies

When a system is infected and brought under remote attacker control, it becomes a zombie. A network of these compromised machines is called a botnet. Attackers use botnets to launch distributed denial-of-service (DDoS) attacks, send spam, or mine cryptocurrency — all without the device owner’s knowledge. The infected machines do the work while the attacker remains hidden.

Logic Bombs

A logic bomb is malicious code that remains dormant until a specific condition is met — a date, a login event, or the deletion of a particular user account. It’s often planted by insiders with system access. Logic bombs are tested on the A+ exam within the context of insider threats and security policy violations.

Physical Security and Malware: The Connection the Exam Tests

The CompTIA A+ Security domain doesn’t treat malware in isolation — it connects digital threats to physical security controls. Consider this: a hardware keylogger can’t be stopped by antivirus software. Preventing it requires physical access controls. The exam expects you to know that tools like badge readers authenticate users before granting access to server rooms, limiting who can physically interact with hardware. Similarly, workstations in public-facing environments should be checked regularly for unauthorized physical devices.

Test Your Knowledge

Let’s put your understanding to the test with two exam-style questions similar to what you’ll encounter on the 220-1202.

Question 1: A technician discovers that a company’s server room was accessed overnight by an unknown individual who installed a hardware device on one of the workstations. Which security control, if implemented, would have best prevented this unauthorized physical access?

  • A) Installing updated antivirus software
  • B) Enabling full-disk encryption on all servers
  • C) Requiring badge authentication to enter the server room
  • D) Configuring a host-based firewall

Answer: C — Badge authentication. Antivirus and firewalls are digital controls that can’t stop a person from physically entering a room. Badge readers verify identity before granting physical access, which is the appropriate control here. This is exactly the kind of scenario the Security domain tests — matching the right control to the right threat.

Question 2: A user reports that all of their documents now have a strange file extension and they cannot open them. A message on screen is demanding payment to restore access. Which type of malware is responsible?

  • A) Spyware
  • B) Rootkit
  • C) Ransomware
  • D) Logic bomb

Answer: C — Ransomware. The symptoms are textbook: file encryption, unfamiliar extensions, and a ransom demand. Spyware operates silently without locking files. A rootkit hides itself. A logic bomb waits for a trigger condition. Ransomware is the only one that actively encrypts data and demands payment.
