How to read and understand Malware names

Confused about what your antivirus detected on your computer? You are not alone. This guide will try to shed some light on what the different names mean and how to get more information about a parasite. Malware detection names are never user-friendly, and in many cases the makers try to convince you that they did a great job detecting the malware and think that is enough.

The problem with this is the following: antivirus vendors forget or ignore that you might need more information about the parasite. A bare detection name is not enough in many cases:

  1. How do you decide whether the infection compromised some data?
  2. What if it is a false positive or a questionable program?
  3. What if the problem reappears constantly?

That is why one needs to know and understand the terms one gets from anti-malware makers and how the parasite might be named in other sources.

How do anti-malware makers name parasites?

The truth is that there are many ways a parasite name is constructed. The name is rarely user-friendly and serves only to identify the parasite in the antivirus database. However, most antivirus vendors want to sort their data properly so that related parasites are named similarly, as this helps their research. Thus, typically, each detection name has from 2 to 5 different parts:

  1. Function of the malware (Backdoor, Adware, Spyware, Agent/Generic, Downloader, Rogue, Hijacker, etc.). This part defines what the parasite will do on your system and what symptoms you will see. Note that some antivirus products use a coarser classification and some use finer ones. A special mention goes to HEUR or Behavioral detections, which mean that the parasite is not known and is suspected only because of some sort of possibly malicious code it uses.
  2. Platform or OS it runs on (Win32/W32, OSX, Android, Symbian, JS/HTML, Linux, etc.). This shows where the particular virus can run. However, this does not mean the parasite is prevented from infecting different platforms. So, for example, JS.Injector might try to install Windows or Mac trojans, but it can do so only if you view the infected page.
  3. Way of distribution (Virus, Trojan, Worm). While viruses infect files, trojans replace or mimic good files, and worms try to install themselves using various vulnerabilities. There is a special case of Potentially Unwanted Programs (PUP, PUA, "Not a virus" or bundle), which refers to programs that are installed by people themselves but have unwanted functions or might be falsely advertised. While this information is important for both antivirus makers and malware victims, it is less important than the function part, even though it is used more often.
  4. "User-friendly" name of the family. While some AV makers omit it, others include some sort of name for the malware group. Typically, this references some sort of symptom or a string from the malware file. Sometimes a name from another anti-malware tool's database is adopted. Typically, this is one of the last parts in the full parasite name.
  5. The version of the particular parasite, if many versions exist. Typically, it is the last part of the parasite name.

Some examples:

Trojan.Generic, Trojan.Agent or Trojan.Win32 – a Trojan parasite without any specific information about family or function. Obviously, for more information you will have to scan with a different tool or upload the file to VirusTotal or a similar online scanning service. It might be a false positive as well.

W32.Downadup.b – a Windows 32-bit parasite from the Downadup family, version B.
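As an added example (not code from the original guide or from any antivirus vendor), the parser below applies the five-part structure listed above to names like the two just shown: it splits a detection name on the separators commonly seen in such names (`.`, `/`, `:`, `!`), labels each token using small vocabularies built from the function, platform and distribution words the guide mentions, and treats whatever is left as family and variant by position. The separator set, the vocabularies, and sample names such as `Examplefam` and `Bundler` are assumptions for illustration; real vendors use larger and differing token lists. It goes a little beyond the two examples above by also recognising heuristic (HEUR) and PUP/PUA prefixes, and it flags names that carry no family information, which is exactly the "you will have to scan with a different tool" case.

```python
"""Illustrative parser for antivirus detection names (added example, not a vendor scheme)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hand-written vocabularies from the tokens the guide lists. Assumption: real
# vendors use larger lists, and the same word can sit in a different slot.
FUNCTION_TOKENS = {"backdoor", "adware", "spyware", "downloader", "rogue", "hijacker"}
HEURISTIC_TOKENS = {"heur", "behavioral"}          # suspected, not known
GENERIC_TOKENS = {"agent", "generic"}              # no family information
PLATFORM_TOKENS = {"win32", "w32", "osx", "android", "symbian", "js", "html", "linux"}
DISTRIBUTION_TOKENS = {"virus", "trojan", "worm"}
PUP_TOKENS = {"pup", "pua", "not-a-virus", "bundle"}

SEPARATORS = re.compile(r"[./:!]")                 # assumed separator set
# A variant is a short trailing token: "b", "abc", "12345", "ab12" (assumption).
VARIANT_RE = re.compile(r"^(?:[a-z]{1,4}|\d+|[a-z]{1,2}\d{1,6})$", re.IGNORECASE)


@dataclass
class DetectionName:
    raw: str
    function: Optional[str] = None       # what it does (Backdoor, Adware, ...)
    heuristic: bool = False              # HEUR / Behavioral detection
    generic: bool = False                # Agent / Generic marker
    platform: Optional[str] = None       # Win32, OSX, JS, ...
    distribution: Optional[str] = None   # Virus, Trojan, Worm or PUP
    family: Optional[str] = None
    variant: Optional[str] = None
    unknown: List[str] = field(default_factory=list)  # tokens we could not place

    @property
    def needs_more_info(self) -> bool:
        """True when the name alone cannot tell you what the parasite does:
        no family, or a generic/heuristic detection."""
        return self.family is None or self.generic or self.heuristic


def parse_detection_name(name: str) -> DetectionName:
    """Label each token of a detection name; unlabelled tokens become family/variant."""
    result = DetectionName(raw=name)
    leftovers: List[str] = []
    for token in SEPARATORS.split(name.strip()):
        if not token:
            continue
        key = token.lower()
        if key in FUNCTION_TOKENS and result.function is None:
            result.function = token
        elif key in HEURISTIC_TOKENS:
            result.heuristic = True
        elif key in GENERIC_TOKENS:
            result.generic = True
        elif key in PLATFORM_TOKENS and result.platform is None:
            result.platform = token
        elif key in DISTRIBUTION_TOKENS and result.distribution is None:
            result.distribution = token
        elif key in PUP_TOKENS and result.distribution is None:
            result.distribution = "PUP"
        else:
            leftovers.append(token)

    # Family is the first unlabelled token; a short trailing token is the variant.
    if len(leftovers) >= 2:
        result.family = leftovers[0]
        tail = leftovers[-1]
        if VARIANT_RE.match(tail):
            result.variant = tail
            result.unknown = leftovers[1:-1]
        else:
            result.unknown = leftovers[1:]
    elif len(leftovers) == 1:
        token = leftovers[0]
        # "Trojan.Win32.Agent.abc": generic marker plus a short token is a variant, not a family.
        if result.generic and VARIANT_RE.match(token):
            result.variant = token
        else:
            result.family = token
    return result


if __name__ == "__main__":
    # Constructed sample names; Examplefam and Bundler are placeholders, not real families.
    for sample in ["Trojan.Generic", "W32.Downadup.b", "Trojan.Win32.Agent.abc",
                   "HEUR:Trojan.Win32.Generic", "PUA:Win32/Bundler",
                   "Backdoor.Win32.Examplefam.cab"]:
        d = parse_detection_name(sample)
        print(f"{sample:30} family={d.family} variant={d.variant} "
              f"needs_more_info={d.needs_more_info}")
```

The `needs_more_info` flag is the practical output: a name that parses to a family and variant (W32.Downadup.b) can be looked up directly, while a generic, heuristic or family-less name (Trojan.Generic, HEUR:Trojan.Win32.Generic) should be taken to a second scanner or an online service before you trust what it tells you.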

While many antivirus vendors publish their databases online, the best way to investigate a detection is to narrow down the malware family and try to find human-readable information about it. In complex cases this can be done by uploading the parasite to VirusTotal or by searching for information by parasite family.
