Author Topic: Interpreting Antivirus Detection Names  (Read 1650 times)


Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
Interpreting Antivirus Detection Names
« on: September 11, 2015, 10:26:43 pm »
This information is useful for interpreting Virustotal results or detection names of general purpose tools. By knowing the detection names you can gain information about samples and estimate the likelihood of false positives.

Name Components
 
Detection names are different for every antivirus vendor, but they usually have the same components: Platform, Type, Name and Variant. Sometimes additional information is added.

Microsoft example:

Worm:Win32/Brontok.R@mm

(Note: @mm here is a subtype for mass-mailing worms)

Bitdefender example:

Gen:Variant.Dyzap.13

Avira example:

TR/Crypt.ZPACK.177986

ESET example:

Win32/Spy.Zbot.ABW

1. Platform

This may specify the operating system and architecture the malware runs on, e.g. Unix, Win32, Win64. But it may also specify the programming language the file was written in if this language is commonly interpreted or run in a virtual machine like Java. Sometimes umbrella platforms are used, e.g. the platform can be "Generic" (no platform specified) or "Script" (for any text-like file).

Examples:
PHP
Java
Powershell
Win64
Win32
MSIL
Generic
Script

2. Malware Type

This component characterises what the malware does or how it behaves. Examples are:
Trojan
Downloader
Dropper
Spy
Virus
Worm
Application
Adware
PUP
PUA

The last four examples are not malware, but so-called potentially unwanted software. The difference from malware is that these are legal programs, but often not useful, annoying, or a risk to the user's computer.
Which programs belong to this category is highly subjective, each vendor has its own guidelines. But generally their usefulness is in no good relation to the harm, risk or annoyance they pose and most users, who have been informed about the disadvantages, will not want these programs.

If a malware has several types the most severe and specific one is used.
E.g. a malware that is adware and a trojan will get the Trojan type, because the Adware type is only for legal programs.
A malware that is a trojan and a virus, will get the Virus type, because a virus is more severe.
A malware that is a trojan and a downloader will get the Downloader type, because it is more specific.

However, this is only the case if the malware type is known to the person or program that creates the detection name.
If the type is not known, which is usually the case for automated systems that create detections, the most generic type will be used. For legal programs this is for example Application, for malware this is for example Trojan. This varies from vendor to vendor.

3. Malware Name

The malware name is usually the name of the malware family. But there are lots of occasions, when an umbrella name or a default name is used instead.
That depends on:
1. What the detection actually covers. E.g. the detection may not detect a malware family but a certain obfuscator or packer. An example is ESET's Win32/Packed.Themida detection.
2. Whether the detection was created automatically or by a malware analyst. Automatic entries are created without knowledge of the malware family or type, thus, use default names.
3. How much time the malware analyst puts into identification. If she does not spend any time on identification, she might just choose an umbrella name for a certain characteristic, e.g. Injector for a malware that injects itself into a process.
4. How significant the malware is. Malware that was written poorly and has not much impact will likely not even get a proper name. A default name or an umbrella name might be used instead, e.g. Small for a very small file.

Because of that the malware name can tell you quite different things. It may tell you the malware family, it may tell you what the detection covers and how the detection was created, it may also tell you characteristics of the file. See the sections below about default names and umbrella names.

4. Variant

Malware often evolves over time. Either because the author(s) add more functionality, change parts of its code to evade detection, or because the malware itself generates different versions while spreading. These modified versions become variants of the original malware. All variants of a malware belong to a malware family, which is denoted by the malware name.

In case of detection names however, the variant is mostly just a counter for different detections and nothing else. This counter is sometimes a number and most often appended letters. Sidenote: If the vendor uses letters, they will take care to skip obscene combinations like f*ck.

A detection in this sense is a blacklist entry, pattern, or script used by the AV product to determine malicious files. The detection name in combination with the variant tells the AV vendor which detection is behind the name. The AV vendor uses it to see how well certain detections work and solve any problems related to these detections.
For this reason the variant in detection names is usually not interesting for us. The only thing we can estimate from the variant portion of the detection name is whether the detection is an actual malware name or was created automatically (see sections below).

5. Additional Information
 
Some vendors provide additional information for certain detections. E.g. they may apply a suffix or prefix that denotes if a file was detected generically or heuristically.
The terms generic and heuristic tell something about how the decision for detecting the file was done. Both terms are covered in the sections below.
 
Default Names
 
Default names differ for each vendor, they are usually created for automatically added entries; sometimes they might be added by malware analysts if they don't want to think of a proper name. If you see a default name, you will know that the detection does not tell you anything about the malware's nature.

Typical default names are Agent or Generic. The default malware type is mostly Trojan unless it is a legal program (then it is more likely PUP or Application). The variant portion of the name often has a very high value, because these entries are generated in high numbers by automatic systems and each new entry gets a new variant.
 
Here are some examples:
 
Trojan.Generic.KD.87847
Trojan.Win32.Generic!BT
Trojan ( 00071a9a1 )
Artemis!5EAC6EABC66A
Win.Trojan.Agent-691724
Gen:Variant.Zusy.53898
UnclassifiedMalware

Artemis is a special case here, because it is the name of a module in McAfee. This is only a default name if found by McAfee, otherwise it is more likely the Artemis backdoor.
Similar module names can be found for other vendors. E.g. Zusy is a module of Bitdefender (Bitdefender's engine is part of a lot of other vendors, so you will likely see Zusy in other AV detections too).
 
Default names are more likely false positives than proper detection names and they tell you nothing about the nature of the malware.
 
If you have a default name with a specific malware type and a relatively low variant counter, the detection was likely created by a malware analyst, but seen as not important enough to make a special name for it. This is often the case for, e.g., macro trojan-downloaders, droppers or other carriers of infections that are not sophisticated but change rapidly. These detections tell you about the nature of the malware, but don't identify it properly. The value of the malware variant is higher than usual, but not as high as it is for the automatic entries.
 
Examples are:
 
Win32/TrojanDownloader.Agent.RUT
Trojan.Dropper.SF

Heuristic and Generic Detections

Generic detections cover all or a lot of different members of one malware family at once. If used in the true sense of the word, a generic detection will not cover more than one malware family. Generic detections are proper detections to identify malware, but they have a higher likelihood of being false positive.

Heuristic detection methods base their decision on malicious-looking behaviour or structure of the file by using a "rule of thumb". The information of a file is gathered and then processed by specific rules. E.g. each item of information might be given a specific weight. If the sum of all weighted items is above a certain threshold, the file is detected.
That makes heuristic methods imperfect, but they potentially cover a lot of malware variants and malware families at once.

Heuristic detection names might be created automatically. E.g. a file that downloads another file to temp and runs it might be classified as trojan-downloader without giving it a proper name. That way you can have a proper malware type (based on the behaviour) in combination with a default name. Heuristic detections are more likely false positives than other detections.

Here are some examples for generic and heuristic detections:

BehavesLike.Win32.Dropper.cc
Gen:Backdoor.Heur.FU
Win32.Trojan-Ransom.CryptoWall.D@gen
Gen:Win32.Necurs
Gen:Variant.Dyzap.13


Note that the term "Generic" in a malware name can also just be a default name and have nothing to do with generic detections.
 
Riskware, Cracks, Hacking Tools

Antivirus vendors do not care to put work into software that is used for illegal purposes. They will either not detect it, or detect it as Riskware, Crack, Unsafe or Hacktool; in both cases regardless of whether the file is actually malicious (the aforementioned terms are used either as malware type or as an umbrella name).
 
So if you want to determine whether an illegal file or hacking tool is good or bad, you must be aware that AV detections won't help much.
Users of cracked software and game hacks submit such files in high numbers to AV vendors to get to know whether these files are safe to use. AV vendors will not even try to help them out.
 
Umbrella Names

Agent, Riskware and Hacktool are already examples for Umbrella names. Other examples are:
 
Injector -- Umbrella name for files that inject code into processes
Crypted, Obfuscated, Packed -- Umbrella names for malware that was detected by its obfuscation or protection scheme
Small, Tiny -- a small malicious file
Riskware, Unsafe -- the program has either a risk of being malicious or makes your system vulnerable
Corrupt -- file with malicious code, but it should not run.
Patched -- an otherwise legit program that was modified by malware.
 
Sometimes umbrella names just specify the language the malware was written in. E.g.
Win32.Trojan-Downloader.AutoIt.AG
The umbrella name here is AutoIt.
 
These names do not identify the malware, but often tell you characteristics about it or specify the malware type in more detail (e.g. Trojan.Infostealer).

Same Detection Name for Different Vendors

Often you will encounter samples that are detected by different vendors under the same name.
This is most likely a Bitdefender detection. Bitdefender sells its engine and detections to other vendors, which use that in addition to their own product. There are at least six AV vendors that use Bitdefender's engine.
Take that into account while estimating the likelihood that you have a false positive.
E.g., if you find a sample with a virustotal detection ratio of 6/55, but each of the six detections has the same name as Bitdefender, the likelihood of having a false positive is high.

Note: Bitdefender is not the only one who sells licenses of their engine to other vendors, but they are the most widespread.

Snowball Effect -- Reporting False Positives Efficiently

It is not a secret that AV vendors share samples and blacklist samples automatically based on the detection rates of other vendors. This, in addition to the engine sharing of different vendors (see previous section), may cause a snowball effect; sometimes to the disadvantage of programs that are very prone to false positive detections. These are for example files from the demo scene, because they use packers and a lot of tricks in the file format to get tiny files; but also security tools which are used to fight malware, disinfect or monitor a system, because they may behave a lot like malware. Software vendors that like to protect their files too much from reverse engineering might also trigger the heuristic engines of certain AV vendors. Once a reputable AV company flags a file, the others will follow soon.

In case of a false positive this snowball effect can also be used to your advantage. Imagine you develop a legit tool or a demo and it is detected by 20 AV vendors. All vendors give a possibility to submit files to them, but submitting your file 20 times is a pain, isn't it?

My advice: Start with a report to Bitdefender, then Kaspersky, then wait for their responses.
As mentioned above, Bitdefender sells their engine to other vendors. If a false positive is reported to Bitdefender, you will get rid of at least six other detections at once.
Kaspersky is a very reputable player. If they drop their detection it is much more likely that the automatic systems of the other vendors will drop theirs too or report the file as a possible false positive.
If that is still not enough to get rid of all false positives, submit the file to another reputable company, e.g. ESET, Avira. Then wait again for a response. Don't bother with the small vendors.
« Last Edit: September 12, 2015, 06:17:26 am by Deque »
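Added example (not part of Deque's post, and not any vendor's own tooling): a small Python script that splits the detection names quoted in the post into the components described above (platform, malware type, name, variant, generic/heuristic markers, default and umbrella names) and then applies the post's rules of thumb to a VirusTotal-style result set to weigh the false-positive likelihood. The token vocabularies and the verdict thresholds are assumptions distilled from the post's examples, not a published naming standard, and the two result sets at the bottom are constructed, modelled on the 6/55 example in the post.

```python
"""Split antivirus detection names into the components the post describes and weigh a
VirusTotal-style result set for false-positive likelihood. Added example, not code from
the post; vocabularies and thresholds below are assumptions taken from the post."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

PLATFORMS = {"win", "win32", "win64", "msil", "java", "php", "powershell", "script",
             "unix", "linux", "android"}
TYPES = {"trojan", "downloader", "dropper", "spy", "virus", "worm", "application", "adware",
         "pup", "pua", "backdoor", "ransom", "trojandownloader", "infostealer",
         "tr"}  # "tr" is Avira's abbreviation for Trojan
DEFAULT_NAMES = {"agent", "generic", "artemis", "zusy", "unclassifiedmalware"}
UMBRELLA_NAMES = {"injector", "crypt", "crypted", "obfuscated", "packed", "small", "tiny",
                  "riskware", "unsafe", "corrupt", "patched", "hacktool", "autoit"}
GENERIC_MARKERS = {"gen", "heur", "behaveslike", "variant"}  # "Variant" is Bitdefender filler
SUFFIXES = {"mm"}                                            # Microsoft's @mm mass-mailer tag
COUNTER_RE = re.compile(r"^(\d+|[0-9a-fA-F]{8,})$")          # numeric or hash-like counter
LETTERS_RE = re.compile(r"^([A-Z]{1,4}|[a-z]{1,4})$")         # letter counter: R, ABW, cc


@dataclass
class Detection:
    vendor: str
    raw: str
    platform: Optional[str] = None
    malware_type: Optional[str] = None
    name: Optional[str] = None
    variant: Optional[str] = None
    generic_or_heuristic: bool = False
    default_name: bool = False
    umbrella_name: bool = False


def parse_detection(vendor: str, raw: str) -> Detection:
    det = Detection(vendor, raw)
    tokens = [t for t in re.split(r"[:/.!@()\s-]+", raw) if t]
    det.generic_or_heuristic = any(t.lower() in GENERIC_MARKERS for t in tokens)
    rest = [t for t in tokens if t.lower() not in GENERIC_MARKERS | SUFFIXES]
    platforms = [t for t in rest if t.lower() in PLATFORMS]
    types = [t for t in rest if t.lower() in TYPES]
    rest = [t for t in rest if t.lower() not in PLATFORMS | TYPES]
    det.platform = platforms[0] if platforms else None
    det.malware_type = "-".join("Trojan" if t.lower() == "tr" else t for t in types) or None
    # The trailing token is a variant counter if it looks like a number/hash, or like a short
    # all-upper/all-lower letter run that is not the only candidate for the name.
    last = rest[-1] if rest else ""
    if COUNTER_RE.match(last) or (LETTERS_RE.match(last) and (len(rest) >= 2 or types)):
        det.variant = rest.pop()
    det.name = ".".join(rest) or None
    head = rest[0].lower() if rest else ""
    det.default_name = not rest or head in DEFAULT_NAMES  # no name at all counts as default
    det.umbrella_name = head in UMBRELLA_NAMES
    return det


def assess(results: dict) -> dict:
    """results maps vendor -> detection string ('' = not detected). Rules of thumb from the
    post: one identical string across vendors is one shared engine; default, generic and
    heuristic names carry little information; a family name from independent engines is real."""
    dets = [parse_detection(v, r) for v, r in results.items() if r]
    by_name = Counter(d.raw for d in dets)
    families = sorted({d.name for d in dets
                       if d.name and not d.default_name and not d.umbrella_name})
    weak = sum(1 for d in dets if d.default_name or d.generic_or_heuristic)
    if not dets:
        verdict = "undetected"
    elif families and len(by_name) >= 2:
        verdict = "malware"
    elif len(dets) <= max(3, len(results) // 8) and (len(by_name) == 1 or weak == len(dets)):
        verdict = "likely false positive"
    else:
        verdict = "suspicious, unnamed"
    return {"ratio": f"{len(dets)}/{len(results)}", "distinct_names": len(by_name),
            "largest_shared_group": max(by_name.values(), default=0),
            "weak_detections": weak, "families": families, "verdict": verdict}


# Constructed result sets (not real VirusTotal data): 49 vendors that do not detect the file
# plus six that all return the same Bitdefender-style string, as in the post's 6/55 example.
SHARED_ENGINE = {f"vendor{i:02d}": "" for i in range(49)}
SHARED_ENGINE.update({v: "Gen:Variant.Zusy.53898" for v in
                      ("BitDefender", "licensee1", "licensee2", "licensee3", "licensee4", "licensee5")})
# Same file, but four more engines add their own names (Kaspersky string is constructed).
NAMED_FAMILY = dict(SHARED_ENGINE, ESET="Win32/Spy.Zbot.ABW", Kaspersky="Trojan-Spy.Win32.Zbot.abw",
                    Avira="TR/Crypt.ZPACK.177986", McAfee="Artemis!5EAC6EABC66A")

if __name__ == "__main__":
    for raw in ("Worm:Win32/Brontok.R@mm", "Gen:Variant.Dyzap.13", "TR/Crypt.ZPACK.177986",
                "Win32/Spy.Zbot.ABW", "Trojan ( 00071a9a1 )", "BehavesLike.Win32.Dropper.cc"):
        print(parse_detection("?", raw))
    print(assess(SHARED_ENGINE))
    print(assess(NAMED_FAMILY))
```

The parser is deliberately token-based rather than per-vendor, which is enough for the names quoted in the post; a real deployment would extend the vocabularies per vendor. The verdict for the first constructed set is "likely false positive" (six identical strings, all default names), and the second becomes "malware" as soon as two independent engines agree on the Zbot family name, which is exactly the reasoning the post describes.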

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
Re: Interpreting Antivirus Detection Names
« Reply #1 on: September 12, 2015, 01:08:33 am »
Damn, now I know the difference. I think I had figured out some by myself, but this is a better understanding of it all.
If you can't explain it to a 6 year old, you don't understand it yourself.

Offline Blackoutt

  • Serf
  • *
  • Posts: 31
  • Cookies: 4
  • Just fooling around
Re: Interpreting Antivirus Detection Names
« Reply #2 on: September 12, 2015, 01:25:46 pm »
This will help a lot.

Thanks

+1 for you

Offline white-knight

  • Knight
  • **
  • Posts: 190
  • Cookies: 26
Re: Interpreting Antivirus Detection Names
« Reply #3 on: September 12, 2015, 04:18:15 pm »
Great post,  thank you  +1

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
Re: Interpreting Antivirus Detection Names
« Reply #4 on: September 12, 2015, 08:01:33 pm »
Superb quality article, as always Deque :) this is really informative and helpful in further deciding if some crack/keygen/patch is legit or bundled with free malware.