Malicious code classifications and threat types

Article ID: 161429

Products

Email Security.cloud

Issue/Introduction

These tables list the malicious code names, types, and descriptions as they appear on the reports from the cloud security services support team. Use them to determine why a particular email was stopped and what class of threat the email was found to contain.

Resolution

Virus types

Type
Description
Crack
A program that is designed to modify another program. This modification is usually intended to remove copy protection from a piece of commercially available software. Crack programs usually contain Trojan horses or other unwanted programs. Users can be duped by promises of a free "crack" and are enticed to run some type of code.
Damaged
Malicious code has been removed but some code may still remain.
False positive 
Incorrectly identified as malicious.
Joke
Not malicious, but a potentially unwanted program (PUP).
Malicious
Malicious code, or software with bad intent.
Speculative
This term is very generic and is used when our heuristics discover a program that is at least a PUP, although likely worse.
Phish
A "phishing" attack (by analogy with "fishing"): online baiting techniques, such as a forged email pointing to a fake login page, used to obtain confidential information from unsuspecting users.
 

Virus names

 
Virus Name
Type
Description
TXT/Generic!info
Crack
Stopped because we detected some information that explains how to operate a software crack.
W32/Crack-
Crack
This virus is a PUP that can be used to modify protected files.
EML/Worm.XX.dam
Damaged
A file that was cleaned by another antivirus scanner but that was stopped by our Email Services. The email is intercepted by our service and includes a disclaimer that is added by the sender's software. The "XX" portion of "EML/Worm.XX.dam" represents an acronym of the third-party software that inserted the disclaimer. The email does not appear to include a virus and has supposedly been scanned by a third-party antivirus scanner, but we cannot guarantee the email is clean.
Exploit/Link.dam
Damaged
Detected because the email contains links that are not in the expected http:// or https:// form, for example links whose scheme is anything other than these.
JS/ExploitExec.dam
Damaged
A link within an email that is considered suspicious by our link-following technologies. This is because the link appears to have been damaged in some way and link-following cannot resolve the link correctly.
VBS/Generic.dam
Damaged
Exposed VBScript (VBS) code that is damaged but still has some features that would directly affect areas of Windows, which is behavior we have seen before within malware.
W32/Bagle.gen!pic.dam
Damaged
A corrupted archive with Bagle-like features. It is probably damaged due to being bounced and truncated.
W32/Generic.dam
Damaged
Damaged malware was detected. Damaged malware is usually a result of partial disinfection or truncation of the original email as it passed through other MTAs.
W32/Kedebe.E-mm-xxxx!eml.dam
Damaged
A damaged copy of the Kedebe virus where the code is no longer executable due to changes within the malicious code.
W32/Mydoom.M.zip.dam
Damaged
A damaged archive file that matches some of the heuristics for Mydoom.M
W32/Netsky.x.dam
Damaged
A damaged copy of the mass-mailing virus Netsky.
W32/Grew.A-mm-xxxx!eml.dam
Damaged
A damaged copy of the Grew.A virus where the code is no longer executable due to changes within the malicious code or items being stripped.
W97M/Generic.dam
Damaged
A malicious Microsoft Office document that contains a macro that no longer functions correctly and as a result is damaged.
Data/Mydoom.log.dam
Damaged
The Mydoom.M worm creates encrypted log files and, due to a bug, sometimes sends them out instead of its own code. As a result the encrypted data files are sent in a compressed archive inside emails. The files have random-looking (encrypted) content and are about 1.1 or 1.2 kilobytes long. Because the log files are not the worm's executable code, the file is classified as damaged.
W32/Delf-Generic.dam
Damaged
A damaged Trojan that has been packed with a UPX file compressor.
Image/AppendedHTML.dam
Damaged
This instance occurs when the image file has had HTML appended to it but the code does not work for some reason.
W32/Bobax.AH-mm-22cd!eml.dam
Damaged
This instance is a damaged copy of the Bobax.AH mass-mailing virus. The code no longer executes because of changes within the code or because parts of the item have been stripped.
Possibly-infected-with-an-unknown-virus
False positive 
We require a sample to further investigate the issue.
Joke.xxxxxxxxxxx
Joke
These are PUPs that are not legitimate business mail. They are joke programs that are not normally malicious.
not-virus:BadJoke.Win32.Stript
Joke
The script in this email is usually detected as a joke program.
W32/Joke.Gen-xxxx-xxxx
Joke
These are PUPs that are not legitimate business mail, but are not normally malicious.
bigbrother
Joke
A PUP that makes users think that they can take a photo with their PC. This is not a legitimate business mail and is not normally malicious.
W32/Beast.xxxx
Malicious
A standalone executable that infects Microsoft Word documents by embedding itself in them. It adds an AutoOpen macro to the document to run the embedded virus when the document is opened.
Exploit-WordPad.a.gen
Malicious
This is a generic detection for exploits targeting a WordPad text converter vulnerability.
Exploit-MSWord.a
Malicious
This is a generic detection for exploits targeting a WordPad text converter vulnerability.
Email-Worm.Win32.Agent.ev
Malicious
Spreads as an attachment in spam email with attention grabbing lines in the subject field.
Exploit-ObscuredHtml
Malicious
This is detected as a Trojan. Microsoft Internet Explorer ignores certain non-ASCII characters, allowing an attacker to obfuscate malicious code and still have it rendered by IE. The detection covers HTML documents that have been crafted with the intention of evading antivirus detection.
Generic.f
Malicious
This is detected as a Trojan. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked Web pages, Internet Relay Chat (IRC) and peer-to-peer networks.
JS/ExploitGUID-
Malicious
A GUID (globally unique identifier) is a 128-bit number produced by the Windows OS or by Windows applications to identify a particular component, application, file, database entry, or user. This detection covers script that references the GUIDs of components known to be exploitable.
LNK.CmdExploit
Malicious
A Windows shortcut file (.lnk) that, when clicked, downloads malware to the user's PC.
RemAdm-PSKill
Malicious
Detected as a PUP. The program can terminate processes on local or remote WinNT or Win2K systems. This tool was built for use by administrators to perform remote system administration. However, this application is used by many Trojans.
W97M/Class.Q
Malicious
Detected as a Word macro virus that uses an effective way to hide its code. The virus installs its module to Word classes by using special WordBasic operators. The virus code is appended as a native Word component. As a result the virus is not visible in the Tools/Macro menu.
W97M/Concept-b
Malicious
Detected as spyware.
W97M/Wrench.A
Malicious
Detected as a Word 97 macro virus that infects the global template when an infected document is opened or closed. During infection, the virus creates two temporary files, "c:\Bench" and "c:\BenchFrm". After infection, the virus deletes all "Bench*" files from the root of the C: drive, including the temporary files that it created.
W32/Fujacks!htm
Malicious
An iframe is appended to the HTML document. It downloads the Fujacks virus, which then spreads by appending itself as a hidden iframe to every email sent from the sender's computer. In this way it infects recipients' computers.
UNK/Lastchance
Malicious
This is where viral content has been detected but has yet to be named and requires further review.
W32/Autorun.worm.i.gen
Malicious
Detected as a worm that attempts to spread to removable drives by creating an autorun.inf file. The autorun.inf file will run the worm automatically if systems that use the removable drive are set to allow autorun. The worm also infects Microsoft Word files.
XF/Sic.gen-
Malicious
Detected as a macro virus. Written in Excel 4.0 (XLM) macro code, the virus can infect both Excel 95 and Excel 97 format file types.
PWS-LegMir.gen.k
Malicious
PWS-LegMir.gen.k drops PWS-LegMir.gen.k.dll, which steals passwords from multiple games. It will spread using autorun.inf in the root folder of available drives in the system and download updates of itself.
Exploit-MIME.gen.c
Malicious
This generic detection covers email message files that exploit the Microsoft Incorrect MIME Header vulnerability (MS01-020). This vulnerability allows attached executable files to be run when a message is simply viewed in a vulnerable client.
Exploit/Link-MalDomain-
Malicious
This is a domain that is known to host malware.
Downloader-AYJ
Malicious
This is a Trojan downloader that uses an iframe exploit to route to another server to install further malware.
W97M/Thus.gen
Malicious
This is a virus that infects Word 97 documents. The virus consists of a module called ThisDocument. It will infect the Word normal.dot file. When it infects, it turns the Word 97 Macro Warning feature off. Before infecting a document, the virus will look to see if it has already infected the document by checking for a comment (thus.000). If this comment is found, the virus will not reinfect. On December 13, if an infected document is opened the virus will attempt to delete all files on drive C: (including subdirectories).
Exploit/BBB-
Malicious
These are specific heuristics that are designed to stop known malicious links sent by email from the BBB gang. When the malicious links are clicked on, malicious code is downloaded. Examples of these emails are fake tax court mails, IRS tax scams, and fake court subpoenas. Usually, all of these emails are sent to the addresses of high-profile personnel.
W32/Netsky-x!xxxx
Malicious
This is a variant of the Netsky virus and is malicious. (-x can be any character, and !xxxx is the first 4 characters of the MD5 checksum.)
Trojan-Clicker.HTML.IFrame.fh
Malicious
Detected as a malicious iframe that is appended to a HTML document that downloads Trojans to a victim's computer.
W32/Warezov-Heur
Malicious
A variant of the Warezov virus, which is a mass-mailing worm  that spreads through email attachments.
VBA/Generic.src
Malicious
Detected as the source for a VBA macro virus (Word, Excel, PowerPoint, etc.). Some macro viruses store their source code in a temporary file when transferring their code from one file to another. This is detection for the temporary file.
Exploit-ZIP.b
Malicious
This is a zip file that has been crafted to exploit MS02-054 (long file names in zip files).
JS/Exploit-Iframe
Malicious
This is detection for malicious iframes embedded on legitimate websites as well as purposely designed malicious websites.
W97M.VMPCK1.gen
Malicious
This is detection for mis-disinfected malware. Our heuristics are more aggressive for the detection for viruses created using the "VMPCK v1.0" construction kit.
Exploit/LinkAliasPostcard-xxxx
Malicious
This is an aliased link that takes you to a known malicious greeting card site. This is highly suspicious because the link extension is aliased (For example, the link is .php but appears as .jpg in the email. When clicked on, the original link runs). This is usually done to hide the fact that this is a malicious greeting card site link that will infect your PC with malware.
TXT/Qhost.gen
Malicious
This is a generic detection for Trojans that modify the hosts file.
Exploit-URLSpoof.gen
Phish
This is a Trojan that has been seen in large rounds of spam. This is part of various phishing scams, enticing users to navigate to seemingly authentic websites to steal account and personal information.
Exploit/Phishing-
Phish
These emails are scams that do not contain any viral content. They have a link to a fake Web page that steals users' personal details when they attempt to log on. This can also be triggered by users forwarding phishing mails they have received, as well as by the occasional false positive.
Link-Exploit/Phishing-
Phish
These emails are scams that do not contain any viral content. They have a link to a fake Web page that steals users' personal details when they attempt to log on. This can also be triggered by users forwarding phishing mails they have received, as well as by the occasional false positive.
Trojan-Spy.HTML.Fraud.gen
Phish
These are phishing scam emails that do not contain any viral content. They have a link to a fake Web page that steals users' personal details when they attempt to log on.
Exploit/PhishLogin
Phish
This is a phishing scam mail that was sent to tempt users to log on to a fake banking site.
Phish-BankFraud.eml.b
Phish
These are phishing messages that are designed to steal bank account information.
Exploit/BouncedGeneric
Speculative
This is a deliberate heuristic that is designed to catch bounce backs that contain suspicious attachments such as zip files.
Exploit/CVE-
Speculative
These can be malicious and are usually Microsoft Office documents that exploit vulnerabilities in Office software. Occasionally, however, a legitimate Office document has properties similar to the exploit and is stopped in error; such cases are false positives.
Exploit/Fraud-AccUpdate
Speculative
These are mails that are similar to phishing mails; however, they ask users to reply with their user name and password and are usually aimed at Webmail accounts.
Exploit/HiddenIFrame-xxxx
Speculative
This is a hidden iframe contained within an email. When the iframe is executed, it is invisible to the end user.
Exploit/Link-
Speculative
This detection examines the link contained within an email and checks that it is what it appears to be, for example that the visible file extension is the real one and not aliased by a different extension in the actual target.
Exploit/Link-DogpileRedirect.gen
Speculative
This is a detection for links that are using DogPile redirects to direct users to malicious content.
Exploit/Link-SuspExe-
Speculative
This is where a link within an email is to an .exe file that is suspicious.
Exploit/Link-ZhelHost-
Speculative
This is where a URL contained within an email starts with an IP address rather than a domain name. Such email is usually spam that tries to entice the user to visit a website hosting malware, which is downloaded when the user visits the site.
Exploit/MimeTypeMismatch
Speculative
This is where an item in the mail, such as a .jpg, has been incorrectly tagged in the MIME as another item such as a .com file.
Exploit/MIMEHeaderLength-
Speculative
This is a MIME header line that exceeds the recommended length (RFC 2822 section 2.1.1 recommends at most 78 characters per header line and allows no more than 998). Common failures include gateways that break the header line into more than one part and insert other headers in between. This can cause unexpected behavior if the MIME structure is destroyed. The detection can flag the following fields: Subject, Thread-Index, To, X-MIMETrack and References.
Exploit/MouseOver
Speculative
This is an exploit of the MouseOver function that allows malformed MouseOver code to be used to run arbitrary code. The arbitrary code can be used to obtain personal information or execute specific attacks.
Exploit/OLEHiddenEXE
Speculative
This is an exploit in which an embedded .exe can be hidden in a Word document (OLE file format). The .exe can be used to execute code or even download malicious content to a user's computer.
Exploit/RemoteMHTM-
Speculative
An MHTML document (an archived Web page), which can be exploited to drop malicious content on to the recipient's computer.
Exploit/RTFEmbeddedExe
Speculative
This is usually an email with a link to an .exe inside of an .rtf document. The .exe then downloads malicious files to the user's computer.
Exploit/SuspExeInOLE
Speculative
This is usually where a suspicious .exe file has been embedded within a document file. This particular instance is suspicious because the .exe has been embedded within an OLE file.
Exploit/SuspLink-
Speculative
This is usually where a link contained within an email is suspicious.
HeurAuto-
Speculative
This is a detection flagged by traffic heuristics, which has identified a suspicious mail pattern.
JS/Decoder
Speculative
This is a piece of JavaScript that appears to be decoding a section of data, potentially hiding malicious executables or redirects.
JS/ExploitExec
Speculative
A link within an email that has been considered to be suspicious by our link verification (link-following) technologies.
JS/Generic
Speculative
This is usually flagged as suspicious because JavaScript functions have been used to obfuscate certain function calls within an attachment of a mail. 
JS/Generic.TxSp
Speculative
This is usually where JavaScript appears to be encoded in such a way that it appears to be spam-like obfuscation.
JS/Selfaltering
Speculative
This is a piece of JavaScript that appears to alter its own content. This is common in scripts designed to obfuscate malicious code or spam.
Link-Exploit/Link-
Speculative
A link within an email that is considered to be suspicious by our link-following technologies.
Link-JS/ExploitExec
Speculative
This is where the link contained in the email appears to be suspicious and has therefore been detected by our link-following technologies.
Link-VBS/Generic
Speculative
This is where the link contained in the email appears to be suspicious and has therefore been detected by link-following.
Link-W32/HackedPacker-Generic
Speculative
A link to an executable that is packed (compressed or obfuscated) in an unknown way.
MDB/Generic
Speculative
Generic detection designed to stop MDB (Microsoft Jet database) files that may be used for arbitrary code-execution attacks.
Office/Generic
Speculative
This is a speculative heuristic for malware in Microsoft Office documents.
PNG/Generic
Speculative
Generic detection of .png (portable network graphics) files that could potentially allow remote code execution.
VBS/Generic
Speculative
Exposed VBScript (VBS) code that directly affects areas of Windows, which is behavior seen previously within malware.
W32/Generic-
Speculative
This is when there are suspicious function calls within a document that can create and run a file.
W32/HackedPacker-MalProtector.gen
Speculative
The executable is packed (compressed/obfuscated) in an unknown way. It may contain self-modifying content.
W32/HackedPacker-UPX-
Speculative
An application that has been packed with a potentially malicious runtime packer or encryptor.
W32/Heur-Obfuscated.gen.d-
Speculative
Adware - A Trojan downloader that obscures itself so that you do not see it downloading malicious programs.
W32/Troj-Keylogger.gen-
Speculative
This is a means to obtain passwords or encryption keys and thus bypass other security measures that you may have in place.
W32/Troj-MalInstaller.gen-
Speculative
Setup installer that has Trojan-like strings that we have not been able to unpack.
W32/Troj-StartPage.gen-
Speculative
A Trojan that hijacks the Internet Explorer home page without your permission.
W32/Warezov-Heur
Speculative
The email contains many features of the mass-mailing virus Warezov.
W97M/Generic
Speculative
Macros within Office documents that call certain functions, which are commonly used to hide malicious activity. Can cause false positives due to the function calls.
WMF/Generic
Speculative
This is a generic detection that prevents a vulnerability in Windows Metafile (WMF) image handling from being exploited.
X97M/Generic
Speculative
Macros within .xls documents that call certain functions, which are commonly used to hide malicious activity. Can cause false positives due to the function calls.
ZIP/Generic
Speculative
This is a generic detection of suspicious .zip files that can be used to hide malware.
Exploit/Unpacker
Speculative
We have been unable to unpack the contents of the mail due to the errors caused by the contents themselves.
Exploit/ArchiveRatio
Speculative
This is an archive whose declared uncompressed size is implausibly large relative to its compressed size (an extreme compression ratio), which is characteristic of corrupted or deliberately inflated archives.
Link-JS/Selfaltering
Speculative
This is usually a JavaScript link that has the ability to alter itself.
Exploit/Link-IFrame-
Speculative
This is an iframe (an HTML element that embeds one HTML document inside another) that is hidden within the HTML file of an email. It is designed to open a hidden iframe that downloads malicious content from a website specified as a link within the source code of the file.
HTML/IFrame
Speculative
This is a hidden iframe that has been appended to a HTML document that downloads malicious content from a website, which is specified within the source code of the file.
Word/Generic
Speculative
This is when there is suspicious shellcode contained within a Word document.
EMF/Generic
Speculative
This is a generic detection that prevents a vulnerability in Enhanced Metafile (EMF) vector graphics handling from being exploited.
Exploit/MimeBoundary
Speculative
This means that the mail has been stopped because the email declares more than one MIME boundary where only one is expected, which violates the message-format rules (see http://tools.ietf.org/html/rfc2822; the multipart boundary syntax itself is defined in RFC 2046).
HHP/Generic
Speculative
This is a back-door Trojan that allows a remote intruder to gain access and control over the computer.
Malformed-Archive
Speculative
An archive file, such as a .zip file, that is not correctly formed.
Exploit/MimeBoundary003
Speculative
This is where the MIME boundaries within the email do not match and have changed. This is usually indicative of a non-delivery report (NDR) or a broken email client. In a normal email these MIME boundaries should not change; therefore, this is suspicious behavior.
W32/Delf-Generic-xxxx-xxxx
Speculative
As a Trojan, this is a PE executable file that is packed with a UPX file compressor.
W32/Troj-ProcessInjector-xxxx-xxxx
Speculative
A Trojan that attempts to hide itself from virus scanners and injects its code into other processes running on the system.
W32/Memory-xxxx-xxxx
Speculative
A specific file that has been seen before and is likely a known malicious file.
Exploit/IFrame-xxxx
Speculative
This is a suspicious iframe that is hidden within the htm file of an email. The email is designed to open a hidden iframe to download malicious content.
Exploit/LinkExeFreehost-xxxx
Speculative
This is a link to an executable file that is hosted on a free hosting site that is known to host malicious content.
Exploit/MHTLink-
Speculative
This is a link to an MHTML document that has been archived as a Web page that can be used to host malicious content.
Image/AppendedHTML
Speculative
This is an image file that has had HTML commands or code appended to it that could be malicious.
Exploit/ImageAppendedHTML
Speculative
This is an image file that has had HTML commands or code appended to it that could be malicious.
Exploit/SuspiciousCHM
Speculative
This is when a compiled HTML Help (.chm) file appears to contain suspicious actions.
JS/Feebslike
Speculative
This is a polymorphic worm that has properties similar to the Feebs virus.
Link-Exploit-MSDDS
Speculative
This is a link to code attempting to exploit a Microsoft Internet Explorer vulnerability in the Microsoft DDS Library Shape Control (msdds.dll).
Link-Exploit/SuspLink
Speculative
These are links contained within an email that link to suspicious or executable files.
Link-JS/Decoder
Speculative
This is a link to a page whose JavaScript decodes a section of obfuscated data, a pattern that frequently hides malicious code.
Link-JS/Generic
Speculative
This is a link to a site that contains JavaScript. The functions of the JavaScript have been used to obfuscate certain function calls within the code of the page.
Link-VBS/Psyme
Speculative
This is a link to a website that contains VBS/Psyme viral code designed to infect your computer.
Link-W32/HackedPacker-MalProtector.gen-xxxx-xxxx
Speculative
A link to an application that has been packed with a potentially malicious runtime packer or encryptor.
Office/Generic
Speculative
This is detection for suspicious code within Office attachments.
X97M/Marker.BM
Speculative
Macros within Microsoft Office .xls documents calling certain functions, which are commonly used to hide malicious activity. Can cause false positives due to the function calls.
XF/Generic
Speculative
This is where there is suspicious code contained within an .xls attachment.
Generic-xxxx
Speculative
This is detection for suspicious code within Office attachments.
Exploit/Generic!tt-xxxx
Speculative
This is a generic term for possible new malware threats that we will need to review. Some code can cause false positives; however, an example of what has been stopped under this name is fake UPS invoices that contain malware.
Exploit/EncryptedArchive
Speculative
The way in which the archive has been encrypted is suspicious.
Exploit/CAN-xxxx-xxxx
Speculative
These are known exploits that are out in the wild. CAN- is the legacy "candidate" prefix for CVE identifiers; further information can be found by entering the full name on the following site [http://www.cve.mitre.org/cgi-bin/cvename.cgi?]
ZIP/Bagle!ZipBadCRC
Speculative
This is a .zip file that uses a Bagle-like password and that has a bad checksum (usually because of some form of corruption).
W32/Exploit-OLEHiddenEXE-xxxx
Speculative
This is an exploit where an embedded .exe can be hidden in a Word document (OLE file format). The .exe can be used to execute code or even download malicious content to a user's computer.
Outlook/DateExploit
Speculative
This is usually where the header block is malformed: the next header line begins on the same line as the Date header instead of on its own line.
ZIP/Generic.dam
Speculative
This is usually where an email contains a password-protected zip file together with an image file. The image could contain the password needed to open the archive (a common trick for getting malware past scanners), so as a precaution we block this.
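Several of the Speculative entries above (Exploit/MIMEHeaderLength-, Exploit/HiddenIFrame-, Exploit/Link-, Exploit/Link-ZhelHost-, Exploit/MimeTypeMismatch, Image/AppendedHTML, Exploit/ArchiveRatio and Malformed-Archive) describe structural checks on a message rather than signatures. The Python script below is an added illustration of what such checks look like; it is not the Email Security.cloud engine and it does not reproduce its logic. The 998-character header limit is taken from RFC 5322 (the successor of RFC 2822); the 100:1 archive ratio, the magic-byte table, the regular expressions and the sample message are assumptions constructed for this example.

```python
"""Toy mail-gateway heuristics mirroring several detection names in the table.
Added illustration only: thresholds, patterns and the sample message are assumptions."""
import base64
import email
import io
import re
import zipfile
from email import policy
from urllib.parse import urlparse

MAX_HEADER_LINE = 998   # RFC 5322 section 2.1.1 hard limit on a line of a message
RATIO_LIMIT = 100       # uncompressed:compressed above this is flagged (assumed threshold)
MAGIC = [(b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG", "image/png"), (b"MZ", "application/x-msdownload")]
HTML_MARKERS = (b"<html", b"<script", b"<iframe")
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HIDDEN_IFRAME = re.compile(r'<iframe[^>]*(width="0"|height="0"|display:\s*none|visibility:\s*hidden)', re.I)


def sniff(data: bytes):
    """Content type implied by the leading magic bytes, or None if unknown."""
    return next((mime for sig, mime in MAGIC if data.startswith(sig)), None)


def url_ext(url: str) -> str:
    """Extension of the last path segment of a URL ('' if it has none)."""
    last = urlparse(url.strip()).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def archive_ratio(data: bytes) -> float:
    """Total uncompressed size over total compressed size of a zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return sum(i.file_size for i in infos) / max(1, sum(i.compress_size for i in infos))


def scan(raw: bytes) -> list[str]:
    """Return the detection names (from the table above) that this message would trigger."""
    hits = []
    header_block = raw.split(b"\r\n\r\n", 1)[0]          # everything before the first blank line
    if any(len(line) > MAX_HEADER_LINE for line in header_block.split(b"\r\n")):
        hits.append("Exploit/MIMEHeaderLength-")
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype == "text/html":
            html = payload.decode("utf-8", errors="replace")
            if HIDDEN_IFRAME.search(html):
                hits.append("Exploit/HiddenIFrame-")
            for href, inner in ANCHOR.findall(html):
                if IPV4_HOST.match(urlparse(href).hostname or ""):
                    hits.append("Exploit/Link-ZhelHost-")
                shown = re.sub(r"<[^>]+>", "", inner).strip()
                # visible text looks like a URL but its extension differs from the real target's
                if shown.lower().startswith("http") and url_ext(shown) not in ("", url_ext(href)):
                    hits.append("Exploit/Link-")
            continue
        sniffed = sniff(payload)
        if sniffed and sniffed != ctype:                  # declared type contradicts magic bytes
            hits.append("Exploit/MimeTypeMismatch")
        if sniffed and sniffed.startswith("image/") and any(m in payload.lower() for m in HTML_MARKERS):
            hits.append("Image/AppendedHTML")
        if payload.startswith(b"PK\x03\x04"):             # zip local file header
            try:
                if archive_ratio(payload) > RATIO_LIMIT:
                    hits.append("Exploit/ArchiveRatio")
            except zipfile.BadZipFile:
                hits.append("Malformed-Archive")
    return hits


def build_sample() -> bytes:
    """Constructed test message (not a real capture) that trips every check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc", b"\0" * 500_000)        # 500 KB of zeros deflates to well under 1 KB
    jpeg_plus_html = b"\xff\xd8\xff\xe0" + b"\0" * 16 + b"<html><script>x()</script></html>"
    plain_jpeg = b"\xff\xd8\xff\xe0" + b"\0" * 16
    html = ('<p><a href="http://203.0.113.7/card.php">http://example.net/card.jpg</a></p>'
            '<iframe src="http://203.0.113.7/x.html" width="0" height="0"></iframe>')
    parts = [
        ("Content-Type: text/html; charset=us-ascii", html),
        ('Content-Type: image/jpeg; name="photo.jpg"\r\nContent-Transfer-Encoding: base64',
         base64.b64encode(jpeg_plus_html).decode()),
        ('Content-Type: application/x-msdownload; name="pic.jpg"\r\nContent-Transfer-Encoding: base64',
         base64.b64encode(plain_jpeg).decode()),            # JPEG bytes declared as an executable
        ('Content-Type: application/zip; name="invoice.zip"\r\nContent-Transfer-Encoding: base64',
         base64.b64encode(buf.getvalue()).decode()),
    ]
    body = "".join(f"--B\r\n{hdr}\r\n\r\n{data}\r\n" for hdr, data in parts) + "--B--\r\n"
    head = ("From: sender@example.com\r\nTo: recipient@example.org\r\nSubject: "
            + "A" * 1200                                    # one unfoldable 1.2 KB header line
            + '\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="B"\r\n')
    return (head + "\r\n" + body).encode("ascii")


if __name__ == "__main__":
    for name in scan(build_sample()):
        print(name)
```

Running the script prints one detection name per line for the constructed message. Each check is deliberately coarse, which is exactly why the table files them under Speculative: a legitimate newsletter with a zero-height tracking iframe, or a bounce that mangled a long Subject line, trips the same rules, so a gateway pairs them with the false-positive handling described in the Speculative entries rather than treating a hit as proof of malice.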