These tables list the malicious code names, types, and descriptions as they appear in reports from the cloud security services support team. They also provide information you can use to determine why a particular email was stopped, and the class of potential threat the email contains.
| Type | Description |
|---|---|
| Crack | A program that is designed to modify another program. This modification is usually intended to remove copy protection from a piece of commercially available software. Crack programs usually contain Trojan horses or other unwanted programs. Users can be duped by promises of a free "crack" and are enticed to run some type of code. |
| Damaged | Malicious code has been removed, but some code may still remain. |
| False positive | Incorrectly identified as malicious. |
| Joke | Not malicious, but a potentially unwanted program (PUP). |
| Malicious | Malicious code, or software with bad intent. |
| Speculative | This term is very generic and is used when our heuristics discover a program that is at least a PUP, although likely worse. |
| Phish | A "phishing" attack, as in "fishing", but using online baiting techniques to obtain confidential information from unsuspecting users. |
| Virus Name | Type | Description |
|---|---|---|
| TXT/Generic!info | Crack | Stopped because we detected some information that explains how to operate a software crack. |
| W32/Crack- | Crack | This virus is a PUP that can be used to modify protected files. |
| EML/Worm.XX.dam | Damaged | A file that was cleaned by another antivirus scanner but that was stopped by our Email Services. The email is intercepted by our service and includes a disclaimer that is added by the sender's software. The "XX" portion of "EML/Worm.XX.dam" represents an acronym of the third-party software that inserted the disclaimer. The email does not appear to include a virus and has supposedly been scanned by a third-party antivirus scanner, but we cannot guarantee the email is clean. |
| Exploit/Link.dam | Damaged | Detected because the email contains links that are not in the correct http:// or https:// format, that is, links that start with anything other than these schemes. |
| JS/ExploitExec.dam | Damaged | A link within an email that is considered suspicious by our link-following technologies. This is because the link appears to have been damaged in some way and link-following cannot resolve the link correctly. |
| VBS/Generic.dam | Damaged | Exposed VBA code that is damaged but has some features that would directly affect areas of Windows, which is behavior we have seen before within malware. |
| W32/Bagle.gen!pic.dam | Damaged | A corrupted archive with Bagle-like features. It is probably damaged due to being bounced and truncated. |
| W32/Generic.dam | Damaged | Damaged malware was detected. Damaged malware is usually a result of partial disinfection or truncation of the original email as it passed through other MTAs. |
| W32/Kedebe.E-mm-xxxx!eml.dam | Damaged | A damaged copy of the Kedebe virus where the code is no longer executable due to changes within the malicious code. |
| W32/Mydoom.M.zip.dam | Damaged | A damaged archive file that matches some of the heuristics for Mydoom.M. |
| W32/Netsky.x.dam | Damaged | A damaged copy of the mass-mailing virus Netsky. |
| W32/Grew.A-mm-xxxx!eml.dam | Damaged | A damaged copy of the Grew.A virus where the code is no longer executable due to changes within the malicious code or items being stripped. |
| W97M/Generic.dam | Damaged | A malicious Microsoft Office document that contains a macro that no longer functions correctly and as a result is damaged. |
| Data/Mydoom.log.dam | Damaged | The Mydoom.M worm creates encrypted log files and, because of a bug, sometimes sends them out instead of its own code. As a result the encrypted data files are sent in a compressed archive inside emails. The files have random (encrypted) content and are about 1.1 or 1.2 kilobytes long. As the log files are not the source code, this file is regarded as damaged. |
| W32/Delf-Generic.dam | Damaged | A damaged Trojan that has been packed with a UPX file compressor. |
| Image/AppendedHTML.dam | Damaged | This instance occurs when the image file has had HTML appended to it but the code does not work for some reason. |
| W32/Bobax.AH-mm-22cd!eml.dam | Damaged | This instance is a damaged copy of the Bobax.AH mass-mailing virus; the code no longer executes due to changes within the code or because items have been stripped. |
| Possibly-infected-with-an-unknown-virus | False positive | We require a sample to further investigate the issue. |
| Joke.xxxxxxxxxxx | Joke | These are PUPs that are not legitimate business mails. They are joke programs that are not normally malicious. |
| not-virus:BadJoke.Win32.Stript | Joke | The script in this email is usually detected as a joke program. |
| W32/Joke.Gen-xxxx-xxxx | Joke | These are PUPs that are not legitimate business mail, but are not normally malicious. |
| bigbrother | Joke | A PUP that makes users think that they can take a photo with their PC. This is not a legitimate business mail and is not normally malicious. |
| W32/Beast.xxxx | Malicious | A standalone executable that infects Microsoft Word documents by embedding itself in them. It adds an AutoOpen macro to the document to run the embedded virus when the document is opened. |
| Exploit-WordPad.a.gen | Malicious | This is a generic detection for exploits targeting a WordPad text converter vulnerability. |
| Exploit-MSWord.a | Malicious | This is a generic detection for exploits targeting a WordPad text converter vulnerability. |
| Email-Worm.Win32.Agent.ev | Malicious | Spreads as an attachment in spam email with attention-grabbing lines in the subject field. |
| Exploit-ObscuredHtml | Malicious | This is detected as a Trojan. Microsoft Internet Explorer ignores certain non-ASCII characters, allowing an attacker to obfuscate malicious code and still have it rendered by IE. The detection covers HTML documents that have been crafted with the intention of evading antivirus detection. |
| Generic.f | Malicious | This is detected as a Trojan. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked Web pages, Internet Relay Chat (IRC) and peer-to-peer networks. |
| JS/ExploitGUID- | Malicious | A globally unique identifier (GUID) is a unique 128-bit number that is produced by the Windows OS or by some Windows applications to identify a particular component, application, file, database entry, and/or user. These are known GUIDs of files that are known to be exploitable. |
| LNK.CmdExploit | Malicious | A Windows Shortcut File that, when clicked, downloads malware to the user's PC. |
| RemAdm-PSKill | Malicious | Detected as a PUP. The program can terminate processes on local or remote WinNT or Win2K systems. This tool was built for use by administrators to perform remote system administration. However, this application is used by many Trojans. |
| W97M/Class.Q | Malicious | Detected as a Word macro virus that uses an effective way to hide its code. The virus installs its module to Word classes by using special WordBasic operators. The virus code is appended as a native Word component. As a result the virus is not visible in the Tools/Macro menu. |
| W97M/Concept-b | Malicious | Detected as spyware. |
| W97M/Wrench.A | Malicious | Detected as a Word 97 macro virus that infects the global template when an infected document is opened or closed. During infection, the virus creates two temporary files, "c:\Bench" and "c:\BenchFrm". After infection, the virus deletes all "Bench*" files from the root of the C: drive, including the temporary files that are created by the virus. |
| W32/Fujacks!htm | Malicious | An iframe is appended to the HTML document. It downloads the Fujacks virus and then spreads it by appending itself to every email sent from the sender's computer as a hidden iframe. In this way it infects recipients' computers. |
| UNK/Lastchance | Malicious | This is where viral content has been detected but has yet to be named and requires further review. |
| W32/Autorun.worm.i.gen | Malicious | Detected as a worm that attempts to spread to removable drives by creating an autorun.inf file. The autorun.inf file will run the worm automatically if systems that use the removable drive are set to allow autorun. The worm also infects Microsoft Word files. |
| XF/Sic.gen- | Malicious | Detected as a macro virus. Written in Excel4 macro code, the virus can infect both Excel95 and Excel97 format file types. |
| PWS-LegMir.gen.k | Malicious | PWS-LegMir.gen.k drops PWS-LegMir.gen.k.dll, which steals passwords from multiple games. It will spread using autorun.inf in the root folder of available drives in the system and download updates of itself. |
| Exploit-MIME.gen.c | Malicious | This generic detection covers email message files that exploit the Microsoft Incorrect MIME Header vulnerability. This vulnerability allows attached executable files to be run when a message is simply viewed. |
| Exploit/Link-MalDomain- | Malicious | This is a domain that is known to host malware. |
| Downloader-AYJ | Malicious | This is a Trojan downloader that uses an iframe exploit to route to another server to install further malware. |
| W97M/Thus.gen | Malicious | This is a virus that infects Word 97 documents. The virus consists of a module called ThisDocument. It will infect the Word normal.dot file. When it infects, it turns the Word 97 Macro Warning feature off. Before infecting a document, the virus will look to see if it has already infected the document by checking for a comment (thus.000). If this comment is found, the virus will not reinfect. On December 13, if an infected document is opened the virus will attempt to delete all files on drive C: (including subdirectories). |
| Exploit/BBB- | Malicious | These are specific heuristics that are designed to stop known malicious links sent by email from the BBB gang. When the malicious links are clicked on, malicious code is downloaded. Examples of these emails are fake tax court mails, IRS tax scams, and fake court subpoenas. Usually, all of these emails are sent to the addresses of high-profile personnel. |
| W32/Netsky-x!xxxx | Malicious | This is a variant of the Netsky virus and is malicious. (-x could be any character and !xxxx will be the first 4 characters of the MD5 checksum.) |
| Trojan-Clicker.HTML.IFrame.fh | Malicious | Detected as a malicious iframe that is appended to an HTML document and that downloads Trojans to a victim's computer. |
| W32/Warezov-Heur | Malicious | A variant of the Warezov virus, which is a mass-mailing worm that spreads through email attachments. |
| VBA/Generic.src | Malicious | Detected as the source for a VBA macro virus (Word, Excel, PowerPoint, etc.). Some macro viruses store their source code in a temporary file when transferring their code from one file to another. This is detection for the temporary file. |
| Exploit-ZIP.b | Malicious | This is a zip file that has been crafted to exploit MS02-054 (long file names in zip files). |
| JS/Exploit-Iframe | Malicious | This is detection for malicious iframes embedded on legitimate websites as well as purposely designed malicious websites. |
| W97M.VMPCK1.gen | Malicious | This is detection for mis-disinfected malware. Our heuristics are more aggressive in detecting viruses created using the "VMPCK v1.0" construction kit. |
| Exploit/LinkAliasPostcard-xxxx | Malicious | This is an aliased link that takes you to a known malicious greeting card site. This is highly suspicious because the link extension is aliased (for example, the link is .php but appears as .jpg in the email; when clicked on, the original link runs). This is usually done to hide the fact that this is a malicious greeting card site link that will infect your PC with malware. |
| TXT/Qhost.gen | Malicious | This is a generic detection for Trojans that modify the hosts file. |
| Exploit-URLSpoof.gen | Phishing | This is a Trojan that has been seen in large rounds of spam. It is part of various phishing scams, enticing users to navigate to seemingly authentic websites in order to steal account and personal information. |
| Exploit/Phishing- | Phish | These emails are scams that do not contain any viral content. They have a link to a fake Web page that steals users' personal details when they attempt to log on. This can also be triggered by forwarding mails that users have received, as well as the occasional false positive. |
| Link-Exploit/Phishing- | Phish | These emails are scams that do not contain any viral content. They have a link to a fake Web page that steals users' personal details when they attempt to log on. This can also be triggered by forwarding mails that users have received, as well as the occasional false positive. |
| Trojan-Spy.HTML.Fraud.gen | Phish | These are phishing scam emails that do not contain any viral content. They have a link to a fake Web page that steals users' personal details when they attempt to log on. |
| Exploit/PhishLogin | Phish | This is a phishing scam mail that was sent to tempt users to log on to a fake banking site. |
| Phish-BankFraud.eml.b | Phish | These are phishing messages that are designed to steal bank account information. |
| Exploit/BouncedGeneric | Speculative | This is a deliberate heuristic that is designed to catch bounce backs that contain suspicious attachments such as zip files. |
| Exploit/CVE- | Speculative | These can be malicious and are usually Microsoft Office documents that exploit vulnerabilities in Office software. However, we do occasionally see a few Office documents that contain properties similar to the exploit and as a result are incorrectly identified, producing a false positive. |
| Exploit/Fraud-AccUpdate | Speculative | These are mails that are similar to phishing mails; however, they ask users to reply with their user name and password and are usually for Webmail accounts. |
| Exploit/HiddenIFrame-xxxx | Speculative | This is a hidden iframe contained within an email. When the iframe is executed, it is invisible to the end user. |
| Exploit/Link- | Speculative | This detection looks at the link contained within an email and checks that the link is correct, such that the extension is correct and not aliased by a different extension. |
| Exploit/Link-DogpileRedirect.gen | Speculative | This is a detection for links that are using DogPile redirects to direct users to malicious content. |
| Exploit/Link-SuspExe- | Speculative | This is where a link within an email is to an .exe file that is suspicious. |
| Exploit/Link-ZhelHost- | Speculative | This is where a URL contained within an email appears to start with an IP address rather than a domain name. The email is usually spam that tries to entice the user to visit a website that hosts malware, which is downloaded when the user visits the site. |
| Exploit/MimeTypeMismatch | Speculative | This is where an item in the mail, such as a .jpg, has been incorrectly tagged in the MIME as another item such as a .com file. |
| Exploit/MIMEHeaderLength- | Speculative | This is a MIME header that exceeds the recommended length as per: Common failures that are seen include cases where gateways break the header line into more than one part and insert other headers in between. This can cause unexpected behavior if the MIME structure is destroyed. This can flag for the following fields: Subject, Thread-Index, To, X-MIMETrack and References. |
| Exploit/MouseOver | Speculative | This is an exploit of the MouseOver function that allows malformed MouseOver code to be used to run arbitrary code. The arbitrary code can be used to obtain personal information or execute specific attacks. |
| Exploit/OLEHiddenEXE | Speculative | This is an exploit in which an embedded .exe can be hidden in a Word document (OLE file format). The .exe can be used to execute code or even download malicious content to a user's computer. |
| Exploit/RemoteMHTM- | Speculative | An MHTML document that is an archived Web page, which can be exploited to drop malicious content on to the recipient's computer. |
| Exploit/RTFEmbeddedExe | Speculative | This is usually an email with a link to an .exe inside of an .rtf document. The .exe then downloads malicious files to the user's computer. |
| Exploit/SuspExeInOLE | Speculative | This is usually where a suspicious .exe file has been embedded within a document file. This particular instance is suspicious because the .exe has been embedded within an OLE file. |
| Exploit/SuspLink- | Speculative | This is usually where a link contained within an email is suspicious. |
| HeurAuto- | Speculative | This is a detection flagged by traffic heuristics, which has identified a suspicious mail pattern. |
| JS/Decoder | Speculative | This is a piece of JavaScript that appears to be decoding a section of data, potentially hiding malicious executables or redirects. |
| JS/ExploitExec | Speculative | A link within an email that has been considered to be suspicious by our link verification (link-following) technologies. |
| JS/Generic | Speculative | This is usually flagged as suspicious because JavaScript functions have been used to obfuscate certain function calls within an attachment of a mail. |
| JS/Generic.TxSp | Speculative | This is usually where JavaScript appears to be encoded in such a way that it resembles spam-like obfuscation. |
| JS/Selfaltering | Speculative | This is a piece of JavaScript that appears to alter its own content. This is common in scripts designed to obfuscate malicious code or spam. |
| Link-Exploit/Link- | Speculative | A link within an email that is considered to be suspicious by our link-following technologies. |
| Link-JS/ExploitExec | Speculative | This is where the link contained in the email appears to be suspicious and has therefore been detected by our link-following technologies. |
| Link-VBS/Generic | Speculative | This is where the link contained in the email appears to be suspicious and has therefore been detected by link-following. |
| Link-W32/HackedPacker-Generic | Speculative | The executable is packed (compressed/obfuscated) in an unknown way. |
| MDB/Generic | Speculative | Generic detection designed to stop MDB (Microsoft Jet Database Engine) files that may be vulnerable to arbitrary code-execution attacks. |
| Office/Generic | Speculative | This is a speculative heuristic for malware in Microsoft Office documents. |
| PNG/Generic | Speculative | Generic detection of .png (portable network graphics) files that could potentially allow remote code execution. |
| VBS/Generic | Speculative | Exposed VBA code that directly affects areas of Windows, which is behavior seen previously within malware. |
| W32/Generic- | Speculative | This is when there are suspicious function calls within a document that can create and run a file. |
| W32/HackedPacker-MalProtector.gen | Speculative | The executable is packed (compressed/obfuscated) in an unknown way. It may contain self-modifying content. |
| W32/HackedPacker-UPX- | Speculative | An application that has been packed with a potentially malicious runtime packer or encryptor. |
| W32/Heur-Obfuscated.gen.d- | Speculative | Adware: a Trojan downloader that obscures itself so that you do not see it downloading malicious programs. |
| W32/Troj-Keylogger.gen- | Speculative | This is a means to obtain passwords or encryption keys and thus bypass other security measures that you may have in place. |
| W32/Troj-MalInstaller.gen- | Speculative | Setup installer that has Trojan-like strings that we have not been able to unpack. |
| W32/Troj-StartPage.gen- | Speculative | A Trojan that hijacks the Internet Explorer home page without your permission. |
| W32/Warezov-Heur | Speculative | The email contains many features of the mass-mailing virus Warezov. |
| W97M/Generic | Speculative | Macros within Office documents that call certain functions, which are commonly used to hide malicious activity. Can cause false positives due to the function calls. |
| WMF/Generic | Speculative | This is generic detection to prevent a vulnerability in Windows Meta File from being exploited. |
| X97M/Generic | Speculative | Macros within .xls documents that call certain functions, which are commonly used to hide malicious activity. Can cause false positives due to the function calls. |
| ZIP/Generic | Speculative | This is a generic detection of suspicious .zip files that can be used to hide malware. |
| Exploit/Unpacker | Speculative | We have been unable to unpack the contents of the mail due to the errors caused by the contents themselves. |
| Exploit/ArchiveRatio | Speculative | This is a corrupted archive. The files in the archive are too large for the ratio of the archive file. |
| Link-JS/Selfaltering | Speculative | This is usually a JavaScript link that has the ability to alter itself. |
| Exploit/Link-IFrame- | Speculative | This is an iframe (an HTML element that makes it possible to embed an HTML document inside another HTML document) that is hidden within the htm file of an email. It is designed to open a hidden iframe to download malicious content from a website, which is a specified link within the source code of the file. |
| HTML/IFrame | Speculative | This is a hidden iframe that has been appended to an HTML document and that downloads malicious content from a website, which is specified within the source code of the file. |
| Word/Generic | Speculative | This is when there is suspicious shellcode contained within a Word document. |
| EMF/Generic | Speculative | This is a generic detection to prevent a vulnerability in Generic vector graphics from being exploited. |
| Exploit/MimeBoundary | Speculative | This means that the mail has been stopped because there is more than one MIME boundary in the email, which violates https://datatracker.ietf.org/doc/html/rfc2822. |
| HHP/Generic | Speculative | This is a back-door Trojan that allows a remote intruder to gain access and control over the computer. |
| Malformed-Archive | Speculative | An archive file, such as a .zip file, that is not correctly formed. |
| Exploit/MimeBoundary003 | Speculative | This is where the MIME boundaries within the email do not match and have changed. This is usually indicative of a non-delivery report (NDR) or a broken email client. In a normal email these MIME boundaries should not change; therefore, this is suspicious behavior. |
| W32/Delf-Generic-xxxx-xxxx | Speculative | As a Trojan, this is a PE executable file that is packed with a UPX file compressor. |
| W32/Troj-ProcessInjector-xxxx-xxxx | Speculative | A Trojan that attempts to hide itself from virus scanners and injects its code into other processes running on the system. |
| W32/Memory-xxxx-xxxx | Speculative | This is a particular file that we have seen before that is likely a known malicious file. |
| Exploit/IFrame-xxxx | Speculative | This is a suspicious iframe that is hidden within the htm file of an email. The email is designed to open a hidden iframe to download malicious content. |
| Exploit/LinkExeFreehost-xxxx | Speculative | This is a link to an executable file that is hosted on a free hosting site that is known to host malicious content. |
| Exploit/MHTLink- | Speculative | This is a link to an MHTML document that has been archived as a Web page that can be used to host malicious content. |
| Image/AppendedHTML | Speculative | This is an image file that has had HTML commands or code appended to it that could be malicious. |
| Exploit/ImageAppendedHTML | Speculative | This is an image file that has had HTML commands or code appended to it that could be malicious. |
| Exploit/SuspiciousCHM | Speculative | This is when there is an HTML Help Compiled Help File that appears to have suspicious actions contained within it. |
| JS/Feebslike | Speculative | This is a polymorphic worm that has properties similar to the Feebs virus. |
| Link-Exploit-MSDDS | Speculative | This is a link to code attempting to exploit a Microsoft Internet Explorer vulnerability. |
| Link-Exploit/SuspLink | Speculative | These are links contained within an email that link to suspicious or executable files. |
| Link-JS/Decoder | Speculative | This is a link to code that decodes obfuscated JavaScript; the obfuscated JavaScript it links to may be malicious. |
| Link-JS/Generic | Speculative | This is a link to a site that contains JavaScript. The functions of the JavaScript have been used to obfuscate certain function calls within the code of the page. |
| Link-VBS/Psyme | Speculative | This is a link to a website that contains VBS/Psyme viral code that is designed to infect your computer. |
| Link-W32/HackedPacker-MalProtector.gen-xxxx-xxxx | Speculative | A link to an application that has been packed with a potentially malicious runtime packer or encryptor. |
| Office/Generic | Speculative | This is detection for suspicious code within Office attachments. |
| X97M/Marker.BM | Speculative | Macros within Microsoft Office .xls documents calling certain functions, which are commonly used to hide malicious activity. Can cause false positives due to the function calls. |
| XF/Generic | Speculative | This is where there is suspicious code contained within an .xls attachment. |
| Generic-xxxx | Speculative | This is detection for suspicious code within Office attachments. |
| Exploit/Generic!tt-xxxx | Speculative | This is a generic term for possible new malware threats that we will need to review. Some code can cause false positives; however, an example of what has been stopped under this name is fake UPS invoices that contain malware. |
| Exploit/EncryptedArchive | Speculative | The way in which the archive has been encrypted is suspicious. |
| Exploit/CAN-xxxx-xxxx | Speculative | These are known exploits that are out in the wild. Further information on these can be found by entering the full name on the following site: [http://www.cve.mitre.org/cgi-bin/cvename.cgi?] |
| ZIP/Bagle!ZipBadCRC | Speculative | This is a .zip file that uses a Bagle-like password and that has a bad checksum (usually because of some form of corruption). |
| W32/Exploit-OLEHiddenEXE-xxxx | Speculative | This is an exploit where an embedded .exe can be hidden in a Word document (OLE file format). The .exe can be used to execute code or even download malicious content to a user's computer. |
| Outlook/DateExploit | Speculative | This is usually where the MIME header is incorrectly formatted and has the next line of the header starting on the previous line next to the date. |
| ZIP/Generic.dam | Speculative | This is usually where a password-protected zip file that contains an image file has been sent in an email. The image file could potentially contain the password, so as a precaution we block this. |