Threat Type
The Threat Type represents the main threat category that describes what the main behavior of the threat is.
- For malware: Trojan, Worm, Virus, Ransomware, Coinminer and Backdoor are the most common threat types that we use.
- For grayware: Adware, Spyware, and PUA are the most common threat types.
Platform
Platform refers to the environment in which the threat is designed to execute and covers both software and hardware. This would include Operating Systems: Windows (Win32, Win64), Mac OS, Linux, and Android, as well as programming languages (scripting language) and file formats (Microsoft Word/Excel/PowerPoint).
Family
Threats with similar behavior are grouped together and referred to as a family. Each family is named based on the behavior it manifests.
Variant
To identify different strains of malware under one family, letters are used in a sequential manner and referred to as the Variant.
Other Information (Optional)
Information deemed useful in providing further insight for some complex threats can make use of this optional section of the naming scheme. For example, dldr means downloader. Therefore, the detection name Ransom.Win32.Locky.A.dldr provides information that this threat is a downloader for the Locky Ransomware.
Trend Micro plans to implement this new detection naming scheme in a phased approach. The initial focus will be on customer submitted samples and noteworthy threats, and eventually will encompass all channels including bulk submissions and other sourcing methods.
We believe that aligning more closely with the CARO standards is beneficial for customers, especially those who use a mixed-vendor security environment and require cross-checking of threats.
We apologize in advance for any inconvenience this may cause, and encourage customers to contact their authorized Trend Micro support representative for any questions or concerns with the new naming scheme.
Answers to Frequently Asked Questions
| Threat Type | Description |
|---|---|
| Adware | Adware |
| Backdoor | Threats may allow unauthorized users to access your computer across the Internet. |
| Boot | MBR (Master Boot Record) Malware |
| Browser | Browser Exploits |
| Coinminer | Cryptocurrency Mining Malware |
| DDoS | Distributed Denial of Service threats |
| Dialer | Dials a phone number without asking for permission. |
| Exploit | Uses a vulnerability or a software defect. |
| HackTool | Hacking/hackers tool |
| Joke | Joke programs |
| PUA | Potentially Unwanted Application |
| Ransom | Ransomware |
| Rootkit | Rootkit |
| Spyware | Monitors browsing habits or other behavior and sends the information out, often for unsolicited advertising. |
| Trojan | Trojan |
| TrojanClicker | Trojan clickers |
| TrojanProxy | Trojan proxy |
| TrojanSpy | Trojan Spyware (Malicious Spyware) |
| Virus | Infectors, File Infectors |
| Worm | Indicates a worm, not a virus. Worms make copies of themselves that they send across a network or using email, or another transport mechanism |
| Platform | Short Description |
|---|---|
| A97M | Access 97, 2000, XP, 2003, 2007, and 2010 macros |
| ABAP | Advanced Business Application Programming scripts |
| ACM | AutoCAD macro malware |
| AM | For Access 2.0 and Access 95 macro malware |
| AmiPro | AmiPro script |
| AndroidOS | Android operating system |
| ASP | Active Server Pages scripts |
| ASX | XML metafile of Windows Media .asf files |
| AutoIt | AutoIT scripts |
| BAT | For Batch File malware |
| CorelScript | Corelscript scripts |
| DOS | MS-DOS platform |
| EPOC | For Psion malicious codes (predecessor of Symbian) |
| FreeBSD | FreeBSD platform |
| HTML | HTML Application scripts |
| INF | Install scripts |
| iOS | iPhone operating system |
| IRC | mIRC/pIRC scripts |
| Java | Java binaries (classes) |
| JS | Threats that are written using the JavaScript programming language. |
| Linux | Virus or Trojan-horse program compiled for Linux OS in ELF file format |
| MacOS | MacOS X or later |
| MSIL | .Net intermediate language scripts |
| Netware | Novell Netware files |
| O97M | Office 97, 2000, XP, 2003, 2007, and 2010 macros - that affect Word, Excel, and Powerpoint |
| For Portable Document Format (PDF) | |
| Perl | For PERL Script malware |
| PHP | Hypertext Preprocessor scripts |
| P97M | PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros |
| Python | Python scripts |
| QT | Quicktime files |
| SAP | SAP platform scripts |
| SB | StarBasic (Staroffice XML) files |
| SH | Shell scripts |
| Solaris | System V-based Unix platforms |
| SunOS | Unix platforms 4.1.3 or lower |
| SWF | Shockwave Flash files |
| SymbOS | Symbian operating system |
| TSQL | MS SQL server files |
| Unix | General Unix platforms |
| V5M | Visio5 macros |
| VBS | Visual Basic scripts |
| W97M | Word 97, 2000, XP, 2003, 2007, and 2010 macros |
| WASM | Web Assembly |
| Win16 | Win16 (3.1) platform |
| Win32 | Windows 32-bit platform |
| Win64 | Windows 64-bit platform |
| WinBAT | Winbatch scripts |
| WinCE | For Windows CE and WindowsMobile malware |
| WinHlp | Windows Help scripts |
| WinNT | Windows NT |
| WinREG | Windows registry scripts |
| WM | Word 95 macros |
| WSF | Windows Script File |
| X97M | Excel 97, 2000, XP, 2003, 2007, and 2010 macros |
| XF | Excel formulas |
| XM | Excel 95 macros |
| XML | For XML-written malware |
| Old | New |
|---|---|
| RANSOM_BADRABBIT.SM | Ransom.Win32.Badrabbit.SM |
| JS_LOCKY.A | Ransom.JS.Locky.A |
| HTML_RANSOMNOTE | Ransom.HTML.Locky.A.note |
| ADW_OPENCANDY.GB | Adware.Win32.OpenCandy.GB |
| COINMINER_CRYPTONIGHT.SM | Coinminer.WASM.Cryptonight.SM |
| ELF_BASHLITE.K | Trojan.Linux.Bashlite.K |
| HKTL_MIMIKATZ.A | Hacktool.Win32.Mimikatz.A |
| JAVA_DLOAD.BAY | Trojan.Java.DLOAD.BAY |
| JOKE_PCHAUNT.A | Joke.Win32.PCHaunt.A |
| OSX_GEONEI.A | Adware.MacOS.Geonei.A |
| PE_PARITE.A | Virus.Win32.Parite.A |
| PUA_ReimageRepair.B | PUA.Win32.ReimageRepair.B |
| TROJ_KOVTER.SM | Trojan.Win32.Kovter.SM |
| TSPY_DRIDEX.YJL | TrojanSpy.Win32.Dridex.YJL |
| VBS_COINMINE.E | Coinminer.VBS.Coinmine.E |
| WORM_DOWNAD.KK | Worm.Win32.Downad.KK |