

July 29th, 2009

What to imagine behind Win32:MalOb [Cryp]

Our users are sometimes confused about what a particular malware name means. In fact, some names carry no special meaning: they mostly belong to short-lived pieces of malware. In contrast to this daily stuff, some malware families (long-lived, widespread or highly dangerous) deserve a unique name. One reason is that a unique name can be searched for effectively (compare the results when you type “Win32:Trojan-gen” and “Win32:Fasec” into your search engine). There is no mandatory naming convention that applies to all AV vendors. Our names consist of these parts:

- platform (or file type) prefix

- malware name

- malware type

The most frequently used prefixes nowadays are Win32: and JS:, because the majority of malware either targets Win32 or is written in JavaScript. If you want to see the names of some recently active malware families, visit www.avast.com/eng/latest-virus-report.html. The malware type field is the last part of the name (in brackets) and it can be

Trj = trojan horse

Wrm = worm

Rtk = rootkit

Expl = exploit

Cryp = malware cryptor

and a few others. Sometimes the malware type is missing, which means either a file infector or some kind of generic malware. You can always use our forums when you are not sure what you are dealing with. And now the answer to the question in the title: what to imagine behind Win32:MalOb [Cryp]?

Win32 – the platform the malware was developed for

MalOb – short for “malware obfuscator”; the file was modified with some custom tool to hide the bad things

Cryp – a cryptor used (only) by malware creators

Btw: the spectrum of malware covered by Win32:MalOb includes fake antiviruses, fake codecs, spam engines etc.
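To make the three-part layout described above concrete, here is a small parser for avast-style detection names. It is an added example, not code from avast or from this post; the regular expression, the function names and the sample labels are my own assumptions, and the type-code table is the one listed in the post.

```python
import re
from typing import Optional, NamedTuple

# Type codes quoted from the post; the page lists these five and "a few others".
TYPE_MEANINGS = {
    "Trj": "trojan horse",
    "Wrm": "worm",
    "Rtk": "rootkit",
    "Expl": "exploit",
    "Cryp": "malware cryptor",
}

# Assumed layout: <platform>:<name> optionally followed by [<type>], e.g. "Win32:MalOb [Cryp]".
NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+):(?P<name>[^\s\[\]]+)(?:\s*\[(?P<type>[A-Za-z]+)\])?$"
)


class Detection(NamedTuple):
    platform: str          # e.g. "Win32" or "JS"
    name: str              # e.g. "MalOb" or "Trojan-gen"
    type_code: Optional[str]   # None when the bracketed type field is absent
    type_meaning: str


def is_detection_name(label: str) -> bool:
    """True if the label follows the platform:name [type] layout (other vendors' styles do not)."""
    return NAME_RE.match(label.strip()) is not None


def parse_detection_name(label: str) -> Detection:
    m = NAME_RE.match(label.strip())
    if not m:
        raise ValueError(f"not an avast-style detection name: {label!r}")
    code = m.group("type")
    if code is None:
        # Per the post, a missing type means a file infector or generic malware.
        meaning = "file infector or generic malware (type field absent)"
    else:
        meaning = TYPE_MEANINGS.get(code, f"unknown type code {code!r}")
    return Detection(m.group("platform"), m.group("name"), code, meaning)


def describe(label: str) -> str:
    d = parse_detection_name(label)
    return f"{d.name} on {d.platform}: {d.type_meaning}"


def count_by_type(labels) -> dict:
    """Tally a batch of labels by type code ('none' when absent), useful for triaging a scan log."""
    counts: dict = {}
    for label in labels:
        key = parse_detection_name(label).type_code or "none"
        counts[key] = counts.get(key, 0) + 1
    return counts
```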

  • The_Blinded

    Optimal and simple explanation, thanks!
    I still ask myself why there are so many names for the same malware among different software houses. Some of them are very different.

    • http://www.avast.com Michal Krejdl

      It’s because there are different approaches to detect malware (exact match, algo, heuristics etc) – what someone calls Win32:Agent someone else calls W32/Heur.15f5a8e just because he detected it heuristically. There are only slight differences in names of some well known viruses (e.g. Virut vs. Virux).

  • The_Blinded

    Thanks for the explanation! Now I have understood.

    P.S.
    And sorry for my English

  • Owais Qureshi

    Thanks for the info, it's helpful in understanding the naming conventions used by AVAST..!

  • Juninhoslo

    Thx :)

  • http://foro.xinformatica.net rockernault

    Is there no malware for the 64-bit platform??
    xD

    thanks for the explanation… I've UNDERSTOOD

    (for the comment #3)
    reading and writing in English is the best way to learn the language.. I'm from Mexico


  • Cristian

    Umm, I had a problem. I had a game, Gothic II, and Avast has found it as a virus. I don't know why; I haven't patched this game and nothing more.
    I played it for a few years and Avast hadn't found it as a virus.
    Maybe must I uninstall it and install???

  • Cristian

    No, uninstall and install does nothing. I did it but still a virus.
    I bought it in a shop.

  • Cristian

    This GothicII.exe is Win32:MalOb [Cryp]

  • Cristian

    Can someone help me?????

  • http://www.avast.com Michal Krejdl

    @Cristian
    This file has been considered a false positive. The detection will be fixed soon. Wait for the VPS update.