Michal Krejdl

29 July 2009

What to imagine behind Win32:MalOb [Cryp]


Our users are sometimes confused about what a malware name means. In fact, some names have no special meaning; they mostly belong to short-lived pieces of malware. In contrast to this daily stuff, there are malware families (long-lived, widespread or highly dangerous) that should have a unique name. One reason is that a unique name can be searched for effectively (compare the results when you type "Win32:Trojan-gen" and "Win32:Fasec" into your search engine). There is no mandatory naming convention that applies to all AV vendors. Our names contain these parts:

- platform (or file type) prefix

- malware name

- malware type

The most frequently used prefixes nowadays are Win32: and JS:, because the majority of malware is Win32 or JavaScript. If you want to see the names of some recently active malware families, visit www.avast.com/eng/latest-virus-report.html. The malware type field is the last part of the name (in brackets) and it can be:

- Trj = trojan horse

- Wrm = worm

- Rtk = rootkit

- Expl = exploit

- Cryp = malware cryptor

and a few others. Sometimes the malware type is missing. This means either a file infector or some kind of generic malware. You can always use our forums when you are not sure what you're dealing with. And now the answer to the question in the title: what to imagine behind Win32:MalOb [Cryp]?

Win32 - the platform that the malware was developed for

MalOb - short for "malware obfuscator"; this means that the file was modified with some custom tool to hide the bad things

Cryp - a cryptor used (only) by malware creators

Btw: the spectrum of malware covered by Win32:MalOb consists of fake antiviruses, fake codecs, spam engines etc.
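For anyone triaging scanner logs, the three-part scheme described above can be split mechanically. The parser below is an added example, not avast! code: the regular expression is an assumption derived from the names shown in this post, and the last two sample names are constructed.

```python
import re
from typing import NamedTuple, Optional

# Type abbreviations listed in the post. The post says there are a few others,
# so any other code is reported as unrecognised rather than guessed.
TYPE_LABELS = {
    "Trj": "trojan horse",
    "Wrm": "worm",
    "Rtk": "rootkit",
    "Expl": "exploit",
    "Cryp": "malware cryptor",
}

# Assumed layout: prefix ':' name, then an optional ' [type]' suffix.
NAME_RE = re.compile(
    r"^(?P<platform>[^:\s]+):(?P<name>[^\s\[\]]+)(?:\s*\[(?P<type>[^\[\]]+)\])?$"
)


class Detection(NamedTuple):
    platform: str
    name: str
    type_code: Optional[str]
    type_label: str


def parse_detection(raw: str) -> Detection:
    """Split 'Platform:Name [Type]' into platform, name and type."""
    m = NAME_RE.match(raw.strip())
    if m is None:
        raise ValueError(f"not in Platform:Name [Type] form: {raw!r}")
    code = m.group("type")
    if code is None:
        # Per the post: a missing type means a file infector or generic malware.
        label = "file infector or generic malware"
    else:
        code = code.strip()
        label = TYPE_LABELS.get(code, "unrecognised type code")
    return Detection(m.group("platform"), m.group("name"), code, label)


if __name__ == "__main__":
    # The first three names appear in the post; the last two are constructed.
    for s in ["Win32:MalOb [Cryp]", "Win32:Trojan-gen", "Win32:Fasec",
              "JS:Sample-A [Expl]", "Win32:Sample-B [Xyz]"]:
        print(s, "->", parse_detection(s))
```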
