
July 29th, 2009

What to imagine behind Win32:MalOb [Cryp]

Our users are sometimes confused about what a given malware name means. In fact, some names have no special meaning – they mostly belong to short-lived pieces of malware. In contrast to this daily stuff, there are malware families (long-lived, widespread or highly dangerous) that deserve a unique name. One reason is that a unique name can be searched for effectively (check the difference when you type “Win32:Trojan-gen” and “Win32:Fasec” into your search engine). There is no mandatory naming convention applicable to all AV vendors. Our names consist of these parts:

- platform (or file type) prefix

- malware name

- malware type

The most frequently used prefixes nowadays are Win32: and JS:, because the majority of malware is Win32 and JavaScript malware. If you want to see the names of some recently active malware families, visit

The malware type field is the last part of the name (in brackets) and it can be:

- Trj = trojan horse

- Wrm = worm

- Rtk = rootkit

- Expl = exploit

- Cryp = malware cryptor

and a few others. Sometimes the malware type is missing; this means either a file infector or some kind of generic malware. You can always use our forums when you are not sure what you are dealing with. And now the answer to the question in the title – what to imagine behind Win32:MalOb [Cryp]?

Win32 – the platform the malware was developed for

MalOb – short for “malware obfuscator”: the file was modified with some custom tool to hide the bad things

Cryp – a cryptor used (only) by malware creators
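As an added illustration (not code from the original post), the following Python splits a detection name of the form described above into its three parts. The type table is taken from the list in the post, the handling of a missing type follows the post's note that it then indicates a file infector or generic detection, and the function and class names are my own.

```python
import re
from typing import NamedTuple, Optional

# Type suffixes as listed in the post (bracketed last part of the name).
MALWARE_TYPES = {
    "Trj": "trojan horse",
    "Wrm": "worm",
    "Rtk": "rootkit",
    "Expl": "exploit",
    "Cryp": "malware cryptor",
}

# <platform prefix> ":" <malware name>, optionally followed by " [<type>]"
_NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+):(?P<family>[^\s\[\]]+)(?:\s*\[(?P<type>[A-Za-z]+)\])?$"
)


class DetectionName(NamedTuple):
    platform: str
    family: str
    type_code: Optional[str]
    type_description: str


def parse_detection_name(name: str) -> DetectionName:
    """Split an Avast-style detection name into platform, family and type.

    A missing bracketed type is reported as the post describes it: the
    detection is then either a file infector or some kind of generic malware.
    Names in another vendor's format (e.g. 'W32/Heur.15f5a8e') are rejected.
    """
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an Avast-style detection name: {name!r}")
    code = m.group("type")
    if code is None:
        desc = "no type given: file infector or generic malware"
    else:
        desc = MALWARE_TYPES.get(code, f"unknown type code {code!r}")
    return DetectionName(m.group("platform"), m.group("family"), code, desc)


if __name__ == "__main__":
    # Sample names: the first two appear in the post, the third is constructed.
    for sample in ("Win32:MalOb [Cryp]", "Win32:Trojan-gen", "JS:Fasec [Trj]"):
        d = parse_detection_name(sample)
        print(f"{sample}: platform={d.platform} family={d.family} type={d.type_description}")
```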

Btw: the spectrum of malware covered by Win32:MalOb consists of fake antiviruses, fake codecs, spam engines etc.

  • The_Blinded

    Optimizes and simple explanation, thanks!
    I still ask myself why there are so many names for the same malware among different software houses. Some of them are very different.

    • Michal Krejdl

      It’s because there are different approaches to detect malware (exact match, algo, heuristics etc) – what someone calls Win32:Agent someone else calls W32/Heur.15f5a8e just because he detected it heuristically. There are only slight differences in names of some well known viruses (e.g. Virut vs. Virux).

  • The_Blinded

    Thanks for the explanation! Now I have understood.

    And sorry for my English

  • Owais Qureshi

    Thanks for the info, it's helpful in understanding the naming conventions used by AVAST..!

  • Juninhoslo

    Thx :)

  • rockernault

    Is there no malware for the 64-bit platform??

    Thanks for the explanation… I've UNDERSTOOD

    (for the comment #3)
    Reading and writing in English is the best way to learn the language.. I'm from Mexico


  • Cristian

    Umm, I had a problem. I had a game, Gothic II, and Avast has detected it as a virus. I don't know why; I haven't patched this game, nothing more.
    I played it for a few years and Avast hasn't detected it as a virus.
    Maybe I must uninstall it and install it again???

  • Cristian

    No, uninstall and install does nothing. I did it, but it's still a virus.
    I bought it in a shop.

  • Cristian

    This GothicII.exe is Win32:MalOb [Cryp]

  • Cristian

    Someone Can Help Me?????

  • Michal Krejdl

    This file has been considered a false positive. The detection will be fixed soon. Wait for the VPS update.

  • Admiral Asmov of Earthship Sea

    Wing Commander Prophecy from GOG triggered a “threat has been detected” warning from Avast. I am unable to determine if it is a false positive or not. I have heard some horror stories about Win32:MalOb [Cryp], so I guess I'll have to hold off on that game (and Gothic II) until some AV is smart enough to determine if or if NOT it is a false positive/false negative. This game was also flagged a few months ago, so I am going to guess that either Avast is not addressing the issue or indeed it is malware and not a false positive, in which case GOG is to blame. Case in point: SOMEONE needs to stand up and fix it, I don't care which end it needs to be corrected at! I pay good money for GOG games and for Avast Premier!

  • Admiral Asmov of Earthship Sea

    6 years is a long time, my friend. That is the age of your comment.

  • Admiral Asmov of Earthship Sea

    I am only replying to this ridiculously old comment to say it hasn't been fixed by Avast or GOG. It will not be. Go post on GOG; all you get is “It is a false positive (as usual)”, but it isn't, or Avast would say it wasn't!