Last updated: 2012-02-04 06:30:05 MSK
Total records in virus database: 2610305

Dr.Web virus classification

  • "HLL" (High Level Language) viruses
  • Macro viruses for MS Office
  • Trojan horses
  • Script viruses
  • Viruses written for different operating systems and platforms
  • Silly viruses
  • Other viruses


"HLL." (High-Level Language): Viruses written in high-level programming languages (such as C, C++, Pascal, Basic, etc.). In some cases the code of the compiled HLL viruses is packed with different compression utilities (PKLITE, LZEXE, DIET, etc.).

There are several classes of HLL-viruses:

  • "HLLC." (High-Level Language Companion): Viruses that employ an infection algorithm based on the manipulation of filenames in the file system. Generally the HLLC virus renames the original executable file (or moves it to another folder) and then uses the original executable filename to create a copy of the virus in its place.
  • "HLLO." (High-Level Language Overwriting): Viruses that overwrite the data of the affected file.
  • "HLLP." (High-Level Language Parasitic): Viruses that infect executable files without damaging the original data file.
  • "HLLW." (High-Level Language Worm): Viruses that do not need any host file to spread; they just copy themselves to disk directories.
  • "HLLM." (High-Level Language MassMailing Worm): Virus worm programs of mass distribution written in high-level programming languages.

Macro viruses for MS Office

These viruses use the features of file formats and built-in macro languages of MS Office applications (Word Basic for MS Word 6.0-7.0; VBA3 for MS Excel 5.0-7.0; VBA5 for MS Office'97; VBA6 for MS Office'2000).

  • "WM." - infect MS Word 6.0-7.0 documents and templates;
  • "XM." - infect MS Excel 5.0-7.0 sheets;
  • "W97M." - infect MS Word 8.0-9.0 (MS Office'97/2000) documents and templates;
  • "X97M." - infect MS Excel 8.0-9.0 (MS Office'97/2000) sheets;
  • "A97M." - infect MS Access'97/2000 databases;
  • "O97M." - "multi-platform" macro viruses for several MS Office applications simultaneously.

"Trojan horses"

  • "Trojan." - a common name for various "Trojan horse" programs.
  • "PWS." - password-stealing Trojans. Generally combined with the "Trojan." prefix: "Trojan.PWS."
  • "Backdoor." - a Trojan horse program that contains a RAT function (RAT - Remote Administration Tool).

Script-viruses

These viruses are written in different script languages. As a rule, VBS-, JS- and WScript- viruses are worms that use email services to spread.

  • "VBS." - viruses written in the Visual Basic Script language;
  • "JS." - viruses written in the JavaScript language;
  • "WScript." - VBS and/or JS worms, often embedded in HTML files;
  • "BAT." - viruses written in the MS-DOS command interpreter language.

Viruses written for different operating systems and platforms

  • "Win." - infects Windows 16-bit executable programs (NE). NE (NewExe) is the Windows 3.xx executable file format. Some of these viruses can work not only in the Windows 3.xx environment but in Win'95/98/NT too.
  • "Win95." - infects Windows 32-bit executables (PE and LE (VxD)) and works only in the Windows 95/98 environment.
  • "WinNT." - infects Windows 32-bit executables (PE) and works only in the Windows NT environment.
  • "Win32." - infects Windows 32-bit executables (PE) and works in different Win32 environments: Windows 95/98/NT.
  • "OS2." - infects OS/2 executable programs (LX) and works only in the OS/2 environment.
  • "Linux." - infects Linux executable programs and works only in the Linux environment.
  • "Java." - viruses written in the Java language.

Silly-viruses

These are the viruses which don't have any special characteristic (such as text strings, special effects, etc.) and therefore cannot be given any unique name.

  • "SillyC." - non-resident, infect only COM-files;
  • "SillyE." - non-resident, infect only EXE-files;
  • "SillyCE." - non-resident, infect only COM- and EXE-files;
  • "SillyRC." - resident, infect only COM-files;
  • "SillyRE." - resident, infect only EXE-files;
  • "SillyRCE." - resident, infect only COM- and EXE-files;
  • "SillyO." - non-resident viruses which overwrite affected files;
  • "SillyOR." - resident viruses which overwrite affected files.

Other

  • "IRC." - worms spreading via Internet Relay Chat channels.

We also use the following suffixes:

  • ".generator" - denotes the so-called "virus constructor" programs themselves.
  • ".based" - means that the virus was generated by the specified virus constructor program, or that the virus was designed as a generic modification of the specified "basic" virus code.
  • ".dropper" - a common name for the installer of a specified virus. It is not a virus itself, but when the dropper is run, it produces a virus and installs it into the operating system (into an executable file, document, boot sector, etc.).
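
For triage of scanner logs, the prefixes and suffixes listed on this page can be decoded mechanically. The following is an added example, not Dr.Web code: the function names, the short category labels and the sample detection names are constructed here, and treating any run of leading known prefixes as combined is an assumption that generalises the "Trojan.PWS." case.

```python
import re

# Prefix meanings copied from the lists on this page (labels shortened).
PREFIXES = {
    "HLLC": "HLL companion", "HLLO": "HLL overwriting", "HLLP": "HLL parasitic",
    "HLLW": "HLL worm", "HLLM": "HLL mass-mailing worm",
    "WM": "Word 6.0-7.0 macro", "XM": "Excel 5.0-7.0 macro",
    "W97M": "Word 8.0-9.0 macro", "X97M": "Excel 8.0-9.0 macro",
    "A97M": "Access 97/2000 macro", "O97M": "multi-application Office macro",
    "Trojan": "Trojan horse", "PWS": "password stealer",
    "Backdoor": "backdoor (RAT)", "VBS": "VBScript", "JS": "JavaScript",
    "WScript": "script worm in HTML", "BAT": "MS-DOS batch",
    "Win": "Windows 16-bit (NE)", "Win95": "Windows 95/98", "WinNT": "Windows NT",
    "Win32": "Win32", "OS2": "OS/2", "Linux": "Linux", "Java": "Java",
    "IRC": "IRC worm",
}
SUFFIXES = {"generator", "based", "dropper"}
# Silly names encode behaviour in letters: O = overwriting, R = resident,
# C/E = COM/EXE targets. Only the eight forms listed above are accepted.
SILLY = re.compile(r"^Silly(?:(?P<o>O)(?P<or>R?)|(?P<r>R?)(?P<t>CE|C|E))$")

def decode_silly(token):
    """Return a description for a Silly* prefix, or None if it is not one."""
    m = SILLY.match(token)
    if not m:
        return None
    resident = bool(m.group("or") or m.group("r"))
    kind = "overwriting" if m.group("o") else "infects " + "+".join(
        {"C": "COM", "E": "EXE"}[c] for c in m.group("t"))
    return ("resident, " if resident else "non-resident, ") + kind

def parse_detection(name):
    """Split a detection name into class prefixes, family/variant and suffix."""
    tokens = [t for t in name.strip().split(".") if t]
    role = tokens.pop() if tokens and tokens[-1] in SUFFIXES else None
    classes = []
    # Assumption: every leading token that is a known prefix is a class marker.
    while tokens:
        label = PREFIXES.get(tokens[0]) or decode_silly(tokens[0])
        if label is None:
            break
        classes.append(label)
        tokens.pop(0)
    return {"classes": classes, "family": ".".join(tokens), "role": role}

# Constructed sample names, not taken from a real virus database.
SAMPLES = ["Trojan.PWS.Example.12", "SillyRCE.321", "W97M.Example.based"]
```

Names whose first token is not on this page come back with an empty "classes" list, so unknown prefixes stay visible for manual review.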


© Doctor Web
2003 — 2012