Dr.Web virus classification

"HLL." (High Level Language) - the viruses written in high level programming languages (such as C, C++, Pascal, Basic, etc). In some cases the code of the compiled HLL-viruses is packed with different compression utilities (PKLITE, LZEXE, DIET, etc).

There are several classes of HLL-viruses:

• "HLLC." (High Level Language Companion) - the virus which employ an infection algorithm based on manipulation of filenames in the file system. Generally, the HLLC-viruses rename the original executable file (or move it to another folder) and then use the original executable file name to create the copy of the virus in its place.
• "HLLO." (High Level Language Overwriting) -the viruses which overwrite the data of the affected file.
• "HLLP." (High Level Language Parasitic) - the viruses which infect executable files without any critical damage of the original data of the affected file.
• "HLLW." (High Level Language Worm) - the viruses which do not need any host file to spread. They just copy themselves to disk directories.
• "HLLM." (High Level Language MassMailing Worm) - the virus worm programs of mass distribution written in high level programming languages.

These viruses use the features of file formats and built-in macro languages of MS Office applications (Word Basic for MS Word 6.0-7.0; VBA3 for MS Excel 5.0-7.0; VBA5 for MS Office'97; VBA6 for MS Office'2000).

• "WM." - infect MS Word 6.0-7.0 documents and templates;
• "XM." - infect MS Excel 5.0-7.0 sheets;
• "W97M." - infect MS Word 8.0-9.0 (MS Office'97/2000) documents and templates;
• "X97M." - infect MS Excel 8.0-9.0 (MS Office'97/2000) sheets;
• "A97M." - infect MS Access'97/2000 databases;
• "O97M." - "multi-platform" macro viruses for several MS Office applications simultaneously.

• "Trojan." - it is a common name for different "Trojan horse" programs.
• "PWS." - password stealing Trojans. Generally, combined with "Trojan." prefix - "Trojan.PWS."
• "Backdoor." - it is a Trojan horse program which contains a RAT-function inside (RAT - Remote Administration Tool).

These viruses are written in different script languages. As a rule, VBS-, JS- and WScript- viruses are worms that use email services to spread.

• "VBS." - viruses are written in Visual Basic Script language;
• "JS." - viruses are written in Java Script language;
• "WScript." - VBS- and/or JS- worms are often embedded in HTML-files.
• "BAT." - viruses are written in MS-DOS command interpreter language

• "Win." - infects Windows 16-bit executable programs (NE). NE - NewExe - Windows 3.xx executable files format. Some of these viruses can work not only in Windows'3.xx environment but in Win'95/98/NT too.
• "Win95." - infects Windows 32-bit executables (PE and LE(VxD)) and works only in Windows 95/98 environment
• "WinNT." - infects Windows 32-bit executables (PE) and works only in Windows NT environment
• "Win32." - infects Windows 32-bit executables (PE) and works in different Win32-environments - Windows 95/98/NT
• "OS2." - infects OS/2 executable programs (LX) and works only in OS/2 environment
• "Linux." - infects Linux executable programs and works only in Linux environment
• "Java." - viruses which are written in the Java language

These are the viruses which don't have any special characteristic (such as text strings, special effects, etc.) and therefore cannot be given any unique name.

• "SillyC." - non-resident, infect only COM-files;
• "SillyE." - non-resident, infect only EXE-files;
• "SillyCE." - non-resident, infect only COM- and EXE-files;
• "SillyRC." - resident, infect only COM-files;
• "SillyRE." - resident, infect only EXE-files;
• "SillyRCE." - resident, infect only COM- and EXE-files;
• "SillyO." - non-resident viruses which overwrite affected files ;
• "SillyOR." - resident viruses which overwrite affected files.

• "IRC." - worms spreading via Internet Relayed Chat channels.

We also use such postfixes

• ".generator" - specifies the so called "Virus constructor" programs themselves.
• ".based" - this suffix means that the virus was generated by specified virus constructor program or that the virus was designed as a generic modification of specified "basic" virus code.
• ".dropper" - it is a common name for "installator" of a specified virus. This is not a virus, but when this "dropper" is run, it produces a virus and installs it into the operating system (into executable file, document, boot sector, etc).