Threat Platforms

The term Threat Platform is used to refer to the operating system or application on which a malicious program operates.

To indicate the platform a malicious program operates on, F-Secure includes a platform designator in the detection name for the malware. For example, the detection for the notorious Downadup worm (also known as Conficker) is:

  • Worm:W32/Downadup

Here 'W32' is the platform designator. It indicates that the malicious program 'Downadup' is designed to work on machines running the 32-bit Windows operating system.

Most malicious programs are designed to function on only one platform, as they must target and exploit specific files or vulnerabilities unique to a particular operating system or application. Some malware is even more specific: it can run only if a specific application is installed on a specific operating system.

Occasionally, malware is found that is sophisticated enough to operate on more than one platform, but such cases are still relatively rare.



Listed below are some of the most common platforms targeted by malware.

  • AM
    Macro malware for VBA in Access 97 or later
  • AndroidOS
    Malware that runs on the Android OS
  • ACAD
    Malware or exploits that use AutoCAD
  • BAT
    Malware that requires DOS, Windows or NT command interpreter or clone (4DOS, 4NT)
  • Boot
    Malware that resides in the Master Boot Record or DOS Boot Sector
  • ChromeOS
    Malware that runs on Chrome OS
  • CM
    VBA macro malware for Corel Draw! v 9.0 or later
  • CS
    Malware for CorelScript interpreter in many Corel products
  • DOS
    Malware that infects DOS COM, EXE (MZ) or SYS files and requires some version of MS-DOS or a clone
  • HLP
    Malware for WinHelp. Note: JS and VBS script malware embedded in HTML and CHM files should use the JS or VBS platform
  • HTML
    For files that only contain a malicious iframe and cannot be classified as JS, PHP or other script
  • IDA
    Malware for IDA Pro
  • INF
    Malware that uses Windows INF files
  • INI
    Malware for mIRC INI files
  • iPhoneOS
    Malware that runs on the iPhone platform
  • MSIL
    Malware for .NET platform
  • Java
    Malware for the Java runtime environment (standalone or browser-embedded)
  • JS
    Malware for the JScript or JavaScript interpreter. HTML- and CHM-embedded JS malware falls into this platform type
  • Linux
    Malware that runs on any Linux distribution
  • MacOS
    Malware that runs on MacOS prior to OSX
  • MMS
    Malware that spreads via Multimedia Messaging System (MMS) messages
  • OM
    For malware that infects at least two applications within the Office 97 suite or later. Also includes related products (Visio, Projects)
  • OS2
    Malware that runs on OS/2
  • OSX
    Malware that runs on Mac OSX
  • PM
    Malware for VBA in Project 98 or later
  • PalmOS
    Malware for PalmOS
  • Perl
    Malware that requires a Perl interpreter, including those under WSH, and HTML-embedded Perl malware
  • PHP
    Malware for PHP script
  • PPM
    Macro malware for VBS in PowerPoint 97 or later
  • PUM
    Macro malware for VBS in Publisher 97 or later
  • REG
    Malware in Windows Registry file format
  • SH
    Malware that requires a Unix(-like) shell script interpreter. Hosting does not affect the platform name. Shell malware specific to Linux, Solaris, HP-UX or other Unices, or specific to csh, ksh, bash, tcsh or other interpreters all fall under this platform name.
  • SMS
    Malware that spreads via Short Messaging System (SMS) messages
  • Solaris
    Malware for Solaris
  • SymbOS
    Malware for Symbian OS
  • SVL
    Malware for Microsoft Silverlight
  • SWF
    Malware for Macromedia Flash
  • Unix
    Malware that runs on Unix, ELF file infectors etc
  • VBS
    Malware for the Visual Basic Script interpreter. Hosting does not affect the platform designator. Standalone VBS infectors that require VBS under WSH, HTML-embedded VBS malware, and malware embedded in Windows compiled HTML help files (CHM), all fall under this platform type.
  • W16
    Malware for 16-bit Windows (native executables)
  • W32
    Malware for 32-bit Windows (native executables)
  • W64
    Malware for 64-bit Windows (native executables)
  • W128
    Malware for 128-bit Windows (native executables)
  • WM
    Macro malware for VBA in Word 97 or later
  • WinCE
    Malware for PocketPC (Windows CE)
  • WinHEX
    Malware for WinHex
  • WMA
    Windows Media Audio (WMA) file, usually disguised as an MP3, that when loaded or played redirects to a site that tells the user to download and install a malicious codec to hear the audio
  • WMV
    Windows Media Video (WMV) file, usually disguised as an AVI, that when loaded or played redirects to a site that tells the user to download and install a malicious codec to view the video
  • XM
    Macro malware for VBA in Excel 97 or later
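
The following is an added example, not F-Secure code: it parses detection names of the Type:Platform/Family shape shown above, extracts the platform designator, and compares it with the operating system of the host that reported the alert. The OS-family labels, the triage outcome names and every sample detection name except Worm:W32/Downadup are assumptions made for illustration.

```python
import re
from collections import Counter

# Designators from the list above that name an operating system, mapped to a
# coarse host OS family. The family labels are this example's own convention,
# and bitness (W32 vs W64) is not checked.
OS_PLATFORMS = {"W32": "windows", "W64": "windows", "Linux": "linux",
                "OSX": "macos", "AndroidOS": "android", "Solaris": "solaris"}
# Designators the list describes as needing an interpreter, runtime or
# application rather than a particular operating system.
HOSTED_PLATFORMS = {"BAT", "JS", "VBS", "PHP", "Perl", "SH", "Java", "MSIL",
                    "AM", "CM", "OM", "PM", "PPM", "PUM", "WM", "XM", "SWF"}

# Type:Platform/Family, the shape of "Worm:W32/Downadup".
DETECTION_RE = re.compile(
    r"^(?P<type>[^:/\s]+):(?P<platform>[^:/\s]+)/(?P<family>\S+)$")

def parse_detection(name):
    """Split a detection name into type, platform and family, or None."""
    match = DETECTION_RE.match(name.strip())
    return match.groupdict() if match else None

def triage(detection, host_os):
    """Compare the detection's platform designator with the reporting host."""
    parsed = parse_detection(detection)
    if parsed is None:
        return "unparsed"
    platform = parsed["platform"]
    if platform in OS_PLATFORMS:
        same = OS_PLATFORMS[platform] == host_os
        return "platform-match" if same else "platform-mismatch"
    if platform in HOSTED_PLATFORMS:
        return "needs-host-application"
    return "unknown-platform"

# Constructed sample alerts (detection name, host OS family). Only the first
# detection name appears on the page; the others are made up.
ALERTS = [("Worm:W32/Downadup", "windows"), ("Worm:W32/Downadup", "linux"),
          ("Trojan:JS/SampleFamily", "windows"),
          ("Trojan:ZZ9/SampleFamily", "windows"), ("corrupted field", "windows")]

def summarize(alerts):
    """Count triage outcomes across a batch of alerts."""
    return Counter(triage(name, host) for name, host in alerts)

if __name__ == "__main__":
    for name, host in ALERTS:
        print(f"{name!r} on {host}: {triage(name, host)}")
```

A "platform-mismatch" result is a triage hint only: the file may still be stored on or relayed through that host even if it is not designed to run there.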


