Threat Description

Heuristic detection

Details

Aliases: Heuristic detection, Gen:Trojan.Heur, Gen:Heur, Could be infected with an unknown virus, Memscan:trojan
Category: Malware
Type:
Platform: W32

Summary



The file appears to be suspicious, is potentially undesirable, or may be structured in a way, or have characteristics, that resemble known malware. This may indicate the presence of a malware infection, or that the suspect file is malicious.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



F-Secure security programs include heuristic engines that perform extended file analysis during a system scan in order to identify suspicious, malware-like code or potentially harmful routines.

For more information about heuristics, please see Terminology: Heuristic Analysis.

Once found, the program may either automatically disinfect the suspect file, or prompt the user for their desired action. If in doubt, or in cases where a legitimate file is suspected to contain malicious code, please send a sample to F-Secure Security Labs via the Sample Analysis System for analysis.

Actual detection names used by the heuristic engines may vary, and include:

Possibly Infected With an Unknown Virus
Saattaa olla tuntemattoman viruksen saastuttama
Possibly a mass mailing worm
Virus-like code found by heuristics
Deepscan:generic.malware
Gen:Heur
Possibly Destructive Program
New or Modified Variant Of
Viruses cannot be disinfected unless they are identified

The suspect file found on the computer system showed malicious/potentially damaging routines or characteristics.

Gen:Trojan.Heur

The suspect file contains trojan-like code or behavior.

Memscan:

After a suspect file has been emulated in a 'virtual' environment, the virtual memory is examined for malware.

Possible misdisinfected virus

The suspect document or a workbook may contain an incompletely disinfected virus.

Suspicious Win32 PE

A Windows program file contains suspicious code; this may be either an unknown virus or simply virus-like code. Please send a sample to F-Secure Labs for analysis.

Type_Com

The suspect file contains virus-like code resembling a COM file infector virus. For more information about file infector viruses, please see Terminology: File Virus.

Type_ComTSR

The suspect file contains virus-like code resembling a memory-resident COM file infector virus. For more information about file infector viruses, please see Terminology: File Virus.

Type_Exe

The suspect file contains virus-like code resembling an EXE file infector virus. For more information about file infector viruses, please see Terminology: File Virus.

Type_ExeTSR

The suspect file contains virus-like code resembling a memory-resident EXE file infector virus. For more information about file infector viruses, please see Terminology: File Virus.

Type_ComExe

The suspect file contains virus-like code resembling a file infector virus that may affect COM and EXE files. For more information about file infector viruses, please see Terminology: File Virus.

Type_ComExeTSR

The suspect file contains virus-like code resembling a memory-resident file infector virus that may affect both/either COM and EXE files. For more information about file infector viruses, please see Terminology: File Virus.

Type_Boot

The suspect file contains virus-like code resembling a BOOT sector infector virus. For more information about file infector viruses, please see Terminology: Boot Virus.

Type_Trojan

Found trojan-like code in file or boot record. For more information about trojans, please see Terminology: Trojan.

Type_Win32

Found virus-like code resembling a Windows 95/98/NT EXE file infector virus. For more information about infector viruses, please see Terminology: File Virus.

Type_Formula

A Microsoft Excel sheet containing a 'CALL' instruction was found. This relates to a known security vulnerability. Further information is available from Microsoft: http://www.microsoft.com/technet/security/bulletin/ms98-018.asp.

Type_RemoteTemplate

A Microsoft Word document containing a reference to a remote template (i.e., not in the local machine) was found. This relates to a known security vulnerability. Further information is available from Microsoft: http://www.microsoft.com/technet/security/bulletin/ms99-002.asp.

Type_Script

A suspicious fragment in a program written with a scripting language (e.g., JavaScript or Visual Basic Script) was found. This relates to a known security vulnerability. Further information is available from Microsoft: http://www.microsoft.com/technet/security/bulletin/ms99-002.asp.

JS.ActiveXComponent

An HTML page containing references to a known vulnerability in the Internet Explorer web browser was found. Further information, including a fix, is available from Microsoft: http://www.microsoft.com/technet/security/bulletin/ms00-075.asp.

HTML.SecurityBreach.2, HTML.SecurityBreach.3

A suspicious reference to a script object has been found. Further information about the vulnerability is available from Microsoft: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp.

NOTE:

If a legitimate file contains potentially damaging routines or suspicious code, F-Secure products will flag it as Suspicious as a precautionary measure.

Subsequent analysis may then determine the file is in fact a False Alarm, or a False Positive. The relevant detection will then be modified to ensure the issue does not reoccur.

For more information about the latest False Alarms, please see the False Positive description.





