Threat Descriptions

Notable threats

Over the years, some threats have gained infamy for being technological or historical milestones.

Some were the first to introduce a novel feature or technique. Others were able to infect a system, program or institution that was considered 'impregnable' at the time. And a few caused a considerable amount of annoyance or disruption to a lot of users.

Listed below are just a small sample of the most notable malware we've seen so far.



Backdoor:W32/BlackEnergy is a crimeware toolkit that has been modified for use in information gathering in advanced persistent threat (APT) atttacks.


Backdoor:W32/Duqu silently installs files on the infected system, then collects and forwards the confidential information from the system to a remote Command and Control (CC) server. Duqu is reportedly targeted to specific organizations, possibly with a view to collecting specific information that could be used for a later attack.


Havex is a Remote Access Tool (RAT) used in targeted attacks. Havex is known to have been used in attacks targeted against various industrial sectors, particularly the energy sector. Variants seen circulating in the spring of 2014 were modified to target organizations involved in developing or using industrial applications or appliances.


Backdoor:W32/Moudoor is a derivative of the notorious Gh0st Remote Access Tool (RAT) that is notable for being a favored tool of a cyberespionage group that has been working since 2010 and targeting industries such as financial services, government departments and education facilities around the world.


Backdoor:W32/OnionDuke (both A and B variants) are DLL files dropped by Trojan-Dropper:W32/OnionDuke and used to download and execute additional malicious components on the affected system.


Flame is a sophisticated information-gathering program used in targeted cyber-attacks against organizations and nation states in the Middle East.


Rootkit:W32/Regin is a complex espionage toolkit used to keep itself and other malicious components from being detected on an infected system. This malware has reportedly been used to target a variety of organizations around the world.


Trojan-Dropper:W32/CosmicDuke steals information from an infected system using keylogging, screen captures and stealing file and clipboard data. Harvested data is forwarded to a remote server via FTP.


Trojan-Dropper:W32/Stuxnet automatically executes itself and drops files onto the system by exploiting a vulnerability in various Windows versions (CVE-2010-2568) that allows malicious code to run when a specially crafted shortcut icon is displayed. This malware appears to be targeted to businesses using Siemens >SIMATIC WinCC database applications, as its payload involves data theft from these resources.



Cryptolocker encrypts files on the compromised computer and demands a ransom to provide the decryption key needed to decrypt the files.


CTB-Locker is ransomware that encrypts files on the affected machine and demands payment in return for the decryption key needed to restore access to the files.


Trojan-Downloader:JS/Locky is ransomware that encrypts files saved on the machine and demands payment of a ransom in order to obtain the decryption key needed to restore normal access to the affected files.


Petya is ransomware that encrypts the Master Boot Record on a computer and demands payment of a ransom in order to obtain the decryption key needed to restore normal access to the affected machine.


Trojan.TeslaCrypt is ransomware that encrypts files saved on the machine and demands payment of a ransom in order to obtain the decryption key needed to restore normal access to the affected files.


Trojan:Android/SLocker.A is reportedly the first Android ransomware that uses file encryption. It is also noted for its use of the TOR anonymizing network to communicate with its controller.


Trojan:HTML/Browlock is ransomware that prevents users from accessing the infected machine's Desktop; it then demands payment, supposedly for either possession of illegal material or usage of illegal software.


Trojan:W32/BandarChor is ransomware that steals control of the user's machine or data, then demands a payment from the user to restore normal access to the ransomed content or system.


Trojan:W32/Cryptowall is a ransomware that silently encrypts files on the user's machine and demands a ransom to provide the decryption key needed to decrypt the files.



Exploit:Java/Blackhole identifies a Java class module used as part of an exploit kit known as Blackhole.


FlashPack is an exploit kit that attempts to exploit vulnerabilities in a user's computer or mobile device (or in the programs installed on it). If successful, FlashPack will then download additional malware onto the compromised device.


SweetOrange is an exploit kit that runs various exploits against the user's computer in order to probe for any vulnerabilities present in programs installed on the machine, or in the computer's operating system itself; if the exploit(s) are successful, then the user's machine may be compromised and exposed to further intrusion.


Rootkit:W32/Necurs is a standalone malware that was first seen in 2011, but gained more prominence once it started being used in the Gameover Zeus botnet.


Rootkit:W32/ZAccess constantly displays advertisements on the infected machine and may silently contact remote servers to retrieve additional advertising information.


Trojan:W32/Zbot (also known as Zeus or Wsnpoem) is a large family of malware that steals information from an infected system.


Trojan:W32/DNSChanger will change the infected system's Domain Name Server (DNS) settings in order to divert traffic to unsolicited, and potentially illegal sites.


Virus:W32/Ramnit is a family of viruses that infect EXE, DLL and HTML files found on the computer. Depending on the variant, Ramnit-infected machines can also be enslaved in a botnet.


Sality refers to an old, large family of viruses that infect executable files. Over the years, new functionalities have been added to the malware to keep it active and current. Modern Sality variants can, among other things, act as a backdoor and connect infected machines to a botnet.



DroidRooter is a family of binary exploits that is used to gain root privilege on an Android device.


Exploit:Android/GingerBreak is a piece of code that exploits a vulnerability (CVE-2011-1823) in Android operating systems before version 2.3.4 to gain root privileges on the affected device.


HtcLoggers.A is a preinstalled application that might leak confidential information to other applications.


Exploit:Android/Masterkey identifies code designed to exploit a known vulnerability in the way the Android operation system verifies the authenticity of an app.


DroidRooter is a family of binary exploits that is used to gain root privilege on an Android device.


Cracker.A is a tool that can be used to override the security policy in Microsoft Exchange corporate email service.


LoicDos.A is a program that turns an infected device into a bot, which is used to perform denial of service (DoS) attack on a targeted server.


MemPoDroid.A is a tool for exploiting the mem_write function in Android Linux kernel, which upon successful exploitation, could grant an attacker a major access to a compromised device.


SMBCheck.A is a tool that checks whether a vulnerable SMBv2 server exists on a system running on Microsoft Windows operating system.


TattooHack.A is an exploit that lets user bypass a security constraint in HTC Tattoo devices.


Trojan-Downloader:Android/Boqx refers to a maliciously repackaged version of a popular gaming application.

iOS & Mac OS X


Backdoor:iPhoneOS/XCodeGhost identifies iOS apps that include code introduced when the software was created using a maliciously-modified version of the Xcode app creation framework.


Backdoor:iPhoneOS/Xsser is a mobile Remote Administrative Tool (RAT) that was reportedly found on iOS devices.


Exploit:iPhoneOS/CVE-2014-4377 identifies a maliciously crafted PDF document that attempts to exploit the CVE-2014-4377 vulnerability in iOS 7.1.x; successful exploitation would allow an attacker to remotely execute arbitrary code on the affected device.


Trojan:iPhoneOS/SSLCredsThief.A listens to the outgoing SSL connections from a jailbroken iPhone in order to steal the device's Apple ID.


Trojan:iPhoneOS/Adthief.A hijacks the advertisement modules used by other installed apps to display its own advertisements.


Worm:iPhoneOS/Ikee is the first worm to target the Apple iPhone. Its most notable action involves changing the background wallpaper on the device.


Worm:iPhoneOS/Ikee.B is the second variant of the Ikee worm and the first with a clearly malicious attack.


Once installed on a Backdoor:OSX/Clientsnow allows a remote attacker to silently perform actions on the infected machine.


Backdoor:OSX/DevilRobber.A silently installs applications related to Bitcoin-mining; it may also harvest data from the infected machine and listen for additional commands from a remote user.


Backdoor:OSX/Imuler.A contacts a remote server for instructions; it may then steal files or capture a screenshot of the infected computer system, which is then forwarded to the remote server.


Backdoor:OSX/Iworm connects affected Mac OS X machines to a botnet and is capable of a executing a range of commands. At the time of writing, there have been no reports of the IWorm botnet being used for malicious activities.


Backdoor:OSX/Olyx.A connects to a remote server to receive further instructions, without knowledge or permission from the user.


Once installed on a system, Backdoor:OSX/XSLCmd wait for instructions from a remote server and execute them on the infected machine.


Backdoor:OSX/iWorkServ.A is a trojan backdoor that installs itself on Mac OSX computers.


Backdoor:OSX/MacKontrol.A connects to a remote server to receive further instructions, without the knowledge or permission from the user.


Backdoor:OSX/Sabpab.A connects to a remote server to receive further instructions, without the knowledge or permission from the user.


Dishonest antivirus software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.


Trojan-Downloader:OSX/Flashback is a family of malicious applications which when installed on a computer will download a payload from a remote site, then modify targeted webpages displayed in the web browser. Variants in the Flashback family may include additional malicious functionalities or characteristics.


Trojan-Downloader:​​OSX/Jahlev.A entices the user into downloading a fake video codec, which supposedly will solve an Active X object error. The downloaded file is a mountable disk image (DMG) file used by Mac OS X to install applications, and contains an installer package named "install.pkg".


Trojan-Dropper:OSX/Revir.A drops a downloader component that downloads a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.


Trojan:OSX/Loosemaque.A appears to be a video game, but deletes files from the user home folder when a user plays it.


Worm:OSX/Tored.A is a worm that propagates through infected e-mails and is capable of functioning as a backdoor and keylogger.



The Backdoor:Linux/Meche family covers a wide base of variants that are based on the EnergyMech IRC bot. The bot is widely used by miscreants to compromise Linux installations.


Backdoor:Linux/Shellshock.A identifies files that attempt to exploit the CVE-2014-6271 vulnerability reported in Bash software. If successfully exploited, this vulnerability could allow remote attackers to execute code on the affected system. This vulnerability affects Unix-based operating systems, including Linux and Mac OS X.


DroidRooter.A is a binary exploit that is used to gain root privilege on an Android device.


This worm is related to This worm was found on Monday the 30th of September 2002.


Adore is a worm that spreads in Linux systems using four different, known vulnerabilities already used by the Ramen and Lion worms. These vulnerabilities concern BIND named, wu-ftpd, rpc.statd and lpd services.


This virus spreads only under Linux operating system, infecting Elf-style executables. Found in the wild in February 1997, Bliss is the second known Linux virus (first being Staog).


Kork is a worm that uses the known vulnerability in lpd service to propagate from a vulnerable Linux system to another. This service is part of the default installation of Red Hat Linux 7.0.


Ramen is an Internet worm that propagates from a Linux based server to another. It works in a similar way as the Morris Worm that was widespread in 1989.


This virus spreads only under Linux operating system, infecting Elf-style executables. Found in the fall of 1996, Staog is the first known Linux virus.


Typot is a Linux trojan designed to perform distributed port scanning. One peculiarity of this trojan is that it generates TCP packets with a window size of 55808.


Virus.Win32.Bi.a is a proof-of-concept virus that infects i386 Windows Portable Executable (PE) and Linux ELF files.

Liberty (Palm)

The LIBERTY.A is a simple trojan written for the 3COM Palm platform. When activated, the trojan deletes all application files on the device.


Palm/MTX_II.A is a 'greeting card' Palm application dropped by MTX_II.A Windows virus. The Palm application itself is not malicious but it is dropped as a payload of MTX_II.A.


Obfu is a family of PHP backdoors that operate on any PHP enabled system. The variants belonging to this family are usually heavily obfuscated to prevent an outright detection of their functionality.


Backdoor:Python/Janicab.A is capable of running on both Windows and OS X machines; once installed it continuously takes screenshots and records audio, then forwards these to its command and control server.


Backdoor:Solaris/Wanukdoor.A is dropped by Worm:Solaris/Wanuk.A. It opens port 32982 which provides access to a remote user.


Exploit:PHP/Preamble is a detection for a family of various PHP scripts. The scripts are used to test whether a particular site is vulnerable for a Remote File Inclusion (RFI) exploitation.



Rootkit:Boot/Mebroot is a sophisticated program capable of replacing and controlling the infected system's Master Boot Record (MBR), then downloading and installing additional malware onto the infected system.


FinSpy.A is a version of the FinFisher surveillance software; it is used to remotely monitor a device.



The Aliz worm became widely spread in the end of November 2001. The worm activates automatically while reading an infected email message.


Email-Worm:W32/Nyxem propagates through infectious e-mail file attachments. It is also capable of spreading over a local network. Once installed on a computer, the worm can kill the processes of several applications, as well as preventing other malware from running. Myxem can also perform a Denial of Service (DoS) attack.


Lovsan is a network worm that spreads by exploiting the RPC/DCOM (MS03-026) vulnerability in Windows.


Nimda is a complex virus with a mass mailing worm component which spreads itself in e-mail attachments named README.EXE. It affects Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000 users.


Net-Worm:W32/Sasser refers to a small family of worms that spread to new hosts over the Internet by targeting the known MS04-011 (LSASS) vulnerability, which is caused by a buffer overrun in the Local Security Authority Subsystem Service.


Stoned.Angelina was reported to be in the wild in Finland in November 1994. In October 1995 it was found on new Seagate 5850 (850 MB) IDE hard disks.


The CIH virus was first located in Taiwan in early June 1998. After that, it has been confirmed to be in the wild worldwide. It has been among the ten most common viruses for several months. CIH has been spreading very quickly as it has been distributed through pirated software.


Virus:W97M/Concept also known as Word Prank Macro or WW6Macro - is a macro virus which has been written with the Microsoft Word v6.x macro language. It has been reported in several countries, and seems to have no trouble propagating in the wild.


Slapper is a network worm that spreads on Linux machines by using a flaw discovered in August 2002 in OpenSSL libraries. The worm was found in Eastern Europe late on Friday September 13th 2002.


A standalone malicious program which uses computer or network resources to make complete copies of itself.


Worm:W32/Netsky refers to a large family of worms which spread in infectious files attached to fake e-mail messages. Netsky was originally named Moodoom, or I-Worm.Moodoom.



Brain is possibly the oldest virus known on the DOS platform, as it was first detected in January '86.


Email-Worm:W32/Sober disguises itself as a security warning for a possible new worm and a fix coming from an Anti-Virus company. The worm uses attachment names such as anti_virusdoc.pif, check-patch.bat, playme.exe.


The Win95/Marburg virus got widespread circulation in August 1998, when it was included on the master CD of the popular MGM/EA PC CD-ROM game "Wargames".

Morris Worm

Morris Worm was a Unix-based worm program which was widespread in 1989.


The Ping-Pong virus (also called "Bouncing Ball" or "Italian") was probably the most common and best known boot sector virus for a while, although the Stoned virus now outnumbers it.


Virus:Boot/Ripper infects floppy disk boot records and hard disk Master Boot Records (MBRs). The virus is encrypted with a variable key, which is quite rare among boot sector viruses.


The Stoned.Monkey virus was first discovered in Edmonton, Canada, in the year 1991. The virus spread quickly to USA, Australia and UK. Monkey is one of the most common boot sector viruses.


Elkern is a low-polymorphic cavity infector virus with network spreading capabilities. The virus first appeared on 25th-26th of October 2001.


Virus:Boot/Stoned is a simple virus that seems to have been designed to be harmless. Due to a mistake however, it did not quite work out that way. Stone is able to infect the boot sectors of floppy disks. The virus has spawned a large number of variants.


Virus:W97M/Walker, also known as Virus:W97M/Satellite, is a Word macro virus with extraordinary functions.


Worm:SymbOS/Yxe is the first malicious software to target Symbian S60 3rd Edition Phones.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample


What is a Trojan and why is it harmful? Learn more about trojans and how they work

Read More