New malware classification system

Kaspersky Lab is currently switching to a new malware classification system

Glossary: Malware

Malware (short for malicious software) refers to any program that is deliberately created to perform an unauthorized, often harmful, action.


The new system will make it easier to navigate the virus descriptions.

Naming of malicious programs

Each malicious program is given a name which has several parts.

Any program which is given a name containing the term VirWare, TrojWare, MalWare, RiskWare, AdWare or PornWare will be a malicious program.

The name of each malicious program can be broken down in the following way:

Verdict: verdict clarification

Verdict clarification includes the following categories:


Verdict: this is an umbrella description which covers the main characteristics of a virus sample: VirWare, TrojWare, MalWare, RiskWare, AdWare, PornWare, SPAM, or Attack.

Behaviour: this defines the malicious program’s payload. Backdoor, Virus etc. are all examples of Behaviour. A less threatening behaviour will be subsumed by the most threatening behaviour. For example, if a program has a backdoor function, but also infects files, the behaviour will be classified as Virus. If in addition to these behaviours, the malicious program spreads via network connections, the behaviour will be classified as Worm.

Sub-behaviour: this category is only used if the malicious program has a sub-behavior. It defines the main behaviour further. For instance, a malicious program classified as Trojan-Spy has the sub-behaviour Spy and so on. The sub-behaviour term is separated from the behavior term by a dash.

In the case of worms, the sub-behaviour term will be a prefix to the main behaviour term: P2P-Worm, Net-Worm etc.

OS gives the operating system in which the malicious program functions eg. Win32, BAT, IRC etc.

Name: the name which the Virus Lab has given to the malicious program.

Modification: shows the different versions of a malicious program grouped under one name.

An example of a name under the new classification system would be Trojan-Dropper.Win32.Agent.a – a Trojan which drops another malicious program, operates in Win32. The Virus Lab has named this program Agent, and this particular program is modification a, the first in a series.

Names of malicious programs always include the Behaviour, OS, Name and Modification terms.

New malware classification system

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox