Heuristic and proactive detections

Defining objects detected by the heuristic analyzer or proactive defense module

The Kaspersky Lab antivirus databases contain an enormous number of heuristics (no prefix is used in the names of these heuristics). Furthermore, in 2007, the company introduced a separate heuristic module which contained all the latest technological developments. When an object is detected by this module, the name of the object begins with the “HEUR:” prefix.

The proactive defense module is a module that monitors the sequence of actions conducted by an application in the system, and if suspicious activity is detected, the application is blocked to prevent it from conducting further activity. If an object is detected by the PDM, the name of the object begins with the “PDM:” prefix.

Both modules analyze the activity (or sequence of activities) of an object. If the activity is typical of a malicious program, then the object will be detected by either the heuristic analyzer or the PDM.

The Malware class covers the following detected objects:

HEUR:Worm.[Platform].Generic

Objects covered by this classification run a search on remote computers and attempt to copy themselves to read/write accessible directories, search accessible network directories using operating system functions, and/or conducts a random search for computers.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Virus.[Platform].Generic

Objects covered by this classification create copies of themselves on the local resources of the victim computer.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Email-Worm.[Platform].Generic

Objects covered by this classification attempt to send copies of themselves in the form of an email attachment, or as a link to their own files located on a network resource.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Virus.[Platform].Infector

Objects covered by this classification search a computer for files and write a range of information to these files. Such an object may, for example, write its body to an executable file or write HTML code which contains a link to files with .html, .php, .asp, and other extensions.

The [Platform] field may be either “Script” or “Win32.”

PDM:Worm.Win32.Generic

Objects covered by this classification search for networks of remote computers and attempt to copy themselves to read/write accessible directories, search accessible network directories using operating system functions and/or conduct a random search for computers.

PDM:P2P-Worm.Win32.Generic

Objects covered by this classification copy themselves to folders commonly associated with P2P clients, modify registry keys associated with P2P clients, etc.

HEUR:Trojan.[Platform].Generic

Objects covered by this classification delete, block, modify, or copy information, and disrupt the performance of computers or computer networks.
The [Platform] field may be either “Script” or “Win32.”

HEUR:Trojan.Win32.Invader

Objects covered by this classification inject their code into the address space of other processes.

This tactic is often used by virus writers in order to perform a variety of actions as though they are being performed by a trusted application.

HEUR:Trojan.[Platform].AntiAV

Objects covered by this classification prevent antivirus programs and firewalls from working.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Trojan.[Platform].KillFiles

Objects covered by this classification delete user files and/or operating system files.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Trojan.[Platform].StartPage

Objects covered by this classification modify the StartPage, SearchPage, and other Internet browser settings.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Trojan.Script.Iframer

Objects covered by this classification access Internet resources without the user’s knowledge by using hidden tags.

HEUR:Trojan.[Platform].Cryptic

Objects covered by this classification are highly encrypted or obfuscated.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Backdoor.[Platform].Generic

Objects covered by this classification enable a malicious user to remotely control the victim computer.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Trojan-Downloader.[Platform].Generic

Objects covered by this classification are designed to download and install new versions of malicious programs to the victim computer.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Trojan-PSW.[Platform].Generic

Objects covered by this classification are designed to steal user account information (logins and passwords) from victim computers.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Trojan-Dropper.[Platform].Generic

Objects covered by this classification stealthily install other malicious programs from the body of the original malicious program to the victim machine.

The [Platform] field may be either “Script” or “Win32.”

HEUR:Exploit.[Platform].Generic

Objects covered by this classification exploit one or more software vulnerabilities on a local or remote computer.

The [Platform] field may be either “Script” or “Win32.”

PDM:Trojan.Win32.Generic

Objects covered by this classification delete, block, modify, or copy information, or disrupt the performance of computers and/or computer networks.

PDM:Rootkit.Win32.Generic

Objects covered by this classification hide certain objects or activities on the system. Programs designed to stealthily install drivers which demonstrate Rootkit behaviour to the victim machine are also detected by this classification.

The Adware class covers HEUR:Adware.[Platform].Generic:

HEUR:Adware.[Platform].Generic

Objects covered by this classification redirect search requests.

The [Platform] field may be either “Script” or “Win32.”

The Riskware covers PDM:Monitor.Win32.Keylogger:

PDM:Monitor.Win32.Keylogger

Objects covered by this classification log the keys pressed on a computer keyboard.

If the user or a network administrator installed this type of program to the computer, then it does not pose a threat.