Name | Description
---|---
Deletes antivirus registry entry | Removal of registry entries associated with security software may prevent this software from running.
Disables antivirus service | Disabling of services associated with security software may prevent this software from running.
Stops or modifies antivirus service | Stopping or modification of services associated with security software may prevent this software from running.
Uses suspicious packer | Malware is often compressed using packers to avoid detection and prevent reverse engineering.
Name | Description
---|---
Adds Active Setup value in registry | Values in the Active Setup registry key are used by Windows components. Malware may add such values to automatically run at startup.
Adds autorun in registry | Addition of autorun registry keys enables malware to automatically run at startup.
Adds scheduled task | Scheduled tasks are used to automatically run components at predefined schedules. Malware may add such tasks to remain active on affected systems.
Adds startup file or folder | Windows automatically opens files in the startup folder. Malware may add a file or folder in this location to automatically run at startup and stay running.
Modifies AppInit_DLLs in registry | Modification of DLLs in the AppInit_DLLs registry value may allow malware to inject its code into another process.
Modifies file with infectible type | Certain types of files that are located in non-system folders may be modified by malware. These include shortcut links, document files, dynamic link libraries (DLLs), and executable files.
Modifies firewall settings | Malware may add a firewall rule to allow certain types of traffic and to evade firewall protection.
Modifies important registry entries | Malware may modify important registry entries, such as those used for folder options, browser settings, service configuration, and shell commands.
Modifies IP address | Malware may modify the IP address of an affected system to allow remote entities to locate that system.
Modifies system file or folder | Modification of system files and usage of system folders may allow malware to conceal itself and appear as a legitimate system component.
Name | Description
---|---
Creates message box | A fake message box may be displayed to trick users into mistaking malware for a legitimate program.
Drops fake system file | Files with names that are identical or similar to those of legitimate system files may be dropped by malware to conceal itself.
Uses deceiving extension | A deceiving file extension may be used to trick users into mistaking malware for a legitimate program.
Uses double DOS header | The presence of two DOS headers is suspicious because it usually occurs when a virus infects an executable file.
Uses double extension with executable tail | Double file extension names are commonly used to lure users into opening malware.
Uses fake icon | Icons from known applications or file types are commonly used to lure users into opening malware.
Uses fake or uncommon signature | Malware may use an uncommon, fake, or blacklisted file signature.
Uses file name associated with pornography | File names associated with pornography are commonly used to lure users into opening malware.
Uses spoofed version information | Malware may use spoofed version information, or none at all.
Name | Description
---|---
Copies self | Malware may create copies of itself in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Creates multiple copies of a file | Multiple copies of a file may be created by malware in one or more locations on the system. These copies may use different names in order to lure the user into opening the file.
Deletes file | Malware may delete a file to compromise the system, to remove traces of the infection, or to prevent forensic analysis.
Deletes self | Malware may delete itself to remove traces of the infection and to prevent forensic analysis.
Downloads executable | Downloading of executable files is considered suspicious because this behavior is often only attributed to malware and applications that users directly control.
Drops driver | Many drivers run in kernel mode, allowing them to run with high privileges and gain access to core operating system components. Malware often installs drivers to leverage these privileges.
Drops executable | An executable file may be dropped by malware in one or more locations on the system as part of its installation routine.
Drops file with infectible type | Certain types of files, such as shortcut links and document files, may be dropped by malware. Shortcut links are often used to lure users into opening malware, while document files may contain an exploit payload.
Drops file into shared folder | A file may be dropped by malware in a shared folder as part of its propagation routine, or to enable transmission of stolen data.
Executes dropped file | Execution of a dropped file is considered suspicious because this behavior is often only attributed to malware and certain installers.
Renames downloaded file | Malware may rename a file that it downloaded to conceal the file and to avoid detection.
Shares folder | A folder may be shared by malware as part of its propagation routine, or to enable transmission of stolen data.
Name | Description
---|---
Installs keylogger | Hooking of user keystrokes may allow malware to record and transmit the data to remote third parties.
Installs BHO | Browser helper objects (BHO) are loaded automatically each time Internet Explorer is started. BHOs may be manipulated by malware to perform rogue functions, such as redirecting web traffic.
Modifies configuration files | System configuration files may be modified by malware to perform rogue functions, such as redirecting web traffic or automatically running at startup.
Name | Description
---|---
Causes document reader to crash | Many document files that contain exploits are malformed or corrupted. Document readers may crash because of a malformed file that contains a poorly implemented exploit.
Causes process to crash | Malware may crash a process to run shellcode. This may also occur due to poorly constructed code or incompatibility issues.
Fails to start | Malware may fail to execute because of poor construction.
Detected as known malware | The file is detected using an aggressive pattern created for a specific malware variant.
Detected as probable malware | The file is detected using an aggressive generic pattern.
Name | Description
---|---
Adds service | Services are often given high privileges and configured to run at startup.
Attempt to use document exploit | A document or SWF file that contains an exploit may pad memory with a sequence of no-operation (NOP) instructions to ensure exploit success.
Contains exploit code in document | Documents or SWF files may contain exploits that allow execution of arbitrary code on vulnerable systems. Such exploits are detected using the Trend Micro document exploit detection engine.
Creates mutex | Mutex objects are used in coordinating mutually exclusive access to a shared resource. Because a unique name must be assigned to each mutex, the creation of such objects serves as an effective identifier of suspicious content.
Creates named pipe | Named pipes may be used by malware to enable communication between components and with other malware.
Creates process | Creation of processes is considered suspicious because this behavior is not commonly exhibited by legitimate applications.
Executes a copy of itself | Malware may execute a copy of itself to stay running.
Injects memory with dropped files | Malware may inject a file into another process.
Resides in memory | Malware may inject itself into trusted processes to stay in memory and to avoid detection.
Starts service | An existing service may be started by malware to stay running or to gain more privileges.
Stops process | A process may be stopped by malware to prevent security software and similar applications from running.
Uses heap spray to execute code | Malware may perform heap spraying when certain processes are running. Allocation of multiple objects containing exploit code in a heap increases the chances of launching a successful attack.
Name | Description
---|---
Attempts to hide file | Malware may attempt to hide a file to avoid detection.
Hides file | Malware may hide a file to avoid detection.
Hides registry | Malware may hide a registry key, possibly using drivers, to avoid detection.
Hides service | Malware may hide a service, possibly using drivers, to avoid detection.
Name | Description
---|---
Accesses highly suspicious host | Hosts that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses highly suspicious URL | URLs that are classified as highly suspicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses known C&C host | Malware accesses known C&C hosts to receive commands and transmit data.
Accesses malicious host | Hosts that are classified as malicious by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious host | Hosts that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Accesses suspicious URL | URLs that are classified as suspicious or unrated by the Trend Micro Web Reputation Service (WRS) may be accessed by malware.
Creates raw socket | Malware may create a raw socket to connect to a remote server. Establishing a connection allows malware to check if the server is running, and then receive commands.
Establishes network connection | Network connections may allow malware to receive and transmit commands and data.
Establishes uncommon connection | Uncommon connections, such as those using non-standard ports, may indicate system intrusion and connections to a malicious server.
Exhibits bot behavior | Compromised devices exhibit certain network behavior when operating as part of a botnet.
Exhibits DDOS attack behavior | Malware exhibits certain network behavior when participating in a distributed denial of service (DDoS) attack.
Listens on port | Malware may create sockets and listen on ports to receive commands.
Opens IRC channel | Opening of an Internet Relay Chat (IRC) channel may allow malware to send and receive commands.
Queries DNS server | Querying of uncommon top-level domains may indicate system intrusion and connections to a malicious server.
Requests suspicious URL | URLs that are classified as suspicious by the Trend Micro Web Reputation Service (WRS) may be requested by malware.
Sends email | Sending of email may indicate a spam bot or mass mailer.