Malware covers malicious programs that are specifically designed to delete, block, modify, or copy data, or to disrupt the performance of computers and/or computer networks. This class includes viruses, worms, Trojans, and other programs used to conduct malicious activity automatically (hacking tools, constructors that generate polymorphic code, etc.).
Viruses and Worms
Viruses and worms are malicious programs that self-replicate on computers or across computer networks without the user's knowledge; each copy produced by such a program is itself able to self-replicate.
Malicious programs that spread via networks or infect remote machines only when commanded to by their "owner" (e.g. backdoors), and programs that create multiple copies which cannot themselves self-replicate, are not part of the Viruses and Worms subclass.
The main characteristic used to decide whether a program forms a separate behaviour within the Viruses and Worms subclass is how the program propagates, i.e. how it spreads copies of itself via local or network resources.
Any program within this subclass can have additional Trojan functions.
It should also be noted that many worms use more than one method to spread copies across networks. The rules for classifying detected objects with multiple functions are used to classify such worms.
Trojans
Trojans are malicious programs that perform actions not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats in this category do not self-replicate.
Trojans are classified according to the type of action they perform on an infected computer.
Suspicious packers
Malicious programs are frequently compressed, or packed, using a variety of methods combined with file encryption, in order to prevent reverse engineering of the program and to hinder analysis of its behaviour by proactive and heuristic methods. Antivirus programs therefore detect the result of a suspicious packer's work, i.e. the packed item itself, rather than the program hidden inside it.
Packers also use techniques to frustrate unpacking by an analyst or an emulator: for example, the packer may decrypt the code only piecemeal, just as each part is about to execute, so the complete program is never present in memory at once; or it may fully decrypt and launch the malicious program only on a certain day of the week, so that an analysis run on any other day observes nothing.
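The two preceding paragraphs say that antivirus engines detect the packed item itself and that a packer can hold back full decryption. The following Python is an added example, not code from the original page or from any antivirus vendor, showing the static heuristic that makes "detect the packed item" work: Shannon entropy measured over sliding windows of a file. Compiled code and text have a skewed byte distribution and low entropy, while an encrypted or compressed body is near-uniform and scores close to 8 bits per byte. Everything in the block is constructed: a pseudo-machine-code generator standing in for a real binary, a SHA-256 counter-mode keystream standing in for a packer's stream cipher, and a hypothetical key.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, step: int = 512,
                         threshold: float = 7.0):
    """Slide a window over the bytes and report (offset, entropy) for every
    window at or above the threshold. Native code and text sit well below
    6 bits/byte; an encrypted or compressed body sits near 8, and a 1024-byte
    sample of uniformly random bytes measures about 7.8 (finite-sample bias)."""
    hits = []
    last = max(len(data) - window, 0)
    for off in range(0, last + 1, step):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            hits.append((off, round(ent, 3)))
    return hits


def looks_packed(data: bytes, **kw) -> bool:
    """Verdict on the packed item itself, independent of what it unpacks to."""
    return bool(high_entropy_windows(data, **kw))


# --- constructed samples (not real malware) ---------------------------------

def fake_code(nbytes: int, seed: int) -> bytes:
    """Deterministic stand-in for compiled x86-64 code: a small instruction
    vocabulary chosen by an LCG, so the byte distribution is skewed like
    real machine code. Constructed for this example."""
    vocab = [b"\x55", b"\x48\x89\xe5", b"\x48\x83\xec\x20", b"\x8b\x45\xfc",
             b"\x89\x45\xf8", b"\xe8\x00\x00\x00\x00", b"\xc3", b"\xc9",
             b"\x90", b"\x48\x8d\x05", b"\x31\xc0", b"\x85\xc0", b"\x74\x05",
             b"\xeb\x10"]
    out, x = bytearray(), seed
    while len(out) < nbytes:
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        out += vocab[(x >> 16) % len(vocab)]
    return bytes(out[:nbytes])


def keystream(nbytes: int, key: bytes) -> bytes:
    """SHA-256 in counter mode: a stand-in for the packer's stream cipher."""
    out, ctr = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def toy_pack(stub: bytes, payload: bytes, key: bytes) -> bytes:
    """Model of a packed item: a plain loader stub followed by the encrypted
    body the stub would decrypt at run time. XOR makes it its own inverse."""
    body = bytes(a ^ b for a, b in zip(payload, keystream(len(payload), key)))
    return stub + body


STUB = fake_code(2048, seed=7)       # unpacking stub, left in the clear
PAYLOAD = fake_code(16384, seed=3)   # the "program" the packer hides
PACKED = toy_pack(STUB, PAYLOAD, b"hypothetical-key")  # hypothetical key


if __name__ == "__main__":
    print("payload entropy     :", round(shannon_entropy(PAYLOAD), 3))
    print("packed body entropy :", round(shannon_entropy(PACKED[2048:]), 3))
    print("looks_packed(PAYLOAD):", looks_packed(PAYLOAD))
    print("looks_packed(PACKED) :", looks_packed(PACKED))
    print("first flagged window :", high_entropy_windows(PACKED)[:1])
```

The verdict is about the container, not its contents: the stub-only windows at the start of `PACKED` stay below the threshold and the encrypted body trips it, whatever that body decrypts to. This is why the tricks above (decrypting piecemeal, or only on a given weekday) defeat an emulator waiting for the whole program to appear in memory, but not a static entropy measure. The caveat runs the other way too: any compressed or encrypted resource, a PNG or a ZIP appended to a clean installer, scores just as high, so a real engine pairs this signal with others (an unusually small import table, sections that are both writable and executable, signatures of known packer stubs) before calling the item suspicious.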
Malicious tools
Malicious tools are malicious programs designed to automatically create viruses, worms, or Trojans, conduct DoS attacks on remote servers, hack other computers, etc. Unlike viruses, worms, and Trojans, malware in this subclass does not present a direct threat to the computer it runs on, and the program's malicious payload is delivered only on the direct order of the user.