All objects detected by Kaspersky antivirus products are named according to the following system:
The prefix identifies the sub-system which detected the object. The prefix “HEUR:” is used to denote objects detected by the heuristic analyzer, and the prefix “PDM:” is used to denote objects detected by the proactive defense module.
The prefix is not an obligatory part of the full name and may not be present.
The behaviour specifies what the detected object does. For Viruses and Worms, the behaviour is chosen according to the propagation method used. For Trojans and Malicious Tools, the behaviour is chosen according to the type of malicious payload. For Suspicious Packers, the behaviour is chosen according to the way the packers acts. For Adware, Riskware and Pornware, the behaviour is chosen according to the function of the detected object.
The platform is the environment in which the program code is executed. This can refer to both software and hardware.
For detected objects that can run on more than one platform, the platform is defined as “Multi.” Virus.Multi.Etapux is one example of a multi-platform malicious program. This program infects executable files for both the Windows and Linux operating systems.
At the time of writing, there are two platforms that support the heuristic analyzer: Win32 and Script (a generalized platform for a variety of scripts). There is one platform for the proactive defense module: Win32.
The name is the official name given to the detected object, which defines the family of detected objects.
The term family is used to mean a group of detected objects that share the same origin (author, source code), operating principles, or payload. For example, malicious programs in the Trojan.Win32.StartPage family change the start page of the Internet browser.
A variant is a modification of a detected object. The variant may be indicated by a numeral or a letter, starting from ‘.a’: ‘.a’ – ‘.z’, ‘.aa’ – ‘.zz’ and so on.
The variant is not a mandatory part of the full name and may not be present.