Jump to content

[Question] List of Malwarebytes definition names?

Recommended Posts

Hi Helpers :)


I was wondering if there was a public list of definition/threat names for Malwarebytes, where it would explain (well, summarize) every definition/name it have? I'm asking this, because I would like to know more about certain definitions, mainly the generic ones like Hijack.Shell.Gen (and if you could lighten me on what this one is exactly, except the fact that it hijacks the Windows Explorer shell, it would be appreciated).

Thank you :)

Link to post
Share on other sites

Thank you 1PW for the list (and Firefox for the reply!). Is it possible to explain me, for Malwarebytes only, what is the "Hijack.Shell.Gen" detection? This detection came up in a discussion I was having, and when you Google it, it looks like this detection is associated with web browser-based infections, althought I doubt it's specifically for them, and I would just like some clarification on it (if possible).

Link to post
Share on other sites

It is hard to reach into the mind of the Malware Researcher and know specifically.  We can deduce it is a Generic Hijack but the term "shell" can mean many things.  At the core it may mean the "shell" of the OS which is Windows Explorer.


It could be something like the following where a malware executable is chained to load from Explorer when the OS Loads the OS Shell and is thus hijacking it.

{ NOTE: this is just a guess and may NOT be the reason why this name was used }


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Shell = Explorer.exe  malwarename.exe
Sometimes the anti malware vendor will use standard notation and other times not.  How malware gets a name can be a personal choice.  Take the Koobface worm.  That is a deliberate rename of Facebook.  Take the nimda and that is the reversal of admin.
One problem that has crept up over and over is that you can have 20 different vendors call the same infector almost twenty different names.  Some have called the Blaster worm the Lovsan worm and that is why I always call it the Lovsan/Blaster worm.
Because of the confusion that created, MITRE was tasked to come up with a database that would tie together the variations of names of a specific malware when different vendors had given it different names.  The database was created such that they can be cross referenced.  That was called the "Common Malware Enumeration" (CME).  However that was just too difficult to maintain and lost favour and funding.
For example take the Sober worm.  MITRE assigned CME-157 to it and in theory a vendor would append !CME-157 to their name.  Example : Win32/Sober.V@mm!CME-157
Let's look at the name;  Win32/Sober.V@mm!CME-157
Win32 -- Windows 32bit
Sober -- Family group
.V -- V variant ( as in .a, .b, .c, .d ... .x, .y, .z  variantsAfter '.z' it would be;  .aa, .ab, .ac, .ad, et al.  )
@mm -- Mass Mailer
!CME-157 -- Common Malware Enumeration number 157


Even something as simple as when it is a 32 bit or 64 bit infector can vary from vendor to vendor.  Some will prepend "Win32." to the name and another vendor will prepend "Win32/" so one vendor can be "Win32.Sober" and another vendor will be "Win32/Sober" and then again another vendor may use "W32/Sober" or "W32.Sober".


There still is a lot of "convention" in naming but it lends to a lot of variations.  Researchers often name the malware based upon stings found in the binary. 



Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.