ReversingLabs malware naming standard

The ReversingLabs detection string consists of three main parts separated by dots. All parts of the string will always appear (all three parts are mandatory).

platform-subplatform.type.familyname

The first part of the string indicates the platform targeted by the malware. If the platform is ByteCode, Document or Script, then there will be an additional subplatform string. Platform and subplatform strings are separated by a hyphen ( - ).
The second part of the detection string describes the malware type.
The third part represents the malware family name. This string is one of most common names for that malware.

Example

If backdoor malware is a PHP script with the family name "Jones", the detection string will look like this:

Script-PHP.Backdoor.Jones

Supported Detection String Elements

Click to expand:

Platforms (non-exhaustive)

ABAP
AOL
Android
Archive
Audio
Binary
Blackberry
Boot
ByteCode
Console
DOS
Document
EPOC
Email
Firmware
FreeBSD
Image
Linux
MacOS
Menuet
Novell
OS2
Package
Palm
Script
Shortcut
Solaris
SunOS
Symbian
Text
Unix
Video
WebAssembly
Win32
Win64
WinCE
iOS

Subplatforms (non-exhaustive)

7ZIP
ACE
ANI
ARJ
ASP
Access
ActiveX
AutoIt
AutoLISP
BAT
BMP
BZIP2
CAB
CGI
CHM
Cookie
CorelDraw
DEB,EMF
EPS
Excel
Ferite
GIF
GZIP
HTML
INF
INI
IRC
ISO
JAR
JAVA
JPEG
JS
LZH
Logo
Lua,
MIME
MSG
MSIL
Macro
Matlab
Multimedia
OLE
OTF
Office
PDF
PHP
PNG
Perl
PowerPoint
PowerShell
Project
Publisher
Python
RAR
RPM
RTF
Registry
Ruby
SQL
SWF
Shell
TAR
TIFF
TTF
VBS
Visio
WMF
WScript
WinHelp
Word
XML
ZIP

Malware Types (non-exhaustive)

Adware
Any
Backdoor
Browser
Certificate
Coinminer
Dialer
Downloader
Dropper
Exploit
Format
Hacktool
Heuristic
Hyperlink
Infostealer
Keylogger
Mail
Malware
Network
Packed
Phishing
PUA
Ransomware
Rogue
Rootkit
Spam
Spyware
Trojan
Virus
Worm

Example​

Supported Detection String Elements​

Example

Supported Detection String Elements