Hungry Man

New Member
Backdoor related behavior
Spyware related behavior
HiJacker related behavior
Worm related behavior
Dialer related behavior
Keylogger related behavior
Trojan Downloader related behavior
Injection of code into other programs
Manipulation of programs (patching)
Invisible installations of software
Invisible Rootkit processes
Installation of services and drivers
Creation of Autostart entries
Manipulation of the Hosts file
Changes of the browser settings
Installation of debuggers on the system
Simulated mouse and keyboard activity
Direct disk sector access on harddisk
Changes of the system group policies

These are Mamutu's categories of suspicious/malicious behaviors. I know what some are ie: Creation of autostart entries writes to the autostart area in the registry etc but a lot of them are vague.

Anyone know what each one does? Either specifically or in a broad sense.


Level 1
I'm not going to break down everyone of these, but you should stick with emsisoft anti-malware instead of mamutu.

Here is emsisoft comparision (click the blue underline for some of the definitions of what they do)

Or you can take advantage of Jack's contest for a free mamutu license here:

But if you can spare the $20 I would go with this jack's deal instead:

Hungry Man

New Member
I've got a Mamutu and Emsisoft license. I'm less interested in using the programs and more interested in understanding them.

I can't find an explanation on their site for some of these.


Level 1
What is Heuristic Scanning?

Hungry Man

New Member
Good article but not exactly what I wanted - I'm looking specifically to find out what each of those behaviors is.


Level 2
Apologies if you've already seen these articles on rootkits, trojans, spyware, dialers, worms, etc.

Emsisoft Knowledge Base

Comodo Leak Test Suite has a broad description of the suspicious behaviors you can most probably use for cross-reference to some extent.

A screenshot of the Leak Test Descirptions

P.S. I remembered seeing this a few days ago:
Emsisoft on Facebook said:
Are there any topics you would like to read an article from us about? We are always looking for cool new content for our knowledge base. It can be either security or computer related.


Retired Staff
One thing you need to take into consideration:

Each vendor has their own description of a malware category.

The same exact malware maybe labeled differently by each vendor, I have seen this many times.

For example what Emsisoft labels a Backdoor, might be labeled as a Trojan or Worm by other vendors.
Most rogueware as usually mislabeled as Trojans by most vendors because they have some of the same characteristics but are not the same.

Sometimes one vendor will labeled a malware as a virus, whereas other vendors might label the exact same malware as spyware, worm, adware, rogueware or Trojan.

Another thing some vendors have different definitions of each category of malware.
They all don't completely agree. So sometimes it is hard to find a correct answer to each category of malware suppose to do and why each malware is labeled into a select category.



Level 2
The reason I put the CLT descriptions was mostly as a reference for activities like installing drivers and services, debuggers and process injections - these aren't described at length in Emsisoft's articles.