Heuristic Virus

Heuristic Virus - What is it?
Heuristic Virus - What is it?

A heuristic virus is a term for malicious programs detected by heuristic analysis. This method flags potential threats by looking for abnormal activities, such as unusual network connections, file modifications, and process behavior. While heuristic detection can identify previously unknown malware, it is prone to false positives.

What is Heuristic Virus?

A heuristic virus is a term that users commonly apply to malicious programs detected by heuristic detection systems. Antivirus software uses heuristic analysis to detect new, previously unknown viruses or variants of known viruses that have not yet been added to virus definition databases.

Heuristic threat detection screenshot
Heuristic threat detection

The heuristic analysis tracks the following factors: abnormal network activity, unusual connections to external servers, unusual modifications, or file creation. It also includes suspicious process behavior, startup, shutdown, interaction, such as attempts to hide activity or disable security software and requests for privilege escalation.

What is Heuristic Detection?

Heuristic detection is an adaptive antivirus protection system that detects malicious activity using educated guesses. Typically, heuristics are used in antivirus software along with scanning solutions to find malicious code on a computer. However, unlike the traditional method, which uses databases of known malware, heuristic analysis can detect potential viruses without explicitly identifying them. In other words, heuristic analysis is guessing, unlike signature analysis, which is based on knowledge.

The main goal of such engines is to detect next-generation malware that is not yet known by grouping and evaluating threats/risks in individual code fragments according to predefined criteria. This is similar to when trying to determine if someone is a criminal. They either match the image of a known criminal (signature) or exhibit characteristics of criminals (heuristics).

This process is flexible and is constantly being refined as threats are detected. The longer it runs, the more effective it becomes. Unfortunately, heuristic analysis is labor intensive, often resulting in false positives that must be manually verified. Since the need for “manual” intervention dramatically slows down the analysis process, antivirus companies have started using automation and machine learning. This has significantly optimized the processes of detecting malware that previously could not be detected using traditional methods, but it is still imperfect.

Heuristic analysis is based on several methods. These methods examine the source code of files and match it with previously detected threats. Depending on the proportion of the match, the system determines the likelihood of the threat.

How Does It Works?

Heuristic analysis uses some techniques to analyze threat behavior and threat level, including dynamic scanning, file analysis, and multi-criteria analysis (MCA). Let’s examine them more closely.

Dynamic Scanning

Dynamic scanning is the process of analyzing the behavior of a file in a simulated environment, often referred to as a “sandbox”. A program is executed and observed in an isolated environment to understand how it behaves in this environment. However, this method has a second side of the coin. Most modern malware has anti-analysis and evasion features. As a result, when a virtual environment is detected, the malware stops its activity, which is also a red flag.

Malware evades detection image
Malware evades detection

File Analysis

File analysis is the process of examining the contents of a file to determine its purpose, direction and intent. This method may involve inspecting the file’s code structure, libraries, functions, and instructions. For example, a file may attempt to install hidden services, make changes to system settings, or create a new user. It also includes comparing how similar the file’s code is to known malware samples.

Multicriteria analysis

Multicriteria analysis (MCA) is a technique that uses different criteria to evaluate a potential threat. This helps to more accurately determine the threat level posed by a suspicious file or program. Data about the suspicious object is sampled in this case, including dynamic and file analysis results, network activity, interaction with other systems, and more. Each criterion (e.g., changes to system files, network connections, use of hidden processes) is evaluated and weighted. Based on the combined score of all requirements, a conclusion is made about how dangerous the file is. As a result, the file is marked as malicious if the total score exceeds a certain threshold.

Detection Examples

Let’s look at one of the examples to understand how it works. This is Trojan:Win32/Acll, a stealer that I recently reviewed. I will now show you how it was detected. This malware is written in Python, so traditional detection methods can be complex. The above techniques are used to determine whether it is a threat. For example, this malware performs the following actions, which are triggers:

schtasks /create /f /RU "%USERNAME%" /tr "%ProgramData%\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
C:\Windows\System32\wuapihost.exe -Embedding

In brief, this command allows the instance to be started every hour with the highest privileges and to load third-party applications. The next red flag is that the instance collects data from the following folders:

C:\Program Files\Common Files\SSL\cert.pem
C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
C:\Users\\AppData\Local\Google\Chrome\User Data\
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\

This is a typical behavior of info stealers that allows antivirus engines to identify the threat.

Heuristic virus examples

Usually, threats detected by heuristics are easily recognizable. They either contain a straightforward notification that it comes from the heuristic system, have hard-to-read names or the prefix “!ML” at the end. Usually, such detections look like:

Trojan:Script/Wacatac.B!ml Wacatac.B!ml is most oftenly a type of spyware or stealer malware. The behavior pattern specific for this detection is extended persistence and networking, that potentially allows the malware to deploy other malicious programs.
IDP:Generic This detection stands for “Identity Protection” and “Generic”, indicating non-specific detection. Antivirus software uses it to identify potentially harmful files or activities that don’t fit into a specific category of known malware.
Malware.Win32.Heur.cc This is a perfect example of a truly generic detection name, that can stand for literally any malicious program.
Trojan:Win32/Acll This detection is about the combination of behavior and the programming language of the program. More specifically, it flags Python-based spyware.
VirTool:Win32/DefenderTamperingRestore Microsoft Defender uses this detection name to flag software or code that blocks the operations of Microsoft Defender.

All these detections belong to different malware types, although are the result of heuristic systems of different antiviruses. They may also be assisted by the AI detection systems that operate in a manner similar to heuristics.

AI And Heuristic Detection In Antimalware

As I mentioned earlier, heuristic analysis is based on sets of rules and patterns. This wealth of information can improve the recognition of previously unknown patterns. However, advances in AI have allowed antivirus companies to improve threat detection significantly. Today, we are seeing more and more malware detections with the signature “ml”, which stands for machine learning.

This is because AI filters notice things that humans could not before. Although “ml” detections still contain false positives, the percentage of false positives has significantly been reduced to date. So, most advanced antivirus companies try incorporating AI into their products, which is a pretty good trend.

How to remove heuristic virus?

To remove heuristic malware, you need to use an advanced anti-malware solution. I recommend GridinSoft Anti-Malware because it has a heuristic module and uses AI to detect malware. In addition, you can use it with Windows Defender, so there is no need to disable the built-in Windows defenses.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *