Individual malware often performs multiple malicious functions and uses multiple distribution methods; without some additional classification rules, this could lead to confusion.

For example. There is a malicious program that collects email addresses on an infected computer without the user’s knowledge. At the same time, it is distributed both in the form of e-mail attachments and in the form of files via P2P networks.

Then the program can be classified both as an Email-Worm, and as a P2P-Worm or Trojan-Mailfinder. To avoid such confusion, Kaspersky Lab applies a set of rules that allow unambiguously classifying malware by specific behavior, regardless of secondary properties.

The “Classification Tree” diagram shows that each behavior is assigned its own level of danger.

In the “classification tree”, the behaviors that pose a greater danger are located above those that pose a lesser danger

And since in our example the behavior of the Email-Worm represents a higher level of danger than the behavior of the P2P-Worm or Trojan-Mailfinder, the malware from our example can be classified as an Email-Worm.