Many virus watchers still cringe when the topic of the Melissa virus is brought up, not only because of its damaging...
payload, but also because its name doesn't fit with accepted virus-naming practices.
Dubbing the malicious code "Melissa," after a Miami stripper, flies in the face of many naming conventions that antivirus companies follow today. For example, using the name provided by the virus writer is avoided at all costs to avoid bestowing credibility upon the author. Also, the use of proper names is a no-no.
Though Melissa doesn't conform to set rules, at least most of the antivirus companies have agreed to use the same name for that particular virus. Virus naming isn't an exact science, and there are times when antivirus companies use different names for the same piece of malicious code.
"This can be a big cause of confusion for end users," said Mikko Hypponen, F-Secure's manager of antivirus research in Helsinki, Finland.
Just recently, there has been some confusion over the names of some major viruses. For example, most antivirus companies dubbed one recent mass-mailing worm Bugbear, but antivirus vendor Kaspersky called it Tanatos. Most advisories from other antivirus vendors include both names.
Outright name differences are uncommon. Minor spelling variations are more likely. For example, a recent worm was called "Bridex" by some and "Brid" by others, but most settled on "Braid."
While there are still some variations in the names of viruses and worms, it's much better than it used to be. Ten years ago, a virus might have had 25 or 30 different names, said David Perry, global director of education for Trend Micro, a Tokyo-based antivirus software vendor.
Antivirus vendors follow a certain syntax. The first part of the name is a prefix that describes the platform the worm or virus attacks. For example, the Linux.Scapler.Worm affects Linux machines. W32/ElKern-C, on the other hand, affects 32-bit Windows machines. The second part of the name is the family name. In these examples, Scapler and Elkern are the family names. Some vendors include a suffix such as "Worm" to denote that the specimen is worm. Others, such as Trend Micro, use WORM as a prefix, as in WORM_KLEZ.H.
The final part of virus names is the variant. Most companies use an alphabet system. So W32/Elkern-C is the third variant a specific vendor has found. How companies name variants differs from vendor to vendor.
The family name usually becomes the shorthand used for a virus. So WORM_KLEZ.H becomes "Klez." This is also the area where virus researchers have some leeway. For example, Sophos called a Macro virus OF97/Crown-A, said Chris Wraight, technology consultant at the antivirus software company. Other antivirus vendors had called it OF97/Tristate-C. The virus was a triple infector, meaning it attacked Microsoft Word, Excel and PowerPoint files. The U.K.-based researcher who had named it for Sophos had just watched rugby's Triple Crown.
There is nothing unusual about what the Sophos researcher did. Generally, naming a worm is the right of the first antivirus company that finds it. In many cases there isn't a readily apparent name for a virus or worm. Researchers try to find a word or other identifier in the code that would be apparent to others. Yet they never name the virus after what the author called it.
"We don't want to give any credibility to the virus writer," Perry said. In most cases, viruses are not new creations but contain code from other viruses. "We have an image of this romantic, underground character, when the truth is most aren't skilled at all," he said.
Virus researchers also try to avoid using proper names, brand names and geographic locations for viruses. These were used in the past, hence the Melissa virus and the Jerusalem virus. Sometimes the international nature of viruses can cause problems with names. The Sampo virus came out of the Philippines but it shared a name with a Finnish financial services company. "It was pretty embarrassing for the company, as the virus was pretty widespread here," Hypponen said.
Perhaps the most vexing part of virus names are the variants. For example, in September, two variants of the Slapper worm appeared in quick succession. Antivirus companies differed over which to call Slapper.B and which to call Slapper.C.
In April, a particularly pesky variant of the Klez worm surfaced. Most vendors called it Klez.H, but at least one called it Klez.I. There are some variations from company to company on when to declare that a sample is a new variant of an existing virus. Some companies wait until they need to release a new signature file. Others wait until a variant really starts to spread. In most cases, it only takes a slight change in the virus before it gets a new variant name.
Naming a new variation also allows antivirus vendors to track the spread of a virus better, said Vincent Gullotto, vice president of McAfee AVERT. Often antivirus software protects against a variant before it's named.
Antivirus companies do keep tabs on the other names companies are using for variants, often including other companies' names in their advisories. While the vendors fiercely compete for business, they do cooperate on certain levels. For example, samples of viruses are exchanged all the time. "Our researchers talk with researchers from other antivirus companies on a daily basis," Gullotto said.