
The virus name game

Edward Hurley, News Writer

Many virus watchers still cringe when the topic of the Melissa virus is brought up, not only because of its damaging payload, but also because its name doesn't fit with accepted virus-naming practices.

A CALL FOR A VIRUS-NAMING BODY
The practice of allowing antivirus research firms and vendors to have first dibs on naming viruses and worms doesn't fly with some security experts.

Some would like to see an independent body handle the naming of viruses and worms.

"It is time for vendors to stop playing political games and just agree on an independent body to issue names," said Robert Vibert, moderator of the AntiVirus Information Exchange Network. "Customers have complained constantly over the years, and yet vendors still claim that it is too hard to standardize."

The technical issues facing standardization are not insurmountable, Vibert said. All it would really take is accepting the names of viruses coming from a third party, he said.

On the other hand, the vendors could say that an independent naming body would be too slow. Naming a virus quickly is imperative because it's the first step in protecting their customers from the malicious code.

VIRUS-NAMING CONVENTIONS
Generally, the prefix of a virus name identifies the platform it targets. Here is a list of some common prefixes and what they mean:
BAT - Batch file threats
Backdoor - Threats allowing unauthorized access to computers on the Internet
IRC - Threats that spread via IRC (Internet Relay Chat)
JS - Attacks written in JavaScript
Java - Attacks written in Java
Linux - Attacks that target Linux-based systems
OM - Office macro viruses
PWSTEAL - Password-stealing Trojan horses
Palm - Attacks that target Palm-based devices
Trojan/Troj - Trojan horses
Unix - Attacks that target Unix-based systems
VBS - Viruses written in Visual Basic Script
W32 - Viruses that target all 32-bit versions of Windows

Dubbing the malicious code "Melissa," after a Miami stripper, flies in the face of many naming conventions that antivirus companies follow today. For example, using the name provided by the virus writer is avoided at all costs to avoid bestowing credibility upon the author. Also, the use of proper names is a no-no.

Though Melissa doesn't conform to set rules, at least most of the antivirus companies have agreed to use the same name for that particular virus. Virus naming isn't an exact science, and there are times when antivirus companies use different names for the same piece of malicious code.

"This can be a big cause of confusion for end users," said Mikko Hypponen, F-Secure's manager of antivirus research in Helsinki, Finland.

Just recently, there has been some confusion over the names of some major viruses. For example, most antivirus companies dubbed one recent mass-mailing worm Bugbear, but antivirus vendor Kaspersky called it Tanatos. Most advisories from other antivirus vendors include both names.

Outright name differences are uncommon. Minor spelling variations are more likely. For example, a recent worm was called "Bridex" by some and "Brid" by others, but most settled on "Braid."

While there are still some variations in the names of viruses and worms, it's much better than it used to be. Ten years ago, a virus might have had 25 or 30 different names, said David Perry, global director of education for Trend Micro, a Tokyo-based antivirus software vendor.

Antivirus vendors follow a certain syntax. The first part of the name is a prefix that describes the platform the worm or virus attacks. For example, Linux.Scapler.Worm affects Linux machines. W32/Elkern-C, on the other hand, affects 32-bit Windows machines. The second part of the name is the family name. In these examples, Scapler and Elkern are the family names. Some vendors include a suffix such as "Worm" to denote that the specimen is a worm. Others, such as Trend Micro, use WORM as a prefix, as in WORM_KLEZ.H.

The final part of virus names is the variant. Most companies use an alphabet system. So W32/Elkern-C is the third variant a specific vendor has found. How companies name variants differs from vendor to vendor.

The family name usually becomes the shorthand used for a virus. So WORM_KLEZ.H becomes "Klez." This is also the area where virus researchers have some leeway. For example, Sophos called a macro virus OF97/Crown-A, said Chris Wraight, technology consultant at the antivirus software company. Other antivirus vendors had called it OF97/Tristate-C. The virus was a triple infector, meaning it attacked Microsoft Word, Excel and PowerPoint files. The U.K.-based researcher who had named it for Sophos had just watched rugby's Triple Crown.
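As an added illustration (not code from the article or from any antivirus vendor), here is a small Python parser that normalises the three vendor styles quoted above into prefix, family, variant and type, derives the everyday shorthand, and matches two vendors' names on family alone. The platform prefix list is the article's sidebar plus OF97 from the Sophos example; treating "Worm"/"WORM" as the only type marker and variants as one or two letters are assumptions drawn from the article's examples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Vendor styles quoted in the article:
#   "Linux.Scapler.Worm"  dot-separated, type given as a suffix
#   "W32/ElKern-C"        slash after the platform prefix, dash before the variant
#   "WORM_KLEZ.H"         type given as a prefix, dot before the variant
# Prefix list: the article's sidebar plus OF97 from its Sophos example.
PLATFORM_PREFIXES = {"BAT", "BACKDOOR", "IRC", "JS", "JAVA", "LINUX", "OM", "OF97",
                     "PWSTEAL", "PALM", "TROJAN", "TROJ", "UNIX", "VBS", "W32"}
TYPE_TOKENS = {"WORM"}                      # assumption: only type marker handled
VARIANT_RE = re.compile(r"[A-Za-z]{1,2}")   # assumption: variants are 1-2 letters


@dataclass
class VirusName:
    prefix: Optional[str]   # platform the code targets, e.g. W32
    family: str             # the part that becomes the everyday shorthand
    variant: Optional[str]  # alphabetic variant letter(s), vendor-specific
    kind: Optional[str]     # "WORM" when a vendor marks the type explicitly

    @property
    def shorthand(self) -> str:
        # WORM_KLEZ.H -> "Klez", as the article describes
        return self.family.capitalize()


def parse_name(raw: str) -> VirusName:
    # Split on every separator any of the quoted vendors use.
    tokens = [t for t in re.split(r"[./_-]", raw.strip()) if t]
    prefix = variant = kind = None
    if len(tokens) > 1 and VARIANT_RE.fullmatch(tokens[-1]):
        variant = tokens.pop().upper()
    if len(tokens) > 1 and tokens[-1].upper() in TYPE_TOKENS:
        kind = tokens.pop().upper()            # suffix style: Linux.Scapler.Worm
    if len(tokens) > 1 and tokens[0].upper() in TYPE_TOKENS:
        kind = tokens.pop(0).upper()           # prefix style: WORM_KLEZ.H
    if len(tokens) > 1 and tokens[0].upper() in PLATFORM_PREFIXES:
        prefix = tokens.pop(0).upper()
    # Whatever survives is the family; join any leftovers rather than guessing.
    return VirusName(prefix, "-".join(tokens), variant, kind)


def same_family(name_a: str, name_b: str) -> bool:
    # Cross-vendor match on the family only: vendors disagree on variant letters
    # (Klez.H vs Klez.I) and on separators, but usually agree on the family.
    return parse_name(name_a).family.upper() == parse_name(name_b).family.upper()
```

Outright name differences such as Bugbear versus Tanatos are not matched, which is exactly the case where advisories have to list both names.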

There is nothing unusual about what the Sophos researcher did. Generally, naming a worm is the right of the first antivirus company that finds it. In many cases there isn't a readily apparent name for a virus or worm. Researchers try to find a word or other identifier in the code that would be apparent to others. Yet they never name the virus after what the author called it.

"We don't want to give any credibility to the virus writer," Perry said. In most cases, viruses are not new creations but contain code from other viruses. "We have an image of this romantic, underground character, when the truth is most aren't skilled at all," he said.

Virus researchers also try to avoid using proper names, brand names and geographic locations for viruses. These were used in the past, hence the Melissa virus and the Jerusalem virus. Sometimes the international nature of viruses can cause problems with names. The Sampo virus came out of the Philippines but it shared a name with a Finnish financial services company. "It was pretty embarrassing for the company, as the virus was pretty widespread here," Hypponen said.

Perhaps the most vexing part of virus names is the variants. For example, in September, two variants of the Slapper worm appeared in quick succession. Antivirus companies differed over which to call Slapper.B and which to call Slapper.C.

In April, a particularly pesky variant of the Klez worm surfaced. Most vendors called it Klez.H, but at least one called it Klez.I. There are some variations from company to company on when to declare that a sample is a new variant of an existing virus. Some companies wait until they need to release a new signature file. Others wait until a variant really starts to spread. In most cases, it only takes a slight change in the virus before it gets a new variant name.

Naming a new variation also allows antivirus vendors to track the spread of a virus better, said Vincent Gullotto, vice president of McAfee AVERT. Often antivirus software protects against a variant before it's named.

Antivirus companies do keep tabs on the other names companies are using for variants, often including other companies' names in their advisories. While the vendors fiercely compete for business, they do cooperate on certain levels. For example, samples of viruses are exchanged all the time. "Our researchers talk with researchers from other antivirus companies on a daily basis," Gullotto said.

