When two major worms that exploited a critical vulnerability in the Windows Remote Procedure Call (RPC) vulnerability...
struck last month, administrators jumped into gear to protect their networks and systems.
Yet the actual name of the worms wasn't quite as uniform as the response from admins.
Some antivirus vendors called the first worm Lovsan, others called it MS Blast, others still called it simply Blaster. The second worm, which sought to remove the first but caused a host of other problems, was called Nachi and Welchia.
Now that the worms' progress has slowed and systems are patched, people can ask the question: Why do the antivirus companies use such different names for the worms?
McAfee Security, for example, called the first worm Lovsan, after a message written in the worm. The company didn't want to call it MS Blast or Blaster, which was the name of the executable downloaded by the worm, on the grounds that it might confuse users, said Vincent Gullotto, vice president of McAfee AVERT (Antivirus Emergency Response Team). "We wanted to keep away from using the file name, as some users may just filter for it and think they [would] be safe," he said.
Filtering wouldn't have done users much good, because Lovsan, or Blaster, is a network worm which spreads by scanning for port 135. If it's open, then the worm tries to exploit the RPC vulnerability. When the vulnerability is exploited, the worm then downloads an executable, msblast.exe, and sends the worm to other systems.
Lovsan/Blaster and Nachi/Welchia aren't the first worms to have differing names. In fact, antivirus companies are better than they used to be when naming malicious code. In the past, it wasn't unusual for a single piece of malware to have 10 names. Now, generally, there are two or three monikers that vendors agree on. (Also, the antivirus companies feature the names used by other vendors as aliases in their alerts.)
Companies may want standardized names for viruses and worms, but they probably aren't willing to pay the price for such continuity, said David Perry, Trend Micro Inc.'s global director of education. "What if the detection comes out one minute later [while antivirus companies] square the names? Never mind; it will take 15 or 20 minutes, at least," he said.
For Perry and other antivirus researchers, getting the protection out for a worm or virus is paramount. Making sure they use the same name as their competitors is a much lower concern. At times, antivirus companies have only minutes to name a worm.
Such arguments don't hold water with Robert Vibert, administrator of the Anti-Virus Information Exchange Network and an advocate for standardized names for viruses and worms. "Definitely, concentrate on detection on day 1, but then they should concentrate on the name on day 2," he said.
Vibert can see why it wouldn't be feasible for antivirus companies to work on a common name during the deadline pressure of getting detection files out. But once protection is available, the companies could then make sure their names are the same.
Perry points out that it is difficult for antivirus companies to change the names of worms, because the monikers are encoded in the pattern files. "As long as it's working, [detecting the worm, that is], we do not want to change it," he said.
Vibert suggests using a numbering system, rather than an actual name, when first releasing the pattern file. The naming issue is becoming a concern for companies because many use products from multiple antivirus software vendors. Companies then have to do the work of figuring out whether one set of scanners will find Nachi and another will catch Welchia. "The antivirus companies are offloading the work [ they should be doing] to users," Vibert said.
FOR MORE INFORMATION: