Wednesday, August 22, 2007

How to Read Virus Names

Antivirus vendors generally assign virus names consisting of a prefix, the name, and a suffix. Not all vendors follow this convention, however, and even those who do may sometimes use different designators. When attempting to find information about a particular virus, it can be helpful to understand how the names are formed.

The prefix
The prefix (when used) identifies the type of virus or malware it is. W32 or Win32, for example, denote that it is a Windows 32-bit infector and thus impacts Windows 95, 98, 2000, 2003, XP, Me, NT 4.0. Those that impact only Windows 95/98 often have prefixes of W95. Other vendors apply prefixes that are more indicative of the type of threat, rather than the platform it infects. For example, a TROJ prefix implies the file is a Trojan Horse, an I-Worm prefix indicates it is an Internet/email worm, and OM signifies that it is a Microsoft Office macro virus.
W97M, WM, X2KM are other examples of macro virus prefixes that denote both the fact that it is a macro virus and provides clues as to what versions of Office (or products within Office) are impacted. The prefix is usually separated from the name by an underscore, a period, or a slash.

The name
Following the prefix is the actual name of the malware. For example, W32/Bagle has a prefix of W32 and the worm itself is dubbed Bagle.

The suffix
Many viruses belong to the same family but are slightly different. To differentiate between these variants, antivirus vendors assign an alphabetical suffix. The original virus (or worm, Trojan, etc.) generally does not have a suffix assigned until after further variants of the same threat are discovered. For example, W32/Bagle became W32/Bagle.A after the 'B' variant was discovered. Subsequent variants are assigned descending letters of the alphabet, i.e. Bagle.A, Bagle.B, Bagle.C through to Bagle.Z. When the end of the alphabet has been reached, the count starts over. This will repeat as many times as necessary. As of October 2004, the prolific Gaobot variants had reached W32/Gaobot.BOW.

The modifier
Some vendors also add a modifier after the suffix that further describes what type of malware it is. For example, @mm signifies a mass-mailing email worm and @dl is used by some to designate a downloader. Using the above information, we can quickly see that W32/Bagle.BB@mm is a Bagle variant that is a mass-mailing email worm impacting Windows 32-bit systems.


Post a Comment

<< Home