Re: McAfee's Naming Convention of Computer Viruses, Worms and Trojans
From: Bill Sanderson (Bill_Sanderson_at_msn.com.plugh.org)
Date: 12/19/03
- Next message: deke: "Re: agobot; spybot"
- Previous message: David H. Lipman: "Re: agobot; spybot"
- In reply to: David H. Lipman: "McAfee's Naming Convention of Computer Viruses, Worms and Trojans"
- Next in thread: David H. Lipman: "Re: McAfee's Naming Convention of Computer Viruses, Worms and Trojans"
- Reply: David H. Lipman: "Re: McAfee's Naming Convention of Computer Viruses, Worms and Trojans"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 19 Dec 2003 13:33:52 -0500
Thanks - that is very useful. And, there is some standardization--CARO.
CARO doesn't seem to be published on the web that I can spot.
Here's Symantec's description of the naming issue:
http://securityresponse.symantec.com/avcenter/reference/virus.and.vulnerability.pdf
The most current formulation of the CARO conventions seems to be the Nick
Fitzgerald article on page 7 of this Virus Bulletin:
http://www.virusbtn.com/magazine/archives/pdf/2003/200301.pdf
Here's an article in about the same time frame complaining about the naming
issue:
http://reviews-zdnet.com.com/4520-7297_16-4207801.html
This is not a simple issue apparently. It still appears to me that there is
some politics issue here--and that there needs to be a dual standard--a
proper "scientific name" for each critter, and a generic "common name" for
use in giving information to users when something is detected.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OW7p9lcxDHA.556@TK2MSFTNGP11.phx.gbl...
> The following information is from NAI/McAfee and is posted for reference
> only and they own the rights to this information.
>
> Dave
> ~ ~ ~ ~ ~ ~ ~ ~
> UNDERSTANDING VIRUS NAMES
>
> Our anti-virus software typically follows
> industry-wide naming conventions to identify
> the viruses that it detects and cleans.
> Occasionally, some virus names deviate from
> strict industry standards.
>
> The first virus with a given set of
> characteristics that mark it as a distinctly
> new entity receives a "family" name. Virus
> researchers draw the family name from some
> identifying quirk or notation in the virus,
> such as a text string, or a payload effect.
>
> A family name can also include a numeric string
> that designates the byte size of the virus.
> Researchers use this name as convenient
> shorthand to distinguish closely allied virus
> variants.
>
> Names for variants within a virus family
> consist of the family name and a suffix -
> BadVirus.a, for example. The suffix continues
> in alphabetical order until it reaches z. Then
> it begins again with aa and continues to az.
> Still later variants receive the suffix ba
> through bz, and so forth, until the suffix
> reaches zz. If yet another variant appears
> after that, it will have the suffix aaa.
>
> As new virus strains appeared, industry naming
> conventions evolved to include more
> information. Some names, for instance, include
> parts that identify the platform on which the
> virus can run.
>
> Among anti-virus vendors, virus names can
> include a prefix, an infix and a suffix.
>
>
> PREFIX
>
> The prefix designates the type of file that the
> virus infects or the platform on which
> potentially harmful software can run. Viruses
> that infect DOS executables do not receive a
> prefix. Our naming convention includes the
> following prefixes:
>
> A97M/ Macro virus that infects Microsoft
> Access 97 files.
>
> APM/ Macro virus or Trojan-horse program
> that infects Ami Pro document and
> template files.
>
> Bat/ Batch-file virus or Trojan-horse
> program. These viruses usually run
> as batch or script files that
> affect a particular program that
> interprets the script or batch
> commands they include. They are
> very portable and can affect nearly
> any platform that can run batch or
> script files. The files themselves
> often have a BAT extension.
>
> CSC/ Corel Script virus or Trojan-horse
> program that infects Corel Draw
> document files, template files, and
> scripts.
>
> IRC/ Internet Relay Chat script virus.
> This virus type can use early
> versions of the mIRC client
> software to distribute a virus or
> payload.
>
> JS/ Script virus or Trojan-horse
> program written in JavaScript
> language.
>
> JV/ Potentially harmful Java
> application or applet.
>
> Linux/ Virus or Trojan-horse program
> compiled for Linux OS in ELF file
> format.
>
> LWP/ Potentially harmful software for
> Lotus WordPro.
>
> MacHC/ Virus or Trojan-horse program for
> Apple Macintosh HyperCard scripting
> language.
>
> MacOS/ Virus or Trojan-horse program for
> Apple Macintosh OS Versions 6-9.
>
> MSIL/ Application written using Microsoft
> Intermediate Language framework,
> also known as .NET.
>
> P98M/ Macro virus or Trojan-horse program
> that infects Microsoft Project
> documents and templates.
>
> PalmOS/ Virus or Trojan-horse program for a
> Palm Pilot.
>
> PDF/ File-infector of Adobe PDF files.
>
> Perl/ Script virus or Trojan-horse
> program written in Perl language.
>
> PHP/ Script virus or Trojan-horse
> program written in PHP language.
>
> PP97M/ Macro virus. Infects Microsoft
> PowerPoint 97 files.
>
> SunOS/ Potentially harmful software for
> Sun Solaris.
>
> SWF/ Potentially harmful software for
> Shockwave.
>
> Unix/ Program or a shell script for a
> version of UNIX.
>
> V5M/ Macro or script virus, or
> Trojan-horse program that infects
> Visio VBA (Visual Basic for
> Applications) macros or scripts.
>
> VBS/ Script virus or Trojan-horse
> program written in Visual Basic
> Script language.
>
> W16/ File-infector virus that runs in
> 16-bit Microsoft Windows
> environments (Windows 3.1x).
>
> W2K/ Potentially harmful software for
> 32-bit Microsoft Windows
> environments, specifically Windows
> NT, 2000 or XP.
>
> W32/ File-infector or boot-sector virus
> that runs in 32-bit Microsoft
> Windows environments (Windows 95,
> Windows 98 or Windows NT).
>
> W95/ File-infector virus that runs in
> Microsoft Windows 95, Windows 98
> and Windows ME environments.
>
> W97M/ Macro virus that infects Microsoft
> Word 97 files.
>
> WHLP/ Potentially harmful software for
> 32-bit Microsoft Windows
> environments that targets Windows
> HLP files.
>
> WM/ Macro virus that infects Microsoft
> Word 95 files.
>
> X97M/ Macro virus that infects Microsoft
> Excel 97 files.
>
> XF/ Macro virus that infects Microsoft
> Excel 95 or 97 via Excel formulas.
>
> XM/ Macro virus that infects Microsoft
> Excel 95 files.
>
>
> PREFIX FOR TROJAN-HORSE CLASSES
>
> A name such as "BackDoor-" denotes potentially
> harmful software that belongs to a class of
> similar Trojan-horse programs. The class name
> is followed by extra characters to denote a
> family (such as BackDoor-JZ) or a name (such as
> BackDoor-Sub7).
>
> AdClicker-
> Repeatedly accesses web sites that
> are funded by advertising.
>
> Adware- Installs advertising software but
> does not ask permission.
>
> BackDoor-
> Provides remote access or control
> through the Internet or network.
>
> Dialer- Dials a phone number without asking
> for permission.
>
> DDoS- Operates as a Distributed Denial of
> Service component.
>
> Del- Deletes files.
>
> Downloader-
> Downloads software from the
> Internet, usually to deliver
> backdoors, password stealers, and
> sometimes viruses.
>
> Exploit- Uses a vulnerability or a software
> defect.
>
> FDoS- Denotes a Flooding Denial of
> Service component.
>
> KeyLog- Logs keystrokes for immediate or
> future transmission to the
> attacker.
>
> Kit- Denotes a program designed for
> creating a virus or Trojan-horse
> program.
>
> MultiDropper-
> Drops several Trojan-horse program
> or viruses (often several different
> 'backdoors').
>
> Nuke- Uses defects in software on a
> remote computer to bring it down.
>
> ProcKill-
> Terminates the processes of
> anti-virus and security products.
> May also delete files associated
> with such applications.
>
> PWS- Steals a password.
>
> Reboot- Reboots the computer.
>
> Reg- Modifies the Registry in an
> undesirable fashion without asking
> questions. For example, reduces the
> security settings or creates
> abnormal associations or sets.
>
> Spam- Acts as a spamming tool.
>
> Spyware- Monitors browsing habits or other
> behavior and sends the information
> out, often for unsolicited
> advertising.
>
> Uploader- Sends files or other data from the
> computer.
>
> Vtool- Denotes a program used by virus
> writers or hackers for developing
> software.
>
> Zap- Wipes all or part of a hard disk.
>
>
> INFIX
>
> These designations usually appear in the middle
> of a virus name. AVERT assigns these
> designations, which differ from industry
> conventions.
>
> .cmp. Companion file that the virus adds
> to an existing executable file. Our
> anti-virus software deletes the
> companion file to prevent later
> infections.
>
> .mp. Legacy multi-partite virus for
> DOS.
>
> .ow. Overwriting virus. This identifies
> a virus that overwrites data in a
> file, thereby irreparably
> corrupting it. This file must be
> deleted.
>
>
> SUFFIX
>
> These designations usually appear as the last
> part of a virus name. A virus name can have
> more than one suffix. One might designate a
> variant, for example, while others give
> additional information.
>
> @M Slow mailer. This virus uses an
> e-mail system to spread. It usually
> replies to an incoming message
> once, or attaches itself to an
> outgoing message, or sends to just
> one e-mail address.
>
> @MM Mass mailing distribution. This
> virus might use standard techniques
> to propagate itself, but also uses
> an e-mail system to spread.
>
> .a - .zzz Virus variants.
>
>
> In accordance with the CARO (Computer
> Anti-virus Research Organization) naming
> convention, the vendor-specific suffixes can be
> preceded by a "!" character. Our software uses
> the following suffixes:
>
>
> apd Appended virus. A virus that
> appends its code to the file it
> infects, but fails to provide for
> correct replication.
>
> bat Software component in BAT
> language.
>
> cav Cavity virus. This designates a
> virus that copies itself into
> "cavities" (for example, areas of
> all zeroes) in a program file.
>
> cfg Configuration component of an
> Internet Trojan-horse program
> (frequently of a 'BackDoor-').
>
> cli Client-side component of an
> Internet Trojan-horse program
> (frequently of a 'BackDoor-').
>
> dam Damaged file. A file that is
> damaged or corrupted by an
> infection.
>
> demo Program that demonstrates
> potentially harmful action, such as
> an example of how an exploit
> works.
>
> dr Dropper file. This file introduces
> the virus into the host program.
>
> gen Generic detection. Native routines
> in our software detect this virus
> without using specific code
> strings.
>
> ini An mIRC or pIRCH script when it is
> a component of another virus.
>
> intd "Intended" virus. This virus has
> most of the usual virus
> characteristics but cannot
> replicate correctly.
>
> irc IRC component of potentially
> harmful software.
>
> js Potentially harmful software
> component in JavaScript.
>
> kit Virus or Trojan-horse program
> created from a 'virus construction
> kit'.
>
> p2p Potentially harmful software that
> uses peer-to-peer communication to
> function. For example, Gnutella and
> Kazaa.
>
> sfx Self-extracting installation
> utility for Trojan-horse programs.
>
> src Viral source code. This ordinarily
> cannot replicate or infect files,
> but some virus droppers add this to
> files as part of the infection
> cycle. Our products routinely flag
> files with additional code of this
> sort for deletion.
>
> sub Substitution virus. It substitutes
> the host file with itself, so that
> all infected hosts are of the same
> size and are a pure virus. (That
> is, a subclass of overwriting
> viruses.)
>
> svr Server-side component of an
> Internet Trojan-horse program,
> often of a 'backdoor'.
>
> vbs Potentially harmful software
> component written in Visual Basic
> Script language.
>
> worm A non-parasitic virus that copies
> itself, or a virus that propagates
> through a network by copying to
> remote computers or by sending
> itself out via any means of file
> transmission such as remote shares,
> peer-to-peer, instant messaging,
> IRC file transfers, FTP, and SMTP.
>
>
> GENERIC DETECTIONS
>
> Our software detects a huge amount of
> potentially harmful software proactively and
> generically. In most cases, such objects are
> successfully cleaned even without AVERT ever
> receiving a sample. Such detection is denoted
> by "Generic" in the name or a "gen" suffix.
>
> To submit a sample to AVERT, visit the AVERT
> home page. See "CONTACTING MCAFEE SECURITY &
> NETWORK ASSOCIATES".
>
>
> HEURISTIC DETECTIONS
>
> Our software detects a huge amount of new
> potentially harmful software heuristically.
> Such detection is flagged using the "New"
> prefix to the name (for example "New Worm" and
> "New Win32").
>
> To submit any sample that was detected
> heuristically, visit the AVERT home page. See
> "CONTACTING MCAFEE SECURITY & NETWORK
> ASSOCIATES".
>
>
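The quoted text lays out a small grammar: an optional "New " heuristic flag, a platform prefix ending in "/", a Trojan class ending in "-", the family name, dotted infixes and a variant, then "@M"/"@MM" and "!"-prefixed vendor suffixes. The following parser is an added example for this archive page, not McAfee or AVERT code, and makes three assumptions the text does not pin down: vendor suffixes are always written in the "!" form, the trailing "@MM" and "!xxx" parts may appear in any order, and an infix word ("cmp", "mp", "ow") only counts as an infix when another segment follows it (so a trailing ".mp" is the variant "mp"). The sample names are constructed; only "BadVirus.a", "BackDoor-Sub7", "BackDoor-JZ" and "New Worm" appear in the thread.

```python
# Added example: parser for detection names as described in the quoted
# McAfee text. Not McAfee/AVERT code. Assumptions: '!' form for vendor
# suffixes, any order of '@MM' / '!xxx' at the end, infix words only
# count as infixes when another segment follows.
import re
from dataclasses import dataclass, field
from typing import List, Optional

INFIXES = {"cmp": "companion file", "mp": "legacy DOS multi-partite",
           "ow": "overwriting, file must be deleted"}

# Vendor-specific '!' suffixes from the quoted table.
VENDOR_SUFFIXES = {
    "apd": "appended but not replicating", "bat": "BAT component",
    "cav": "cavity virus", "cfg": "Trojan config component",
    "cli": "Trojan client side", "dam": "damaged by infection",
    "demo": "demonstration program", "dr": "dropper",
    "gen": "generic detection", "ini": "mIRC/pIRCH script component",
    "intd": "intended virus, cannot replicate", "irc": "IRC component",
    "js": "JavaScript component", "kit": "built with a construction kit",
    "p2p": "peer-to-peer", "sfx": "self-extracting installer",
    "src": "viral source code", "sub": "substitution virus",
    "svr": "Trojan server side", "vbs": "VBScript component",
    "worm": "worm, copies itself over the network",
}

NAME_RE = re.compile(
    r"^(?P<heur>New )?"                   # heuristic flag, e.g. 'New Worm'
    r"(?:(?P<platform>[A-Za-z0-9]+)/)?"   # platform prefix, e.g. 'W32/'
    r"(?:(?P<tclass>[A-Za-z]+)-)?"        # Trojan class, e.g. 'BackDoor-'
    r"(?P<family>[A-Za-z0-9_]+)"          # family name
    r"(?P<segments>(?:\.[a-z0-9]+)*)"     # infixes and variant
    r"(?P<tail>(?:@MM?|![a-z0-9]+)*)$"    # mailer flag and '!' suffixes
)


@dataclass
class DetectionName:
    raw: str
    heuristic: bool
    platform: Optional[str]
    trojan_class: Optional[str]
    family: str
    infixes: List[str] = field(default_factory=list)
    variant: Optional[str] = None
    mailer: Optional[str] = None          # 'slow' (@M) or 'mass' (@MM)
    vendor_suffixes: List[str] = field(default_factory=list)


def variant_index(v: str) -> int:
    """Position in the sequence a..z, aa..az, ba..zz, aaa.. (bijective
    base 26): a=0, z=25, aa=26, zz=701, aaa=702."""
    if not re.fullmatch(r"[a-z]{1,3}", v):
        raise ValueError(f"bad variant: {v!r}")
    n = 0
    for ch in v:
        n = n * 26 + (ord(ch) - ord("a") + 1)
    return n - 1


def variant_from_index(i: int) -> str:
    """Inverse of variant_index: 702 -> 'aaa'."""
    n, out = i + 1, []
    while n > 0:
        n, rem = divmod(n - 1, 26)
        out.append(chr(ord("a") + rem))
    return "".join(reversed(out))


def parse_name(name: str) -> DetectionName:
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised detection name: {name!r}")
    d = DetectionName(raw=name, heuristic=bool(m["heur"]),
                      platform=m["platform"], trojan_class=m["tclass"],
                      family=m["family"])
    segs = [s for s in m["segments"].split(".") if s]
    for pos, seg in enumerate(segs):
        # 'mp' is an infix only in the middle (".mp.b"); as the last
        # segment it is simply the variant string "mp".
        if seg in INFIXES and pos < len(segs) - 1:
            d.infixes.append(seg)
        elif re.fullmatch(r"[a-z]{1,3}", seg) and d.variant is None:
            d.variant = seg
        else:
            raise ValueError(f"unexpected segment {seg!r} in {name!r}")
    for tok in re.findall(r"@MM?|![a-z0-9]+", m["tail"]):
        if tok == "@MM":
            d.mailer = "mass"
        elif tok == "@M":
            d.mailer = "slow"
        else:
            d.vendor_suffixes.append(tok[1:])
    return d


def describe(d: DetectionName) -> List[str]:
    """Plain-language notes for the flags carried by a parsed name."""
    notes = []
    if d.heuristic:
        notes.append("heuristic detection, no specific signature")
    for ix in d.infixes:
        notes.append(f"infix {ix}: {INFIXES[ix]}")
    if d.mailer:
        notes.append(f"{d.mailer} mailer")
    for s in d.vendor_suffixes:
        notes.append(f"suffix {s}: {VENDOR_SUFFIXES.get(s, 'not in the quoted table')}")
    return notes


if __name__ == "__main__":
    # Constructed sample names following the quoted conventions.
    for n in ["W32/BadVirus.a@MM", "BackDoor-Sub7!cli", "BadVirus.mp.b",
              "New Worm", "W32/BadVirus.a!dr!gen"]:
        d = parse_name(n)
        print(n, "->", d.platform, d.trojan_class, d.family, d.variant, describe(d))
    print(variant_index("zz"), variant_from_index(702))
```

The "!" requirement is the practical point: "dr", "gen" and "cli" are also valid variant strings under the a..zzz rule, so without the separator a tokenizer cannot tell a dropper flag from a variant letter. The `variant_index` helper makes the alphabetical ordering described in the quoted text explicit (z is followed by aa, zz by aaa), which is what you need when sorting or de-duplicating detection names from several scanners.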