understanding virus names

Discussion in 'other security issues & news' started by Rita, Dec 22, 2004.

Thread Status:
Not open for further replies.
  1. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    Understanding virus names

    Antivirus vendors generally assign virus names consisting of a prefix, the name, and a suffix. Not all vendors follow this convention, however, and even those who do may sometimes use different designators. When attempting to find information about a particular virus, it can be helpful to understand how the names are formed.
    The prefix
    The prefix (when used) identifies the type of virus or malware it is. W32 or Win32, for example, denote that it is a Windows 32-bit infector and thus impacts Windows 95, 98, 2000, 2003, XP, Me, NT 4.0. Those that impact only Windows 95/98 often have prefixes of W95. Other vendors apply prefixes that are more indicative of the type of threat, rather than the platform it infects. For example, a TROJ prefix implies the file is a Trojan Horse, an I-Worm prefix indicates it is an Internet/email worm, and OM signifies that it is a Microsoft Office macro virus.

    W97M, WM, and X2KM are other examples of macro virus prefixes that both denote that it is a macro virus and provide clues as to what versions of Office (or products within Office) are impacted. For example, an X2KM prefix in a virus name indicates that it is a macro virus impacting the Office 2000 version of Excel.

    The prefix is usually separated from the name by an underscore, a period, or a slash.

    The name
    Following the prefix is the actual name of the malware. For example, W32/Bagle has a prefix of W32 and the worm itself is dubbed Bagle.

    The suffix
    Many viruses belong to the same family but are slightly different. To differentiate between these variants, antivirus vendors assign an alphabetical suffix. The original virus (or worm, Trojan, etc.) generally does not have a suffix assigned until after further variants of the same threat are discovered. For example, W32/Bagle became W32/Bagle.A after the 'B' variant was discovered.

    Subsequent variants are assigned descending letters of the alphabet, i.e. Bagle.A, Bagle.B, Bagle.C through to Bagle.Z. When the end of the alphabet has been reached, the count starts over. Thus, following Bagle.Z will be Bagle.AA, Bagle.AB, Bagle.AC, etc. The third pass through the alphabet would begin with Bagle.BA, Bagle.BB, Bagle.BC, etc. This will repeat as many times as necessary. As of October 2004, the prolific Gaobot variants had reached W32/Gaobot.BOW.

    The suffix is generally separated from the virus name by either a period or a dash.

    The modifier
    Some vendors also add a modifier after the suffix that further describes what type of malware it is. For example, @mm signifies a mass-mailing email worm and @dl is used by some to designate a downloader.

    Using the above information, we can quickly see that W32/Bagle.BB@mm is a Bagle variant that is a mass-mailing email worm impacting Windows 32-bit systems.

    One virus, many names
    It's one thing to understand how the name is constructed, but what if you are looking for information on the threat? It's important to remember that different vendors assign different names to the same virus. Thus when searching for information on a particular virus, it is imperative that both the vendor and the virus name be referenced.

    For example, if using a search engine to find information on Bagle.AT, make sure you also include the name of the vendor that identified it as such. Otherwise, a generic search on Bagle.AT could lead you to information that did not pertain to the particular virus your antivirus software had identified. What Trend Micro calls WORM_BAGLE.AT is W32/Bagle-AU to Sophos, W32/Bagle.bb@mm to McAfee, Win32.Bagle.AQ to Computer Associates, and I-Worm.Bagle.at to Kaspersky. Antivirus vendor Symantec not only considers it a different variant, they also have assigned a different name to the worm family. Instead of Bagle, Symantec persists in calling the family Beagle, thus the Bagle.AT variant used in this example is W32.Beagle.AW@mm to Symantec.
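
An added example, not part of the original post or of any vendor's tooling: a small parser for the prefix/name/suffix/modifier convention described above, run over the vendor names the post quotes for one worm. The prefix list contains only prefixes that appear in the post, and the function names are hypothetical.

```python
import re

# Prefixes that appear in the post above; not a complete vendor list.
PREFIXES = ("W32", "Win32", "W95", "TROJ", "I-Worm", "OM", "W97M", "WM",
            "X2KM", "WORM")

NAME_RE = re.compile(
    r"^(?:(?P<prefix>" + "|".join(re.escape(p) for p in PREFIXES) + r")[_./])?"
    r"(?P<name>[A-Za-z0-9]+)"           # family name, e.g. Bagle
    r"(?:[.-](?P<suffix>[A-Za-z]+))?"   # variant letters after '.' or '-'
    r"(?:@(?P<modifier>[A-Za-z]+))?$",  # optional modifier such as @mm
    re.IGNORECASE,
)

def parse_name(detection):
    """Split a detection name into prefix, name, suffix and modifier."""
    m = NAME_RE.match(detection.strip())
    if m is None:
        raise ValueError(f"not in prefix/name/suffix form: {detection!r}")
    return m.groupdict()

def variant_index(suffix):
    """Position of a variant suffix: A=1 ... Z=26, AA=27 ... BA=53."""
    n = 0
    for ch in (suffix or "").upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n

# The vendor names the post gives for one and the same worm.
SAME_WORM = {
    "Trend Micro": "WORM_BAGLE.AT", "Sophos": "W32/Bagle-AU",
    "McAfee": "W32/Bagle.bb@mm", "Computer Associates": "Win32.Bagle.AQ",
    "Kaspersky": "I-Worm.Bagle.at", "Symantec": "W32.Beagle.AW@mm",
}

def compare_vendors(names):
    """Map vendor -> (family, suffix, variant index) to expose the mismatch."""
    out = {}
    for vendor, detection in names.items():
        p = parse_name(detection)
        out[vendor] = (p["name"].capitalize(), (p["suffix"] or "").upper(),
                       variant_index(p["suffix"]))
    return out

if __name__ == "__main__":
    for vendor, row in compare_vendors(SAME_WORM).items():
        print(f"{vendor:20} {row}")
```

The six names for this one worm carry five different suffixes and two family names, which is why a lookup has to key on the vendor as well as the name.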
     
  2. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    With some virus scanners, you can actually view a list of known viruses and read about their ability. I know Norton Personal Antivirus once did so.

    Great post Rita ;)

    Jimbob
     
  3. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    Thanks Jimbob :)
     
  4. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    Great post Rita! One site you can use to look up viruses by name and vendor--

    vgrep
     
  6. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Does anyone know approximately how many viruses actually exist?

    Jimbob
     
  7. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    Thanks for link Ron
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    F-Prot lists the most that I know of. These are known including destructive programs. More are being written everyday.
     

  9. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    That's a lot of mess for us to clean up.

    Jimbob
     
  10. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    I'm not cleaning that up. I'm preventing this mess.
     
  11. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Good point, didn't see it from that angle.

    Jimbob
     
  12. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Correct. ;)
    Prevention is always better than cure.
     
  13. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    I remember seeing a list in 1995 of all the viruses that had been found and named before then. I bet the rate at which entries are entered to this list must have increased at such a rate since.

    Jimbob
     
  14. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    In the blink of an eye a new virus is already spreading, that's how fast it is.
     
  15. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    Niggling little virus around at the moment......
    W32Jimbob.D@mn
    Lurking around a couple of forums just waiting to pounce! :D :D :D :D
    Cheers JB,
    Buck.
     
  16. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    LOL!!! :D
    W32Jimbob.D@mn
    Security risk: Extremely critical
    If you see Jimbob1989 anywhere here, it's a deadly virus. Please ensure your system is up-to-date to protect against Jimbob. :D
     
    Last edited: Dec 25, 2004
  17. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Removal of W32.Jimbob.D@amn
    1. Burn the place down to the ground.
    2. Salt the earth to make sure that nothing ever grows again.
    3. Run away like hell.
    4. Pray... Pray... Pray...

    Seriously tho'
    Does anyone know of any offline virus encyclopedia? I've been looking for one for months now.
     
  18. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Intelligent Updater:
    Virus Definitions created December 25
    Virus Definitions released December 25
    Norton Antivirus Christmas Edition:
    Defs Version: 61224f
    Sequence Number: 39676
    Extended Version: 12/25/2004 rev. 6
    Total Viruses Detected: 68592 + 1(new)
    New virus added to detection list: W32Jimbob1989@mm
    Norton Antivirus will detect and remove all traces of Jimbob from your computer as a special Christmas offer!

    Have a nice day,
    From Symantec
     
  19. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    and.........avoid 10F like the plague!
    :D
     
  20. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Actually, if I was an internet nasty, would I not be a bot that works its way through forums?

    Jimbob
     
  21. Ga1tar

    Ga1tar Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    118
    Location:
    U.K
    A good nasty would be working inside the very industry set-up to eliminate them. As no-one would be looking at an insider spreading doom and gloom
     
  22. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    :ninja: Not me :ninja: *Jimbob says as Ga1tar is removed by 2 largely built men*

    Jimbob
     
  23. Ga1tar

    Ga1tar Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    118
    Location:
    U.K
    :D nice one, another one bites the dust
     