Virus Naming. The "Who's who?" Dilemma (1)

Got new malware. What shall we call it?

Anyone who has ever created something new is granted the
right to baptize it. However, given that they are born under the sign of
destruction and disruption, viruses are an exception to this rule.

Normally, you would not expect anything in the “John jr.”
vein. Any hint as to the identity of virus creators would probably get them
into trouble.  Plus, in order to avoid
adding to the glory of malware authors antimalware producers will probably
re-name the malware samples they discover. And the naming trouble does not stop
here. A scenario where several antimalware labs simultaneously conduct research
on the same new malware sample is not that uncommon. In this case, the first to
publicly announce the discovery gets to give it a name.

Aside from creativity and authorship, virus naming also
raises the issue of utility. Confronted with an overwhelming malware
population, researchers and antimalware producers have understood how important
it is to approach the naming process systematically. All in all, simple logic
calls for malware names that contain information the industry can recognize:
the affected platform, the virus family name and its spreading method.

regulatory attempt: the Caro System
In a 1991 meeting of Computer AntiVirus
Researcher Organization (CARO), a New
Virus Naming Convention
was agreed upon and it was supposed to provide a
means of avoiding the confusion generated by the lack of uniform regulations in
the virus naming process. According to this document, a full virus name should
have the following format:


Here is an example
of a virus name that complies with this model:

Stoned. Michelangelo.A

Virus Names

Though it appears to provide a clear solution to the
naming problem, this format is likely to raise uniformity- related issues as
well. A first grey area that the authors of the convention admit to is the
“family name” section:
attempt is made to group the existing viruses into families, depending on the
structural similarities of the viruses, but we understand that a formal
definition of a family is impossible

Starting from this inherent fallacy of the system, the
authors provide a few guidelines on how to choose a relevant family name:

  –  the use of brand,
company or individual’s names is forbidden (unless there is proof that the
individual actually created the virus),

existing virus family
names should be considered carefully to avoid confusion (does the virus belong
to that family? is the sample actually new or does it belong to an existing

  –  dates, geographic and
numeric names should be avoided because they can be misleading

The principles of agreed authorship and of utility are
clearly stated as a viable solution: If
multiple acceptable names exist, select the original one, the one used by the
majority of existing anti-virus programs or the more descriptive one

(to be continued)

About the author

Sabina DATCU

Sabina Datcu, PhD has background training in Applied Informatics and Statistics, Biology and Foreign Languages and Literatures. In 2003 she obtained a master degree in Systems Ecology and in 2009 a PhD degree in Applied Informatics and Statistics.
Since 2001, she was involved in University of Bucharest's FP 5 and FP6 European projects, as researcher in Information and Knowledge Management field.

In 2009, she joined the E-Threat Analysis and Communication Team at BitDefender as technology writer and researcher, and started to write a wide range of IT&C security-related content, from malware, spam and phishing alerts to technical whitepapers and press releases.


Click here to post a comment