Knowing how to decipher a virus name gives you a key to the way a virus works and your level of vulnerability. Viruses, like plants, usually have a common name and an official name. Unlike botanical names, viruses' official names aren't in Latin, but sometimes they can be pretty difficult to decipher, nevertheless.
For example, a worm commonly known as Gokar has the official moniker W32.Gokar.A@mm. That @mm suffix is there for a reason: It indicates the worm propagates by mass-mailing itself by way of the victim's e-mail address book. Other mass mailers include Badtrans, Nimda, Sircam and Melissa.
You'll find other viruses have the slightly different suffix @m. For instance, one of the variants of the well-known KakWorm virus is JS.KakWorm.E@m. That @m suffix indicates this worm is a slow mailer. Unlike mass mailers, which send out infected e-mails to every one of the victim's contacts, slow mailers send out infected e-mails one at a time or in small batches at intervals. This usually makes them less effective, and you'll find mass mailers much more common these days.
By the way, the JS in JS.KakWorm.E@m indicates this virus is written in the programming language JavaScript, while the W32 in Gokar's official name indicates the virus is designed to run on any 32-bit Windows operating system (that includes Windows 95, 98, Me, XP, 2000 and NT).
What's in a name?
Virus names consist of a prefix, a name and a suffix. Here's an example:
W97M.Pacol.A
The prefix denotes the operating system or platform on which the virus runs or the type of virus it is. In this case, the W97M indicates it's a Word 97 macro virus. The name is the family name of the virus, in our example, Pacol. The suffix, which is not always present, distinguishes among variants of the same virus family and is also used to indicate whether the virus is an e-mail or mass mailing virus, as we've seen above. The A in this virus's name indicates it's the first of its family.
Who gets to name the virus? They're usually named by the discoverers, who are often anti-virus manufacturers. Because of that, some viruses end up with multiple names, depending on who gets there first.
Virus prefixes
Note that while a virus prefix indicates the main target platform, some viruses will run on other, similar platforms. For instance, an Excel 95 virus may well infect Excel 97 spreadsheets, too.
Standard virus prefixes are:
A2KM Access 2000 macro virus.
A97M Access 97 macro virus.
AM Access 95 macro virus.
AOL Trojan horse in America Online environment, usually designed to steal AOL passwords.
BAT Batch file threats.
Backdoor Threats allowing unauthorised access to computers on the Internet.
DDoS A Distributed Denial of Service attack which attempts to flood an Internet site with traffic from multiple machines on the net.
DoS Denial of Service attack.
HLLC High Level Language Companion viruses, usually DOS-based, which create a 'companion' file to the virus in order to spread.
HLLO High Level Language Overwriting viruses, usually DOS-based, which overwrite host files with the virus code.
HLLP High Level Language Parasitic viruses, usually DOS-based, which attach themselves to the host files.
HTML Viruses which attack HTML files.
IRC Threats spread via IRC (Internet Relay Chat).
JS Attacks written in JavaScript.
Java Attacks written in Java.
Linux Attacks targeted at Linux-based systems.
O2KM Microsoft Office 2000 macro virus.
O97M Office 97 macro virus.
OM Office macro virus.
PWSTEAL Password-stealing Trojan horses.
Palm Attacks targeted at Palm-based devices.
Trojan/Troj Trojan horses. Trojans don't replicate like viruses. Instead, they masquerade as regular programs while doing something nefarious (such as stealing passwords) in the background.
Unix Attacks targeted at Unix-based systems.
VBS Viruses written in Visual Basic Script.
W2KM Word 2000 macro virus.
W32 Viruses targeted at all 32-bit versions of Windows (all versions from Windows 95 on).
W95 Attacks targeted at Windows 95 machines (which may also affect other Windows systems, especially Win98 and WinMe).
W97M Word 97 macro virus.
W98 Attacks targeted at Windows 98 systems.
WM Word macro viruses.
WNT Attacks targeted at Windows NT systems.
Win Attacks targeted at Windows 3.x.
X2KM Excel 2000 macro viruses.
X97M Excel 97 macro viruses.
XF Excel formula viruses (built on Excel 4 formulae embedded in newer versions of Excel).
XM Excel 95 macro viruses.
Virus suffixes
Standard virus suffixes include:
@m Virus or worm propagates via e-mail.
@mm Virus or worm propagates by mass e-mailing.
dr A dropper. A dropper is capable of creating and 'dropping' a virus onto a system, although it, itself, is not detectable as a virus.
Family A virus which shares most of its characteristics with other 'familial' viruses.
Gen Similar to Family.
Int A failed virus. The virus is INTended to spread, but doesn't due to bugs in its design.
Worm A worm, which propagates across a network or via another transport mechanism.
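The prefix.name.suffix scheme described above can be applied mechanically, for example when triaging names in anti-virus alerts. The Python sketch below is an added example, not part of the original article or any vendor's tooling. The function name parse_name and the treatment of dr, Family, Gen, Int and Worm as dot-separated trailing tags are assumptions, since the article does not show how those suffixes are written in a full name.

```python
import re

# Meanings abbreviated from the prefix and suffix lists on this page.
PREFIXES = {
    "A2KM": "Access 2000 macro", "A97M": "Access 97 macro", "AM": "Access 95 macro",
    "AOL": "AOL Trojan", "BAT": "batch file", "BACKDOOR": "backdoor",
    "DDOS": "distributed denial of service", "DOS": "denial of service",
    "HLLC": "HLL companion", "HLLO": "HLL overwriting", "HLLP": "HLL parasitic",
    "HTML": "HTML", "IRC": "IRC", "JS": "JavaScript", "JAVA": "Java",
    "LINUX": "Linux", "O2KM": "Office 2000 macro", "O97M": "Office 97 macro",
    "OM": "Office macro", "PWSTEAL": "password-stealing Trojan", "PALM": "Palm",
    "TROJAN": "Trojan horse", "TROJ": "Trojan horse", "UNIX": "Unix",
    "VBS": "Visual Basic Script", "W2KM": "Word 2000 macro", "W32": "32-bit Windows",
    "W95": "Windows 95", "W97M": "Word 97 macro", "W98": "Windows 98",
    "WM": "Word macro", "WNT": "Windows NT", "WIN": "Windows 3.x",
    "X2KM": "Excel 2000 macro", "X97M": "Excel 97 macro", "XF": "Excel formula",
    "XM": "Excel 95 macro",
}
MAILERS = {"@m": "e-mail", "@mm": "mass e-mail"}
TAGS = {"DR": "dropper", "FAMILY": "family", "GEN": "generic (similar to family)",
        "INT": "intended (failed)", "WORM": "worm"}


def parse_name(full):
    """Split an official name into prefix, family, variant, tags and mailer."""
    m = re.fullmatch(r"\s*([^@\s]+?)(@mm?)?\s*", full)
    parts = [p for p in m.group(1).split(".") if p] if m else []
    if not parts:
        raise ValueError(f"not a recognisable virus name: {full!r}")
    prefix = None
    # A lone word such as "Gokar" is a common name, not a prefix.
    if len(parts) > 1 and parts[0].upper() in PREFIXES:
        prefix = parts.pop(0)
    family, rest = parts[0], parts[1:]
    return {
        "prefix": prefix,
        "platform": PREFIXES[prefix.upper()] if prefix else None,
        "family": family,
        "variant": ".".join(p for p in rest if p.upper() not in TAGS) or None,
        "tags": [TAGS[p.upper()] for p in rest if p.upper() in TAGS],
        "propagation": MAILERS.get(m.group(2)),
    }


if __name__ == "__main__":
    for sample in ("W32.Gokar.A@mm", "JS.KakWorm.E@m", "W97M.Pacol.A"):
        print(parse_name(sample))
```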
Becoming virus savvy
If you'd like to become more knowledgeable about viruses, put the Symantec Security Response site on your regular surfing schedule. This site is a goldmine of information. It's a particularly useful resource when you receive a virus 'warning' from a friend or colleague and you're not sure whether it's bogus or not, and whether you should pass it on. A quick visit to Symantec's Hoax Center should tell you all you need to know.
© 2002, Rose Vines