What's in a name?
Shane Coursen, 2001-07-09

If you think battling computer viruses is hard, just try naming them.

Discussing computer viruses with lay people can sometimes be difficult. Nearly every time I refer to the VBS/VBSWG.J@mm virus by its correct name, for example, I find myself forced to add, "You know, the Anna Kournikova virus."

Crossed wires over virus names are nothing new. The very first virus had no fewer than five different names. Imagine the confusion at the time: not only did pioneer anti-virus researchers have to analyze the 'Brain' virus (now its officially accepted designation), they also had to wade through a grab-bag of aliases, as different analysts gave it different monikers. To some it was 'Pakistani,' to others 'Pakistani Brain,' 'Lahore,' 'Ashar,' or 'UIUC.'

In those very early years of antivirus work, names were typically descriptive of a virus' attributes. But there wasn't exactly a scientific basis for their selection. Before anybody knew it, there were many thousands of different names. Far more names than there were viruses.

Realizing a shoot-from-the-hip approach of naming computer viruses presented serious limitations in combating them, in 1991 a small group of antivirus researchers convened for the sole purpose of developing a standard for naming the beasts. That group, CARO (Computer Antivirus Research Organization) -- comprised of many leading authorities in the field of computer antivirus research -- continues to develop and refine computer virus naming standards today.

It's the CARO standard that gives us virus names like W97M/Pri.Q@mm.

The seemingly opaque name hides a wealth of information. 'W97M/' means this virus replicates under Microsoft Word 97. 'Pri' is the "family name," given by the individual who first 'discovers' or, more accurately, the first to announce the virus. '.Q' is the variant letter (there are now 27 or so known variants in the Pri family). '@mm' indicates this virus uses a mass-mailing technique to spread copies of itself.
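
As an added illustration (not code from this column or from CARO), the Python sketch below splits names of this form into the parts just described and maps the aliases mentioned earlier to their official designations. The pattern is inferred from the two names quoted in this column rather than taken from the CARO standard; the optional variant and the sample name W97M/Pri.A are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout inferred from the column's examples: Platform/Family.Variant@mm
NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z]+))?"   # assumption: the variant may be absent
    r"(?P<mm>@mm)?$"                   # mass-mailing suffix
)

# Aliases mentioned in the column, keyed in lower case.
ALIASES = {
    "anna kournikova": "VBS/VBSWG.J@mm",
    "pakistani": "Brain",
    "pakistani brain": "Brain",
    "lahore": "Brain",
    "ashar": "Brain",
    "uiuc": "Brain",
}

@dataclass(frozen=True)
class VirusName:
    platform: str
    family: str
    variant: Optional[str]
    mass_mailer: bool

def resolve_alias(name: str) -> str:
    """Return the official designation for a known alias, else the input unchanged."""
    return ALIASES.get(name.strip().lower(), name.strip())

def parse_name(name: str) -> Optional[VirusName]:
    """Split a Platform/Family.Variant@mm name; None if it does not fit that layout."""
    m = NAME_RE.match(resolve_alias(name))
    if m is None:
        return None  # e.g. 'Brain', which carries no platform prefix
    return VirusName(m["platform"], m["family"], m["variant"], m["mm"] is not None)

def same_family(a: str, b: str) -> bool:
    """True when both names parse and share platform and family; variants may differ."""
    pa, pb = parse_name(a), parse_name(b)
    return None not in (pa, pb) and (pa.platform, pa.family) == (pb.platform, pb.family)

if __name__ == "__main__":
    # "W97M/Pri.A" is a constructed sample name.
    for n in ("W97M/Pri.Q@mm", "Anna Kournikova", "Pakistani Brain", "W97M/Pri.A"):
        print(f"{n!r:20} -> {parse_name(n)}")
```
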

All In the Family
Viruses showing structural similarity are said to belong to the same family. The first step for a researcher analyzing a new virus is to determine to which of the nearly 10,000 already-defined families, if any, the virus belongs.

This is no small feat considering there are by some accounts currently close to 60,000 strains of computer viruses. It takes a keen eye and an even keener memory to ascertain a virus' family.

Assuming the researcher correctly concludes their virus does not belong to an existing family, they must then create a new family name. There are several very sensible rules when inventing a family name, and one of them states that the family name should not be a company name, brand name, or the name of a living person.

So how do we explain the Anna Kournikova virus?

Very simply put, it's an incorrect reference to the virus officially designated "VBS/VBSWG.J@mm". VBS/VBSWG.J@mm isn't an attractive name. Its name shows no association to a famous tennis player. And for those of us in the antivirus industry who prefer to avoid glorifying computer viruses through names, that is exactly the point.

Still, incorrect names are sometimes established in the public consciousness early on. Even if an antivirus company were to revise its name for the virus and call it by an official name, the chance of successfully getting the official name recognized by the masses as the name -- yet again -- is very small.

The question then becomes, do the antivirus software developers refer to the virus by its single official name, or do they also reference other names (including well-known names) as aliases? While this question seems basic, opinions differ.

Some say listing aliases is a good idea because it gives an end-user the ability to quickly determine if the virus is already known by another name. Those in favor of fewer names say aliases, and thus naming confusion, can be avoided if the use of aliases is discouraged.

While it is all well and good to develop standards, enforcing them is fraught with difficulties. Even if every antivirus company followed the naming standard religiously, enforcing the standard elsewhere is impossible. This is especially true today when it is not just the antivirus industry that regularly refers to the names of computer viruses.

Shane Coursen has worked in the field of antivirus research since 1992. He is currently CEO of WildList Organization International.
Copyright 2010, SecurityFocus