Difficulties in Naming Viruses

A search of Anti-Virus websites on the 14th and 15th March showed alerts about a confusing number of virus names, but, it became clear, the alerts were about a single virus. Differences in naming are common, and users frequently ask for unified naming. On the whole, anti-virus researchers agree that unified naming would be good, but, so far, it has proved impossible. Let us take W32/FBound as an example, and examine the reasons for the differences.

Below is a listing of the names and the companies' sites they were taken from. The names in brackets are listed on the sites as aliases. The companies are in no particular order. So, it appears that the author included his (or her) suggested name in the virus itself, Symantec, at different times, called it by three different names, Trend Micro by another three, and so on.

Before examining the list in detail, it is worth looking at the naming standard defined by the Computer Anti-Virus Research Organisation. They recommend:

• No personal or company names
• No rude or obscene words
• Do not follow the author's suggestion
• Use the form Platform/Family.Size.Variant@Suffix

The parts of the name are:

Platform: The environment or platform that the virus requires, such as W32 for 32-bit Windows (i.e., Windows 95, 98, NT, 2000 etc.) or VBS for Visual Basic Script.

Family: A name for the family of related viruses. It must not clash with the name of any existing, unrelated virus. Normally, the first researcher to identify the family names it.

Size: For binary file viruses, the size, in bytes of the virus code.

Variant: A letter or letters assigned sequentially as variants are identified. So, the first variant is .A, the second .B, the twenty-seventh .AA and so on.

Suffix: If a virus emails itself to addresses individually, the suffix m for "mailer" is used, if it emails itself to many addresses (for example, the whole address book), the suffix mm for "mass mailer" is used.

So, this defines the structure of the name, and most companies follow this (with minor variations in punctuation, like "." instead of "/"). Trend Micro is a notable exception; first, they use different abbreviations for the platform (e.g., PE for Portable Executable instead of W32), second, instead of the platform they might use the type of malware: TROJAN or WORM. Understanding the company's naming conventions, we can realise that WORM_FBOUND.C and W32/Fbound.C both refer to the third variant in the Fbound family.

What happened with FBound? At the beginning of March, two viruses were discovered and Trend Micro initially called then FIDAO.A and JAPANIZE.A. Other companies realised that they were variants in the same family, and called them Fbound.A and B. Trend changed their naming to follow the consensus.

On 14th March, a minor variant of FBound, very similar to FBound.B, started spreading rapidly. I cannot be certain who saw it first; certainly the first alert I saw was from Trend Micro, calling it WORM_FBOUND.B. Network Associates soon warned about W32/Fbound.c@MM, and MessageLabs about W32/Impat.A-mm. Symantec warned about W32.Dotjaypee@mm. So, initially MessageLabs and Symantec thought they had isolated a new family, and Trend Micro considered the virus to be the same as one they already identified. After further investigation, the relationships became clearer, however, Symantec was already using the name Impo for this family, and Kaspersky uses Zircon. Then, it was realised that Impo has rude connotations in Japanese, as an abbreviation for Impotent, so Symantec changed their name again to FBound.

A further complication is the use of generic identification. Symantec actually reports W32.FBound.gen@mm, the gen stands for "generic", and it will give the same name for the A, B and C variants. Generic detection is good - designing a product so that it can detect variants of known viruses makes sense. Researchers disagree on whether generic identification is good - once the virus has been detected, is it necessary to test further until the exact variant has been identified, or is it OK to report "Family.gen"? I will not cover the full arguments on both sides here. The result in this case is that Symantec's use of generic detection and reporting of aliases used by other companies makes it appear that Trend Micro used three different names for one virus: FIDAO, JAPANIZE and FBOUND. In reality, they used different names for two variants, and later standardised them.

Who is right? Well, today almost all companies agree that Fbound.C was the virus that spread rapidly on 14th March 2002, just Kaspersky prefers the family name Zircon. Most of the confusion happened in the first day and at that point the important task was to get the thing detected. Anti-virus products have to give some name when the virus is found, it would make no sense to wait four days, until the naming was sorted out, before releasing the updates! Some things could have been done better: Trend Micro should have known not to use the author's suggestion. In this case, the problem originated at the beginning of March, when companies started using Fbound, Impo and Zircon as names for uncommon viruses, but it only became an issue when the fast-spreading third variant appeared, there are probably many other cases where there are unrecognised differences in naming.

I hope this illustrates that the anti-virus companies are not making the names different to be difficult, there are real constraints that cause the complexity and confusion. There are disagreements about the naming of species in biology, but there the issues can be worked out over months or years.

Finally, this is just one recent example and specific details, such as which company sent the first warning, or did not immediately recognise the relationship between variants are not general indicators of that company's performance on other occasions.

Alternative Names