AnchorDesk

What's in a virus's name? Everything you need to know!

Robert Vamosi
Senior Editor, Reviews
Wednesday, January 9, 2002
Over the holidays, a single Internet worm made headlines, yet you may never have seen or heard its proper name: w32.Maldal@mm. Like a lot of other journalists, I opted to use the more popular names of Reeezak and Zacker. Not even the antivirus companies were consistent, as they referred to Maldal as Hallad, KeyLuc, Reeezak, and Zacker.

So how are you supposed to know what's attacking your system? Good question. To answer it, let's look at how a virus gets its name.

Computer viruses are assigned names according to a convention adopted by the Computer Antivirus Research Organization (CARO) in 1991. The CARO Naming Convention is the result of a committee consisting of virus experts Fridrik Skulason, Alan Solomon, and Vesselin Bontchev. Antivirus companies use the same basic convention, though they have tacked on their own prefixes and suffixes.

THE FIRST PART of the virus name designates what type of troublemaker it is--Trojan horse, Visual Basic script, or 32-bit Windows virus. This is followed by the specific name of the virus family, the group name, any known major or minor variations, and whether or not it's an e-mail virus or a mass-mailing virus. Hence we arrive at something that looks like this: W32.Anyvirus.A@mm. Translation: Anyvirus variation A is a mass-mailing, 32-bit Windows virus.

Back in mid-December, a rather minor worm appeared worldwide. Kaspersky Labs called it Hallad and Sophos called it Zacker, while the rest of the antivirus companies named it after a file the active virus created: maldal.exe. Usually, antivirus companies will announce a virus under one name, then change the name to conform with the industry convention. To stay on top of it all, antivirus software maker McAfee provides a list of all the known names of a given virus and the antivirus company naming it--it's a great resource.
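The naming layout described above, together with the alias problem that McAfee's cross-reference list exists to solve, worked as an added Python example (not code from the column or from any antivirus vendor): a small parser for CARO-style names plus a lookup that maps vendor or popular names back to the family. The type-code subset and the alias table are constructed for the example; the alias entries follow what the column states about Hallad, KeyLuc, Reeezak and Zacker.

```python
import re
from typing import Dict, Optional, Tuple

# Layout the column describes: <type>.<family>[.<variant>][@m|@mm]
# The type codes are a constructed subset of CARO platform/type prefixes.
_PREFIXES = {"w32": "W32", "w95": "W95", "wm": "WM", "vbs": "VBS",
             "js": "JS", "trojan": "Trojan"}
_NAME_RE = re.compile(
    r"^(?:(?P<prefix>" + "|".join(_PREFIXES) + r")\.)?"  # optional type code
    r"(?P<family>[A-Za-z][A-Za-z0-9_]*)"                 # family, e.g. Maldal
    r"(?:\.(?P<variant>[A-Za-z]{1,2}))?"                 # variant, e.g. C
    r"(?P<suffix>@mm?)?$",                               # @m e-mail, @mm mass-mailer
    re.IGNORECASE,
)
# Alias table constructed from the names the column lists for the Maldal family;
# a variant letter is recorded only where the column ties the alias to one.
_ALIASES: Dict[str, Tuple[str, Optional[str]]] = {
    "hallad": ("Maldal", None), "keyluc": ("Maldal", None),
    "reeezak": ("Maldal", "C"), "zacker": ("Maldal", "D"),
}

def parse_name(name: str) -> Dict[str, Optional[str]]:
    """Split a CARO-style name into its parts and normalise their case."""
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a CARO-style name: {name!r}")
    prefix, family = m.group("prefix"), m.group("family")
    return {
        "prefix": _PREFIXES[prefix.lower()] if prefix else None,
        "family": family[0].upper() + family[1:],
        "variant": (m.group("variant") or "").upper() or None,
        "suffix": (m.group("suffix") or "").lower() or None,
    }

def resolve(name: str) -> Dict[str, Optional[str]]:
    """parse_name(), then map a vendor/popular alias back to its family."""
    p = parse_name(name)
    family, variant = _ALIASES.get(p["family"].lower(), (p["family"], p["variant"]))
    # An alias pinned to a variant (Reeezak -> Maldal.C) wins over the letter the
    # vendor attached to the alias itself (Reeezak.A).
    return {**p, "family": family, "variant": variant or p["variant"]}

def canonical_name(name: str) -> str:
    """Rebuild the resolved name in the form W32.Family.V@mm."""
    r = resolve(name)
    head = ".".join(x for x in (r["prefix"], r["family"]) if x)
    return head + (f".{r['variant']}" if r["variant"] else "") + (r["suffix"] or "")

def same_family(a: str, b: str) -> bool:
    """True when two names, after alias resolution, refer to the same family."""
    return resolve(a)["family"].lower() == resolve(b)["family"].lower()
```

Feeding the column's own examples through it, w32.Reeezak.A@mm comes back as W32.Maldal.C@mm and a bare Zacker as Maldal.D.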

NEEDLESS TO SAY, versions A and B of the Maldal worm did not produce spectacular results. They were large, about 80KB each, and contained bugs. Had it worked, the original version would have created countless bogus files named Sharoon (sic), Bush, and BinLaden, which would have shut down an infected computer. The second variation would have attempted to remove your antivirus software. Apparently learning from his or her mistakes, the virus author retooled and re-released Maldal version C just in time for the holidays.

Reeezak, as Maldal.C was first known, appeared to be unrelated to any previous virus, thus the initial designation: w32.Reeezak.A@mm. Within a few hours, however, further research showed that it was a solid variation of the Maldal family: It attempted to fill infected computers' hard drives with politically themed bogus files and delete the system's antivirus software. Version C was slimmer than A or B (only 36KB) and invoked clever social engineering--it arrived as a holiday-themed e-mail. This version spread.

Maldal.C also redirected an infected computer's Internet Explorer browser to a Web page infected with a VBS script. Once loaded on a computer, the VBS script sent out a second round of e-mails, which were also politically themed. Whoever wanted Maldal to succeed apparently wanted their political opinions to spread as well.

AROUND THE START of the new year, yet another Maldal variation appeared. Popularly known as Zacker, Maldal.D is smaller still than A, B, or C (27KB); it fills the hard drive of an infected computer with bogus files, deletes the system's antivirus software, redirects Internet Explorer browsers to a VBS script-infected page, and deletes files with various extensions. Gone, however, were the political messages--this version is meant to harm computers only, and may have been created by someone other than the author of the previous versions. Subsequent variations (E, F, G, and H) appear to be very minor variations of Maldal.D.

Though it sometimes gets confusing, I endorse the use of the popular names in headlines--for example, calling Maldal.C Reeezak--because it's easier to remember. I'd rather you hear a catchy name and finally get interested in using antivirus software than think a new virus is just a variation of an older one--and that you don't have to worry about it. After all, you can always turn to AnchorDesk and other ZDNet publications to get the scoop on the details later.

Are you protecting your PC against all the viruses out there? If not, why not? TalkBack to me.
