+==================================================+
| Independent Virus Naming Convention 2002         |
| written by Nikolaus Rameis (spam@niksoft.at)     |
| draft v0.6a                                      |
+==================================================+

INTRO:
======

"Malware Naming Convention" would have been a better name, because it includes
several extensions that are not directly related to viruses, but the term
"virus" is often (mis)used as the umbrella term (malware is the correct term,
so maybe I'll change the name later).

This paper is a suggestion for a new (and hopefully better) virus naming
convention. Many parts build upon the NVNC91 and VNC99b2.

// This paper does not deal with the family name of malware,
// but maybe in future versions.

As noted, this paper is only a draft at the moment.
...and currently it's quite a mess. !COMMENTS AND IMPROVEMENTS EXPECTED!

// lines like this one are comments: not properly worked out yet, or possibly
// not necessary.
// Since I'm not a very precise writer, this paper will have many grammar
// or spelling mistakes. So plz, don't take it seriously! ...and send me the
// correction(s) :)

SYNTAX:
=======

PLATFORM.TYPE.SUBTYPE/family_name/COMPONENT

THE MAIN RULE: "take the first that fits"

Always take the first PLATFORM, TYPE, SUBTYPE, COMPONENT, etc. that fits (or,
in fewer cases, that fits the main function of 'the' program!) - all
categories are sorted.
(eg: Klez.h is a worm (spreads via network (mail)) and drops Elkern.c as
payload, so it's a worm, but not a dropper or virus.)
// should I move this to the 'family name' chapter?

Always use the long name. Don't use abbreviations, to avoid multiple similar
names.
eg: Bd.Sub7, Bkdr.Sub7, Backdr.SubSeven, Backdoor.SubSeven, ...

Write numbers out as words if they are part of a name.
eg: use "Seven" and not "7".
// ...the last line is meant for family names

/* Don't use any words that describe PLATFORM, TYPE, SUBTYPE or COMPONENT
   for a virus name. */

// Kaspersky uses some kind of "reverse" naming, eg:
// Constructor.BAT.BVGen, Constructor.DOS.EasyTroj, Trojan.Win16.TaskKiller
// I don't like it very much.
// "TrojanDropper.Boot.InstallDisk.a" - what's part of the type and what's
// the name?

For a malware collection I suggest creating these directories:

  TYPE/PLATFORM/SUBTYPE/family_name/variant...

(if there is no SUBTYPE use "none"). This makes it easy if you want to scan
only for viruses or only for trojans.

PLATFORM:
=========

Describes the (minimum required) OS or "runtime environment" for a malware
to run.

group 1: operating system

  Boot  (MBR, (partition) boot sector, floppy boot record) - no OS, but it
        fits best here. The TYPE of Boot can only be "virus".
        // what's up with boot virus droppers?
  DOS   (all DOS malware: *.exe, *.com, *.ovl, ...)
  W16   (NE, maybe better than 'W3x' - avoids any confusion)
  // all "32bit" m$ OSes (but we all know not all are fully 32bit)
  W95   (PE, 9x-based)   // ranking due to historical reasons...
  WNT   (NT-based - NT 4.0)
  // W98 (9x-based) - maybe not necessary
  // WME (9x-based)
  W2k   (NT-based)
  WXP   (NT-based)
  W32   (PE, if it is able to infect/run? under all 9x AND NT-based Windows
        versions)
  // any malware that runs on 9x-based systems and not under NT will
  // have the PLATFORM W95!
  // any malware that runs on NT-based systems and not under 9x will
  // have the PLATFORM WNT!
  // I guess many vendors won't care about this :(
  // does Bridex count as W95? cause it crashes on NT (due to fewer access
  // privileges, afair)
  ELF   (usually Linux x86 ELF) - contradiction: ELF is a file format and not
        an "OS or runtime environment"
  // they all use ELF afaik, don't know if it will be necessary
  // to split ELF up into LIN, BSD, UNX and others - btw, does BSD use a
  // different format?
  // LIN
  // BSD
  // UNX/UNIX - personally I prefer "Three Letter Acronyms" :), but we want
  //            to stick to "always use the long name" and thus I recommend
  //            the use of "UNIX".
  // if it runs on all main variants it's ELF, otherwise it will be BSD,
  // UNX or LIN (are there any other unix-like variants?)
  // what about kernel and glibc version number and related "stuff"? also
  // important to know if you "want" (or unwanted :) to run a malware
  MAC#  (version number needed?)
  MACX  (MacOS X - 10.x)
  NLM   (Novell)
  OS2
  PALM

group 2: pseudo op-code (has some kind of compiled code, but needs a VM)
  // - does not include Visual Basic stuff. VB programs have an NE or PE
  //   header!

  JAVA
  NET   (for ".NET"'s IML, the leading dot is idiotic)
        // ...m$ caught another common word, like "windows"
  SWF   (the first SWF virus uses a debug script to spread, but as long as it
        needs the Flash player as "OS" to be launched I consider it group 2.)

group 3: script (needs an interpreter to run; source is usually readable)

  BAT   (DOS batches)
  // BATw/BW ("DOS" batches that make use of functions that are only
  // available under Windows?) - anyone have a better name?
  CMD   (batches designed to run under CMD of NT/2K/XP, usual file extension
        *.cmd)
        // do we need to differ between NT, 2K, XP?
  JS    (JavaScript)
  VBS   (Visual Basic Script)
  BASH  (Linux & co)
  PERL

group 4: macro (script language of an application (eg: Word, Excel, ...))

  W#M   (Word) *
  X#M   (Excel) *
  X#F   (Excel formula) *
  A#M   (Access) *
  P#M   (PowerPoint) *
  // O#M (Office) * ... shall we call it VBA?
  AMI#  // I don't know of any version(s), plz correct me - isn't that part
        // of Lotus?
  MIRC
  LOTUS // same case as AMI#

  * you must substitute "#" with the minimum required app version: 2, 6, 97,
    ... (2K and XP should not be used, because there are only minor
    differences, but use them if necessary). Leave "#" empty if it runs under
    all versions (I don't know of any).

group 5: anything else

  // HLP  - don't know if it could be considered as op-code or macro
  // CHM  "compiled HLP" or similar. can someone enlighten me?
  // HTML eg: for the IFRAME exploit - imho it's an exploit of IE and so
  //      W32-platform specific!
  // imo HTML can not be considered as script or platform
  //
  // eg: HTML.Exploit/IFRAME, W32.Exploit/IFRAME
  // or HTML.Malware.Exploit/IFRAME   pro: HTML "runs" on IE, ergo it's script
  // or W32.Malware.Exploit/IFRAME    pro: it does run only under IE, which
  //                                  runs under W32
  //

"There is possibly no end of this platform list. New platforms should be
introduced as necessary. A new platform name should not exceed 5 letters and
should always be kept uppercase" (taken from VNC99b2.txt)

// what's up with WINUX (written by 'Benny/29A') or other multipartite
// viruses?
// ELF+W32, BOOT+DOS?
// or make up a new PLATFORM? ELFPE, BDOS?
// or upper/lower-case notation: ElfW32, BootDos, W97mX97m (which will save
// us one "+" character -uuhh!! :) ...same problem as mentioned in vnc99
//
// the last seems to be the best:
// it reports clearly all platforms that the malware runs on.
// negative aspect: it will enlarge the name.
// I simply suggest to note them in alphabetical order!

TYPE (and SUBTYPE):
===================

// personally I tend to cancel SUBTYPE and substitute it with a family name
// eg: W32.Malware/EXPLOIT.iframe (always use upper case for this kind)

note: it is not necessary to specify a SUBTYPE, but if it fits the description,
include it in the name.

Test
  for testing purposes only - so usually only the EICAR test pattern
  eg: DOS.Test/EICAR-TEST-FILE
  // I have a simple dummy program that displays a message box "hi i'm a
  // dummy". I used it to verify that my crap scanner is able to terminate a
  // malware. It's reported as W32.Test/Condors-Test-Dummy.
  suggested report style: "XY identified as EICAR test pattern"

FalsePos
  if a scanner wants to report false positives. a not very important TYPE.
  // afair, the Ikarus scanner is able to show "negative signatures"
  eg: W32.FalsePos/Whatever

Joke
  a program that does nothing harmful apart from shocking the user. also
  includes programs that demonstrate the sound or visual effects of a malware.
  eg: DOS.Joke/Bugjoke, W16.Joke/Bonus
  // need to change definition! -> see my current thread with kurt wismer

Virus
  anything that replicates from file to file (exception: this includes BOOT)
  // this category is the default, so you don't have to report it as
  // "PLATFORM.Virus/XY"; "PLATFORM/XY" is enough. this will avoid a mass
  // renaming of existing names (most are too lazy to do it :), but I'd prefer
  // to use it. I think it would be a good idea to introduce this TYPE.
  eg: W95.Virus/CIH, DOS.Virus/Vienna
  // need to change definition! -> see my current thread with kurt wismer

Worm
  a program which usually does not replicate on the same computer but spreads
  over networks. worms are allowed to replace certain files (eg: WSOCK, like
  Happy99 did), which doesn't classify them as "overwriting viruses".
  eg: W32.Worm/Tanatos/mm, W32.Worm/Badtrans.a/mm

Dropper
  not a virus, but a program which drops a malware (usually a virus). includes
  so-called 'germs' and 'injectors' (to simplify it)
  eg: DOS.Dropper.Boot/Parity.b
  // includes joiners/joined apps:
  // eg: a Sub7 server was joined with notepad.exe
  // if the scanner detects the joiner, it's a dropper
  // if the scanner is able to unpack the joiner, it will report the
  // malware in it - in this example it would be the Sub7 server.
  // -> or maybe put into the "Trojan" section? because usually those progs
  // present themselves as "Speed up Your internet!!" or similar crap.
  // BTW: constructors and droppers!
  // what kind of TYPE should be used for them: the PLATFORM that the
  // constructor/dropper runs on, or the one the created malware runs on?
  // dropper: PLATFORM the dropper runs on, but where do we mention the
  // dropped stuff? same applies to constructors
  // questionable if necessary at all - personally I tend to cancel the
  // subtypes

  SUBTYPES for Dropper (to specify what is dropped):
    Boot      - drops a boot virus
    Virus
    Worm
    Joke      - the following are not very likely
    Backdoor
    Trojan
    Intended
    Malware
    Test
    FalsePos
  // -- or shall we specify "where" it's been dropped - what is the target:
  //   Boot
  //   File
  //   Script
  //   Macro
  //   Malware   // hm ... *gummel* no real target
  //   Joke

Backdoor
  a program that opens a backdoor (usually listens on a port and waits for its
  "master"); includes the client part of backdoors.
  eg: W32.Backdoor/SubSeven.v21/srv

Trojan
  presents itself as something harmless and/or has a (possibly hidden) harmful
  routine. eg: password stealers or batches that execute a
  "format c: /u /autotest"
  eg: DOS.Trojan/AIDS

Intended
  a program which is intended to be a virus but does not replicate for some
  reason (or in general anything that misses its (mostly bad) intention :)
  // includes other crap eg: from vx-sites
  // family_name suggestion: VX-CRAP or VX-GARBAGE
  // (I recommend upper case here, to indicate that it's a widely used name)
  eg: DOS.Intended/Jerusalem, DOS.Intended/Weirdo
  // better (from the researcher's point of view) would be like F-Prot does:
  // "XY is a corrupted or intended TYPE"
  // from the view of a collector the exact name would be better :)
  // "no-virus" may be a better description. many collectors don't know what
  // "intended" means.

Malware
  simply the rest. a not closer specified malicious program, or a malware that
  doesn't fit any other category. eg: construction kits, flooders, (D)DoS, ...
  // maybe more subtypes will be added, questionable if they are
  // necessary at all!
  eg: W32.Malware/Whatever

  SUBTYPES for Malware:
    Exploit
      a malware that uses/exploits a bug to run, crash, intrude (or whatever)
      a system.
      eg: W32.Malware.Exploit/Iframe
    Constructor
      a program that is designed to create other malware
      eg: any part of IVP
      // EXCEPTION: the PLATFORM of a Constructor will be the PLATFORM of the
      // created malware! // good choice?
      eg: DOS.Malware.Constructor/NRLG, VBS.Malware.Constructor/SSIGW.v10
    // DoS      used for a (D)DoS attack
    // Flooder  used to flood anything (mailbombing, syn-flood, ...)

// ===================== CRAP START ==========================
// do we need this? the more I think about it, the more I think it can be
// cancelled

SUBTYPE:
========

not every TYPE can have every SUBTYPE. (eg: a dropper can't drop itself. this
would rather be a worm or virus :)

eg:
  gen  - generic: indicates that a special algorithm was used to detect this
         family.
         // if - due to generic detection - it's not possible to disinfect, I
         // suggest a report like this:
         // "Unable to disinfect. Plz mail us a sample of this variant!"
  heur - heuristic: indicates that some kind of heuristic or neural technique
         was used to detect it. - designed to detect unknown viruses.
         // I suggest to report the "heur" detected stuff in this way:
         // "could be a new TYPE, plz mail us a sample!"
  // HLL - high level language (not widely used anymore - most worms are
  // written in C/C++, but afaik no vendor uses HLL in its name. ...and imho
  // it doesn't matter that malware XY was written in a HLL - it says nothing
  // about the dangerousness or maliciousness of the malware. on the other
  // hand it helps categorising the stuff (recent examples: Bugbear (C++),
  // Bridex (VB6))

  // the following are imho not important, but maybe some vendors like to use
  // them.
  s - substitutes files   eg: Happy99 substitutes wsock, but keeps a backup
  o - overwriting virus   eg: Trivial family
  a - appends             - afair: eg Vienna
  p - prepends            - maybe not important to distinguish between
                            appending and prepending
  c - cave infector       eg: CIH

  Subtypes for DROPPERS
    Boot
    Virus
    Script
    Malware
// ===================== CRAP END ==========================

FAMILY NAME:   // VERY UNFINISHED! messy
============

this will be very hard stuff. :-/

who should rule how to name a virus?
my suggestion is an Independent Naming Organisation (maybe CARO, AVIEN, REVS,
[insert list of all anti-virus organisations :] ... or the VGrep team, 'cause
they have a big sample database, but I don't think they have the time for that
huge work)

the researcher that has found a new virus has to submit it to the INO and
argue why this virus should be named as he suggested (eg: text string in the
virus body, payload, ...whatever) (I would stick to the "right of the first").
the other members have one month to disagree (they also have to argue) -
otherwise the name will become the standard and all others have to take this
name.
// maybe a very unrealistic point of view :)
// ... will cause a lot of mail traffic *g*

// how to find a new name:
I'd prefer - against any norms - to use the name suggested by the virus
author. this will avoid many naming conflicts (eg: Tanatos & BugBear).
if it's a trojan/worm etc... take the filename if it doesn't change.
if the author didn't name it, take the first readable characteristic string
from the malware's body (do not use names of APIs or similar common things).
the ideal name for a malware is one that is still unique when you strip off
PLATFORM, TYPE, COMPONENT, ... (so the plain family name :).
I recommend not to use names whose sound or spelling is similar to an existing
name (to avoid further confusion).
use the author's name as main family name and the malware name as variant
(the same applies to stuff created with a kit (which is already common) - so
take the kit's name as family name; etc...)
BUT the recommendations and musts of vnc99 must stay valid. so don't take
names of normal OS components, famous people, etc...
if it's only a variant of an already known malware, the name will be
FAMILYNAME.NewName etc, ...

/* --- note
use upper case for any more "generic" family names:
  VX-GARBAGE   // Kaspersky uses this
  CONSTRUCTOR
  EXPLOIT
eg: W32.Malware/EXPLOIT.iframe
    DOS.Intended/VX-GARBAGE
--- */

I consider family_name - referring to the NVNC91 - as the following:
  "Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]"
the family_name may require a second paper.
the ideal family_name should be unique, even without PLATFORM.TYPE.SUBTYPE

allowed characters:
  A-Z, 0-9                     in PLATFORMs
  a-z                          in names
  a-z (only one or two), 0-9   in variant or version number
  use "_" instead of a blank
  // personally I'd prefer "FamilyName" instead of "Family_Name" or
  // "family_name"
  use "." to separate the name and variant (or TYPE and SUBTYPE)
  use "/" to separate general stuff, eg. TYPE from family_name
  not recommended, but allowed: #, !, @, &, -, *, +, (, ), =, :
  // I don't recommend using the file size as variant identifier.
  // sometimes it's useful, but sometimes it complicates finding information
  // on a malware
  use "v" if it's a version number, eg: SubSeven.v21, SubSeven.v20

COMPONENT:   // QUITE FINISHED
==========

the COMPONENT can be left empty, but it is recommended to use it to give a
more detailed description. one is allowed to report more than one, but it is
not recommended. multiple components should be separated by "." (in
alphabetical order)

possible types:

considered for viruses and worms that spread via mail:
  mm              mass mailer, eg: Loveletter
  m               mailer, spreads via e-mail
  irc             spreads via IRC (I guess mostly mIRC)
  kaza            spreads via the Kazaa p2p network

considered for backdoors, trojans and other malware (maybe also worms, eg:
Bugbear):
  cli, client     the client part - considered for backdoors
  srv, server     the server part - considered for backdoors
  key, keylogger  keylogger, eg: the keylogger DLL of Bugbear, or says that it
                  has a keylogger in it.
  pws, pwstealer  PW stealer - it's able to steal passwords. I don't recommend
                  using "pws" if "key" fits, to avoid confusion.
  dll             a "harmless" DLL file, but part of some kind of malware
                  // dll: I don't think that any vendor will take the effort
                  // for "multiple" names...
                  // eg: "W32.Worm/Tanatos/mm" (for the file
                  //      %system%\####.exe)
                  //     "W32.Worm/Tanatos/mm.dll" (for the file
                  //      %system%\######.dll)

maybe also 'engines' like MtE, TPE, ...

/* -- note: -----
PREFIXes are PLATFORM, TYPE, SUBTYPE
INFIXes are not allowed (imo such things are silly within a virus/family name)
SUFFIX is/are COMPONENT
-- */

Recommended report style:
=========================

// should be either extended or cancelled (also the stuff inserted sometimes
// in blocks above) in future versions. I tend to cancel it.

  c:\file.exe identified as W95.Backdoor/SubSeven.v21/Client [UPXed]
  c:\file.exe could be W95.Backdoor/SubSeven.v21/Client [UPXed]
  c:\file.exe found W95.Backdoor/SubSeven.v21/Client [UPXed]

and NOT in a crappy way (like eg Norton does):

  c:\file.exe is infected with the "W95.Backdoor/SubSeven.21" virus!
  c:\file.exe is infected with the "Bloodhound.Backdoor.File" virus!

generic and heuristic detection:

  c:\file.exe could be a variant of XY, plz mail us
  c:\file.exe could be a new TYPE, plz mail us

more information will only help virus writers to improve their code, and we
don't like this, do we? (eg: old ThunderByte AV showed the heuristic flags)

Definitions:
============

Links & Sources:
================

http://members.chello.at/erikajo/vnc99b2.txt
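As a closing worked example (added here; it is not part of the draft), the following Python sketch parses a name in the PLATFORM.TYPE.SUBTYPE/family_name/COMPONENT syntax described above, applies the "Virus is the default TYPE" rule and the SUBTYPE restrictions, derives the suggested collection directory TYPE/PLATFORM/SUBTYPE/family_name/variant, and re-emits the canonical spelling with the TYPE written out and components in alphabetical order. The class and function names are my own assumptions; the vocabulary is the draft's.

```python
# Added example (not part of the draft): parser and validator for the proposed
# PLATFORM.TYPE.SUBTYPE/family_name/COMPONENT syntax; all names below are my own.
import re
from typing import NamedTuple
TYPES = ("Test", "FalsePos", "Joke", "Virus", "Worm", "Dropper", "Backdoor", "Trojan", "Intended", "Malware")
SUBTYPES = {"Dropper": {"Boot", "Virus", "Worm", "Joke", "Backdoor", "Trojan",
                        "Intended", "Malware", "Test", "FalsePos"},
            "Malware": {"Exploit", "Constructor"}}   # other TYPEs take no SUBTYPE
COMPONENTS = {"mm", "m", "irc", "kaza", "cli", "client", "srv", "server", "key", "keylogger", "pws", "pwstealer", "dll"}
PLATFORM_RE = re.compile(r"^[A-Z0-9#]{1,5}$")         # uppercase, max 5 chars (the draft's own "W2k" would not pass)
NAME_RE = re.compile(r"^[A-Za-z0-9_#!@&*+()=:.-]+$")  # characters the draft allows in names

class MalwareName(NamedTuple):
    platform: str
    type: str
    family: str
    variant: str = ""        # e.g. "a" or "v21"; empty if none
    subtype: str = ""        # empty if none
    components: tuple = ()   # e.g. ("mm",)

def _check(ok: bool, msg: str) -> None:
    if not ok:
        raise ValueError(msg)

def parse_name(text: str) -> MalwareName:
    """Parse e.g. 'W32.Worm/Tanatos/mm' or 'DOS/Vienna' (TYPE defaults to Virus)."""
    parts = text.split("/")
    _check(len(parts) in (2, 3), f"expected PREFIX/family_name[/COMPONENT]: {text!r}")
    platform, *rest = parts[0].split(".")
    _check(bool(PLATFORM_RE.match(platform)) and len(rest) <= 2, f"bad prefix {parts[0]!r}")
    mtype = rest[0] if rest else "Virus"              # Virus is the default TYPE
    _check(mtype in TYPES, f"unknown TYPE {mtype!r}")
    subtype = rest[1] if len(rest) == 2 else ""
    _check(not subtype or subtype in SUBTYPES.get(mtype, ()), f"SUBTYPE {subtype!r} not allowed for {mtype}")
    family, _, variant = parts[1].partition(".")      # "." separates name and variant
    _check(bool(family) and bool(NAME_RE.match(parts[1])), f"bad family_name {parts[1]!r}")
    comps = tuple(parts[2].lower().split(".")) if len(parts) == 3 else ()
    _check(all(c in COMPONENTS for c in comps), f"unknown COMPONENT in {comps}")
    return MalwareName(platform, mtype, family, variant, subtype, comps)

def is_valid_name(text: str) -> bool:
    try:
        parse_name(text)
        return True
    except ValueError:
        return False

def collection_path(n: MalwareName) -> str:   # TYPE/PLATFORM/SUBTYPE/family_name/variant
    dirs = [n.type, n.platform, n.subtype or "none", n.family]
    return "/".join(dirs + ([n.variant] if n.variant else []))

def full_name(n: MalwareName) -> str:   # TYPE written out, COMPONENTs in alphabetical order
    prefix = ".".join(x for x in (n.platform, n.type, n.subtype) if x)
    fam = n.family + (f".{n.variant}" if n.variant else "")
    return "/".join([prefix, fam] + ([".".join(sorted(n.components))] if n.components else []))
```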