Malware Naming and Authorship

When a new piece of malware is spreading, the top priority of anti-virus companies is to provide an effective defense, quickly. Coming up with a catchy name for the malware is a secondary concern.

Typically the primary, human-readable name of a piece of malware is decided by the anti-virus researcher who first analyzes the malware. Names are often based on unique characteristics that malware has, either some feature of its code or some effect that it has.

For example, a virus' name may be derived from some distinctive string that is found inside it, like "Your PC is now Stoned!" Virus writers, knowing this, may leave such clues deliberately in the hopes that their creation is given a particular name.

Anti-virus researchers, knowing this, will ignore obvious naming clues so as not to play into the virus writer's hand. There is no central naming authority for malware, and the result is that a piece of malware will often have several different names.

Needless to say, this is confusing for users of anti-virus software, trying to reconcile names heard in alerts and media reports with the names used by their own anti-virus software.

To compound the problem, some sites use anti-virus software from multiple different vendors, each of whom may have different names for the same piece of malware.

Common naming would benefit anti-virus researchers talking to one another too. Unfortunately, there isn't likely to be any central naming authority in the near future, for two reasons.

First, the current speed of malware propagation precludes checking with a central authority in a timely manner. Second, it isn't always clear what would need to be checked, since one distinct piece of malware may manifest itself in a practically infinite number of ways.

Recommendations for malware naming do exist, but in practice are not usually followed, and anti-virus vendors maintain their own separately-named databases of malware that they have detected.

It would, in theory, be possible to manually map malware names between vendors using the information in these databases, but this would be a tedious and error-prone task. A tool called VGrep automates this process of mapping names.

First, a machine is populated with the malware of interest. Then, each anti-virus product examines each file on the machine, and outputs what (if any) malware it detects. VGrep gathers all this anti-virus output and collates it for later searching.

The real technical challenge is not collating the data, but simply getting usable, consistent output from a wide range of anti-virus products. The naming problem and the need for tools like VGrep can be demonstrated using an example. Using VGrep and cross-referencing vendor's virus databases, the partial list of names below for the same worm can be found.

  • Bagle.C
  • Email-worm.Win32.Bagle.c
  • W32/Bagle.c@MM
  • W32.Beagle.C@mm
  • WORM_BAGLE.C
  • Worm.Bagle.A3

These results highlight some of the key identifiers used for naming malware.

  • Malware type. This is the type of the threat which, for this example, is a worm.
  • Platform specifier. The environment in which the malware runs; this worm needs the Windows 32-bit operating system API ("W32" and "Win32"). More generally, the platform specifier could be any execution environment, such as an application's programming language (e.g., "VBS" for "Visual Basic Script"), or may even need to specify a combination of hardware and software platform.
  • Family name. The family name is the "human-readable" name of the malware that is usually chosen by the anti-virus researcher performing the analysis. This example shows several different, but obviously related, names. The relationship is not always obvious: "Nachi" and "Welchia" are the same worm, for instance.
  • Variant. Not unlike legitimate software, a piece of malware tends to be released multiple times with minor changes. This change is referred to as the malware's variant or, following the biological analogy, the strain of the malware.

Variants are usually assigned letters in increasing order of discovery, so this "C" variant is the third B[e]agle found. Particularly persistent families with many variants will have multiple letters, as "Z" gives way to "AA." Unfortunately, this is not unusual - some malware has dozens of variants.

  • Modifiers. Modifiers supply additional information about the malware, such as its primary means of propagation. For example, "mm" stands for "mass mailing."

The results also highlight the fact that not all vendors supply all these identifiers for every piece of malware, that there is no common agreement on the specific identifiers used, and that there is no common syntax used for names.

Besides VGrep, there are online services where a suspect file can be uploaded and examined by multiple anti-virus products. Output from a service like this also illustrates the variety in malware naming.

  • Worm/Mydoom.BC
  • Win32:Mytob-D
  • I-Worm/Mydoom
  • Win32.Worm.Mytob.C
  • Worm.Mytob.C
  • Win32.HLLM.MyDoom.22
  • W32/Mytob.D@mm
  • W32/Mytob.C-mm
  • Net-Worm.Win32.Mytob.c
  • Win32/Mytob.D
  • Mytob.D
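The two name lists above (Bagle and Mytob) make a convenient test set for the identifiers just described. The following Python script is an added illustration, not code from the book and not VGrep itself: it pulls the type, platform, family, variant and modifier out of each vendor string, folds obviously related family names together, and collates the results by family the way a name-mapping tool would. The token vocabularies and the alias table are constructed from the names on this page only; a real tool would need far larger tables, and the Mydoom/Mytob alias is assumed here solely because the page presents both lists as output for a single file.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Vocabularies constructed from the two name lists in the text (assumption:
# real vendor tables are much larger).
TYPE_TOKENS = {"worm", "email-worm", "i-worm", "net-worm", "hllm", "virus", "trojan"}
PLATFORM_TOKENS = {"w32", "win32", "vbs"}
# Family aliases: Bagle/Beagle and Nachi/Welchia are named in the text; the
# Mydoom/Mytob pair is assumed from the second list being one file's output.
FAMILY_ALIASES = {"beagle": "bagle", "nachi": "welchia", "mydoom": "mytob"}

MODIFIER_RE = re.compile(r"[@-](mm)$", re.IGNORECASE)      # "@mm", "@MM", "-mm"
VARIANT_RE = re.compile(r"^(?:[a-z]{1,3}|[a-z]?\d+)$", re.IGNORECASE)  # C, BC, A3, 22
SEP_RE = re.compile(r"[./:_]")                               # vendor-specific separators

# Sample input copied from the two lists on the page.
BAGLE_NAMES = ["Bagle.C", "Email-worm.Win32.Bagle.c", "W32/Bagle.c@MM",
               "W32.Beagle.C@mm", "WORM_BAGLE.C", "Worm.Bagle.A3"]
MYTOB_NAMES = ["Worm/Mydoom.BC", "Win32:Mytob-D", "I-Worm/Mydoom",
               "Win32.Worm.Mytob.C", "Worm.Mytob.C", "Win32.HLLM.MyDoom.22",
               "W32/Mytob.D@mm", "W32/Mytob.C-mm", "Net-Worm.Win32.Mytob.c",
               "Win32/Mytob.D", "Mytob.D"]


@dataclass
class MalwareName:
    raw: str
    kind: Optional[str]       # malware type, e.g. "worm"
    platform: Optional[str]   # e.g. "win32"
    family: Optional[str]     # normalised, lower-case family name
    variant: Optional[str]    # upper-cased variant, e.g. "C"
    modifier: Optional[str]   # e.g. "mm" for mass mailing


def parse_name(raw: str) -> MalwareName:
    """Split one vendor name into the identifiers discussed in the text."""
    name = raw.strip()
    modifier = None
    m = MODIFIER_RE.search(name)
    if m:                                  # strip a trailing propagation modifier
        modifier = m.group(1).lower()
        name = name[: m.start()]
    tokens: List[str] = []
    for tok in SEP_RE.split(name):
        if not tok:
            continue
        # Hyphenated type names ("Email-worm") stay whole; any other hyphen
        # separates family from variant, as in "Mytob-D".
        if "-" in tok and tok.lower() not in TYPE_TOKENS:
            tokens.extend(p for p in tok.split("-") if p)
        else:
            tokens.append(tok)
    kind = platform = family = variant = None
    rest: List[str] = []
    for tok in tokens:
        low = tok.lower()
        if low in TYPE_TOKENS and kind is None:
            kind = low
        elif low in PLATFORM_TOKENS and platform is None:
            platform = low
        else:
            rest.append(tok)
    if rest:                               # first unclassified token is the family
        family = FAMILY_ALIASES.get(rest[0].lower(), rest[0].lower())
    if len(rest) > 1 and VARIANT_RE.match(rest[-1]):
        variant = rest[-1].upper()         # last token, if it looks like a variant
    return MalwareName(raw, kind, platform, family, variant, modifier)


def canonical(n: MalwareName) -> str:
    """Render a parsed name in one fixed syntax so vendors can be compared."""
    s = ".".join([n.kind or "unknown", n.platform or "unknown",
                  n.family or "unknown", n.variant or "-"])
    return s + ("@" + n.modifier if n.modifier else "")


def collate(names: List[str]) -> Dict[str, List[MalwareName]]:
    """Group vendor names by normalised family, as a VGrep-style tool would."""
    groups: Dict[str, List[MalwareName]] = defaultdict(list)
    for raw in names:
        parsed = parse_name(raw)
        groups[parsed.family or "unknown"].append(parsed)
    return dict(groups)


if __name__ == "__main__":
    for family, entries in collate(BAGLE_NAMES + MYTOB_NAMES).items():
        print(family)
        for e in entries:
            print(f"  {e.raw:28} -> {canonical(e)}")
```

Running the script prints every vendor string next to its canonical form, grouped under a single family for each list; the unfilled "unknown" slots make the page's point that vendors omit identifiers and agree on neither vocabulary nor syntax.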

Ultimately, however, the biggest concern is that the malware is detected and eliminated, not what it's called.

Authorship

People whose computers are affected by malware typically have a variety of colorful terms to describe the person who created the malware. There's a distinction to be made between the malware author and the malware distributor.

Writing malware doesn't imply distributing malware, and vice versa, and there have been cases where the two roles are known to have been played by different people. Having said that, the malware author and distributor will be assumed to be the same person, for simplicity. Is a malware author a "hacker?"

Yes and no. The term hacker has been distorted by the media and popular usage to refer to a person who breaks into computers, especially when some kind of malicious intent is involved. Strictly speaking, a person who breaks into computers is a cracker, not a hacker, and there may be a variety of motivations for doing so.

In geek parlance, being called a hacker actually has a positive connotation, and means a person who is skilled at computer programming; hacking has nothing to do with computer intrusion or malware.

Hacking (in the popular sense of the word) also implies a manual component, whereas the study of malware is the study of large-scale, automated forms of attack. Because of this distinction and the general confusion over the term, this book will not use it in relation to malware.