frisk@rhi.hi.is (Fridrik Skulason) (08/16/90)
It seems to me that we may soon be reaching the point where the number of virus-infected machines will start to decline, while the number of new viruses will grow as it has until now, doubling every 10 months or so.

I don't know if everybody agrees with this, but what I was actually going to write about now is another subject - the naming of all the new viruses.

How are virus names selected? This is becoming a problem in the PC world, where over 200 different virus variants are now known. The situation is not quite as bad in the Mac-world, where only 10 (or so) viruses are known, but this is a serious problem for anyone reporting a new virus.

The possible methods include:

I - naming by the virus author. Many viruses contain text strings within the code, which contain messages like "The Blood virus, version 1.02", or the name may be taken from other text strings within the virus:

    Aids, Aids II, Anarkia, Armagedon, Blood, Brain, Datacrime, Datacrime II, Disk Killer, Dyslexia, Fu Manchu, GhostBalls, Halloechen, Kennedy, MIX1, Murphy and Victor

    Alabama, Amoeba, Amstrad, Sylvia, Form, Devil's Dance, Stoned, Sunday, Suriv 1.0, Virus-B, Virus-90, Virus-101 and Shake

II - Naming after location where first found:

    Agiplan, Durban, Icelandic, IDF, Saratoga, Italian, Itavir, Lehigh, New Zealand, Pixel, Pretoria, South African, Suomi, Taiwan, Taiwan-2, Taiwan-3, Vienna

III - name chosen because of some visual or auditory effect:

    8 tunes, Ambulance, Cascade, Flip, Ping-Pong, Jo-Jo, Oropax, Yankee Doodle, Zero Bug, Den Zuk, Frodo

IV - Size of virus:

    405, 800, 5120, 1260, 4096

V - Activation date:

    Friday the 13th, July 13th, December 24th, June 16th, XA1, Advent

VI - Other actions/characteristics of the virus:

    Bulgarian Tiny, Dbase, Do-nothing, Macho, Mistake, Perfume, Slow, Tenbyte, Tiny, Traceback, Typo, Syslock

VII - no obvious/valid reason for name:

    VP, W13, Vcomm

The question is just which method to use - they all have some advantages and disadvantages.
As the same virus may be assigned different names by different people, we get situations like the following:

                Case 1          Case 2
    Method I                    suriv/sumsdos
    Method II   IDF             Jerusalem
    Method III  Frodo           Black Hole
    Method IV   4096            1808/1813
    Method V    (Sept. 22)      Friday the 13th
    Method VI
    Method VII                  PLO

Other problems may arise as well. The Dyslexia virus is an example. It was originally discovered in Solano County in California and reported at first as the "Solano" virus. Later, it was discovered that the virus contained the string "Dyslexia" in encrypted form, so another name for the virus is now "Dyslexia".

The question is of course whether text strings found within the virus should always be used as a "first choice" when naming viruses - Virus authors would probably find it more "fun" to see their creations listed as "The Mystic virus" or "The Blood Virus", than for example "418" or "PSQR".
CSTEHLIK@SCU.BITNET (08/20/90)
I think that a standard naming convention for naming viruses is the best idea that I have heard in a long time. When there were only a few viruses, it was fine to give each a creative name, but now there are over 200 and most have several aliases. Sometimes it's difficult to be sure exactly which virus someone is talking about. Standard names would greatly simplify communication about viruses (like this list) and identifying new viruses.

My personal preference would be naming them by size and then an optional extension to denote variants or special characteristics. An example is 1704-a, or 4096-stealth. However, any systematic method of naming would be great. I think it's an idea which is long overdue.

Chris Stehlik
(no organization talking, just me)
frisk@rhi.hi.is (Fridrik Skulason) (08/25/90)
CSTEHLIK@SCU.BITNET writes:
>When there were only a few viruses, it was fine to give each a creative
>name, but now there are over 200 and most have several aliases.
>
> .....
> My personal preference would be naming them by size and then an
>optional extension to denote variants or special characteristics. An
>example is 1704-a, or 4096-stealth.

My opinion is the exact opposite - Using the file length was OK while we only had a few viruses, but now that we have over 200, it just does not work any more, as many totally unrelated viruses may have the same length.

Just take 1701 and 1704 as an example. We have

    1701 - original version of Cascade, which activated in the fall of '88,
         - the "every year" version.
         - "Jo-Jo", a related, but quite different virus.
         - a 1701 byte variant of the "Phoenix" virus from Bulgaria.

    1704 - The IBM infecting variant of Cascade.
         - The non-IBM infecting variant of Cascade.
         - The Yugoslavian "Y" variant of Cascade.
         - The "multiple infection" variant of Cascade.
         - The disk-formatting variant of Cascade.
         - The Bulgarian Phoenix virus.
         - The Phoenix-D virus.

and possibly a few more which I do not remember right now.

Besides, how is the virus length to be determined - just take a common virus like Jerusalem. Should it be called "1808" (EXE) or "1813" (COM)?

-frisk

--
Fridrik Skulason      University of Iceland  |
Technical Editor of the Virus Bulletin (UK)  |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801  |