frisk@rhi.hi.is (Fridrik Skulason) (08/16/90)
It seems to me that we may soon be reaching the point where the number
of virus-infected machines will start to decline, while the number of
new viruses will grow as it has until now, doubling every 10 months or
so. I don't know if everybody agrees with this, but what I was
actually going to write about now is another subject - the naming of
all the new viruses.
How are virus names selected?
This is becoming a problem in the PC world, where over 200 different
virus variants are now known. The situation is not quite as bad in the
Mac-world, where only 10 (or so) viruses are known, but this is a
serious problem for anyone reporting a new virus.
The possible methods include:
I - naming by the virus author. Many viruses contain text strings
within the code, which contain messages like "The Blood virus, version
1.02", or the name may be taken from other text strings within the
virus:
Aids, Aids II, Anarkia, Armagedon, Blood, Brain, Datacrime, Datacrime
II, Disk Killer, Dyslexia, Fu Manchu, GhostBalls, Halloechen, Kennedy,
MIX1, Murphy and Victor Alabama, Amoeba, Amstrad, Sylvia, Form,
Devil's Dance, Stoned, Sunday, Suriv 1.0, Virus-B, Virus-90, Virus-101
and Shake
II - Naming after location where first found:
Agiplan, Durban, Icelandic, IDF, Saratoga, Italian, Itavir, Lehigh,
New Zealand, Pixel, Pretoria, South African, Suomi, Taiwan, Taiwan-2,
Taiwan-3, Vienna
III - name chosen because of some visual or auditory effect:
8 tunes, Ambulance, Cascade, Flip, Ping-Pong, Jo-Jo, Oropax, Yankee
Doodle, Zero Bug, Den Zuk, Frodo
IV - Size of virus:
405, 800, 5120, 1260, 4096
V - Activation date:
Friday the 13th, July 13th, December 24th, June 16th, XA1, Advent
VI - Other actions/characteristics of the virus:
Bulgarian Tiny, Dbase, Do-nothing, Macho, Mistake, Perfume, Slow,
Tenbyte, Tiny, Traceback, Typo, Syslock
VII - no obvious/valid reason for name.
VP, W13, Vcomm
The question is just which method to use - they all have some
advantages and disadvantages. As the same virus may be assigned
different names by different people, we get situations like the
following:
             Case 1        Case 2
Method I                   suriv/sumsdos
Method II    IDF           Jerusalem
Method III   Frodo         Black Hole
Method IV    4096          1808/1813
Method V     (Sept. 22)    Friday the 13th
Method VI
Method VII                 PLO
Other problems may arise as well. The Dyslexia virus is an example.
It was originally discovered in Solano County in California and
reported at first as the "Solano" virus. Later, it was discovered
that the virus contained the string "Dyslexia" in encrypted form, so
another name for the virus is now "Dyslexia".
The question is of course whether text strings found within the virus
should always be used as a "first choice" when naming viruses - Virus
authors would probably find it more "fun" to see their creations listed
as "The Mystic virus" or "The Blood Virus", than for example "418" or
"PSQR".

CSTEHLIK@SCU.BITNET (08/20/90)
I think that a standard naming convention for naming viruses is the best idea that I have heard in a long time. When there were only a few viruses, it was fine to give each a creative name, but now there are over 200 and most have several aliases. Sometimes it's difficult to be sure exactly which virus someone is talking about. Standard names would greatly simplify communication about viruses (like this list) and identifying new viruses. My personal preference would be naming them by size and then an optional extension to denote variants or special characteristics. An example is 1704-a, or 4096-stealth. However any systematic method of naming would be great. I think it's an idea which is long overdue.

Chris Stehlik (no organization talking, just me)

frisk@rhi.hi.is (Fridrik Skulason) (08/25/90)
CSTEHLIK@SCU.BITNET writes:
>When there were only a few viruses, it was fine to give each a creative
>name, but now there are over 200 and most have several aliases.
>
> .....
> My personal preference would be naming them by size and then an
>optional extension to denote variants or special characteristics. An
>example is 1704-a, or 4096-stealth.

My opinion is the exact opposite - Using the file length was OK while
we only had a few viruses, but now that we have over 200, it just does
not work any more, as many totally unrelated viruses may have the same
length. Just take 1701 and 1704 as an example. We have

1701 - original version of Cascade, which activated in the fall of '88,
     - the "every year" version.
     - "Jo-Jo", a related, but quite different virus.
     - a 1701 byte variant of the "Phoenix" virus from Bulgaria.

1704 - The IBM infecting variant of Cascade.
     - The non-IBM infecting variant of Cascade.
     - The Yugoslavian "Y" variant of Cascade.
     - The "multiple infection" variant of Cascade.
     - The disk-formatting variant of Cascade.
     - The Bulgarian Phoenix virus.
     - The Phoenix-D virus.

and possibly a few more which I do not remember right now.

Besides, how is the virus length to be determined - just take a common
virus like Jerusalem. Should it be called "1808" (EXE) or "1813" (COM)?

-frisk

--
Fridrik Skulason    University of Iceland           |
Technical Editor of the Virus Bulletin (UK)         | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801         |