Appendix C. Naming of Viruses
When Dr.Web components detect a threat, the notification in the user interface and the report file contain the name of the threat sample assigned by the specialists of the Doctor Web anti-virus laboratory. These names are formed according to certain principles and reflect a threat's design, the classes of vulnerable objects, the distribution environment (OS and applications), and some other features. Knowing these principles can help you understand the software and organizational vulnerabilities of the protected system. The full and constantly updated version of this classification is available at https://vms.drweb.com/classification/.

In certain cases this classification is conventional, as some viruses possess several features at the same time. It should also not be considered exhaustive: new types of viruses constantly appear, and the classification is refined accordingly.

The full name of a virus consists of several elements separated by full stops. Some elements at the beginning of the full name (prefixes) and at the end of it (suffixes) are standard for the accepted classification.

Prefixes

Affected operating systems

The prefixes listed below are used for naming viruses infecting executable files of certain operating systems:
•Win—16-bit Windows 3.1 programs
•Win95—32-bit Windows 95/98/Me programs
•WinNT—32-bit Windows NT/2000/XP/Vista/7/8/8.1/10 programs
•Win32—32-bit Windows 95/98/Me and NT/2000/XP/Vista/7/8/8.1/10 programs
•Win64—64-bit Windows XP/Vista/7/8/8.1/10/11 programs
•Win32.NET—programs for the Microsoft .NET Framework
•OS2—OS/2 programs
•Unix—programs for various Unix-based systems
•Linux—Linux programs
•FreeBSD—FreeBSD programs
•SunOS—SunOS (Solaris) programs
•Symbian—Symbian OS (mobile OS) programs

Note that some viruses can infect programs of one system even if they are designed to operate in another system.
Macrovirus prefixes

The prefixes for viruses which infect MS Office objects (the language of the macros infected by this type of virus is specified):
•WM—Word Basic (MS Word 6.0-7.0)
•XM—VBA3 (MS Excel 5.0-7.0)
•W97M—VBA5 (MS Word 8.0), VBA6 (MS Word 9.0)
•X97M—VBA5 (MS Excel 8.0), VBA6 (MS Excel 9.0)
•A97M—databases of MS Access'97/2000
•PP97M—MS PowerPoint presentations
•O97M—VBA5 (MS Office'97), VBA6 (MS Office 2000); this virus infects files of more than one component of MS Office

Development languages

The HLL group is used to name viruses written in high-level programming languages, such as C, C++, Pascal, Basic, and others. To specify the functioning algorithm, the following modifiers can be used:
•HLLW—worms
•HLLM—mail worms
•HLLO—viruses overwriting the code of the victim program
•HLLP—parasitic viruses
•HLLC—companion viruses

The following prefix also refers to the development language:
•Java—viruses designed for the Java virtual machine

Trojan programs (Trojans)

Trojan—a general name for different Trojan programs (Trojans). In many cases the prefixes of this group are used together with the Trojan prefix.
•PWS—password-stealing Trojan
•Backdoor—Trojan with RAT function (Remote Administration Tool—a utility for remote administration)
•IRC—Trojan which uses Internet Relay Chat channels
•DownLoader—Trojan which secretly downloads different malicious programs from the internet
•MulDrop—Trojan which secretly installs different viruses contained in its body
•Proxy—Trojan which allows a third-party user to work anonymously on the internet via the infected computer
•StartPage (synonym: Seeker)—Trojan which makes an unauthorized replacement of the browser home page address (start page)
•Click—Trojan which redirects a user's browser to a certain website (or websites)
•KeyLogger—a spyware Trojan which logs keystrokes; it may send the collected data to an attacker
•AVKill—terminates or deletes anti-virus programs, firewalls, etc.
•KillFiles, KillDisk, DiskEraser—deletes certain files (all files on drives, files in certain directories, files matching a certain mask, etc.)
•DelWin—deletes files vital for the operation of the Windows OS
•FormatC—formats drive C (synonym: FormatAll—formats all drives)
•KillMBR—corrupts or deletes the master boot record (MBR)
•KillCMOS—corrupts or deletes CMOS memory

Tool for attacking vulnerabilities

•Exploit—a tool exploiting known vulnerabilities of an OS or application to implant malicious code or perform unauthorized actions

Tools for network attacks

•Nuke—tools for network attacks on known vulnerabilities of operating systems, leading to abnormal shutdowns of the attacked system
•DDoS—agent program for performing a DDoS attack (Distributed Denial of Service)
•FDoS (synonym: Flooder)—Flooder Denial of Service: programs for performing malicious actions on the internet which use the idea of DDoS attacks. Unlike DDoS, where several agents on different computers attack one victim system simultaneously, an FDoS program operates as an independent, self-sufficient program.

Script viruses

Prefixes of viruses written in different script languages:
•VBS—Visual Basic Script
•JS—JavaScript
•Wscript—Visual Basic Script and/or JavaScript
•Perl—Perl
•PHP—PHP
•BAT—MS-DOS command interpreter

Malicious programs

Prefixes of malicious programs that are not viruses:
•Adware—an advertising program
•Dialer—a dialer program (redirecting modem calls to predefined paid numbers or paid resources)
•Joke—a joke program
•Program—a potentially dangerous program (riskware)
•Tool—a program used for hacking (hacktool)

Miscellaneous

Generic—this prefix is used after another prefix describing the environment or the development method to name a typical representative of this type of virus. Such a virus does not possess any characteristic features (such as text strings, special effects, etc.) which could be used to assign it a specific name.
Silly—this prefix was used with different modifiers to name simple featureless viruses in the past.

Suffixes

Suffixes are used to name some specific virus objects:
•generator—an object which is not a virus but a virus generator.
•based—a virus which is developed with the help of the specified generator, or a modified virus. In both cases names of this type are generic and can cover hundreds and sometimes even thousands of viruses.
•dropper—an object which is not a virus but an installer of the given virus.
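As an added example (not Doctor Web's code), the following Python decomposes a Dr.Web threat name into the prefixes, family name and suffix described in this appendix and derives a coarse triage priority from the prefixes, which is useful when enriching detection events in a log pipeline. The prefix tables are transcribed from the appendix; the sample names used to exercise it are constructed, not real detections.

```python
# Added example, not Doctor Web's code: split a Dr.Web threat name into the
# prefixes, family and suffix this appendix describes. Prefix tables are
# transcribed from the appendix; sample names are constructed, not real.
PREFIXES = {"Trojan": "trojan", "Win32.NET": "platform"}
for group, names in {
    "platform": "Win Win95 WinNT Win32 Win64 OS2 Unix Linux FreeBSD SunOS Symbian",
    "macro": "WM XM W97M X97M A97M PP97M O97M",
    "language": "HLLW HLLM HLLO HLLP HLLC Java",
    "trojan": "PWS Backdoor IRC DownLoader MulDrop Proxy StartPage Seeker Click "
              "KeyLogger AVKill KillFiles KillDisk DiskEraser DelWin FormatC "
              "FormatAll KillMBR KillCMOS",
    "attack-tool": "Exploit Nuke DDoS FDoS Flooder",
    "script": "VBS JS Wscript Perl PHP BAT",
    "non-virus": "Adware Dialer Joke Program Tool",
}.items():
    for n in names.split():
        PREFIXES[n] = group
SUFFIXES = {"generator", "based", "dropper"}
FEATURELESS = {"Generic", "Silly"}
# Prefixes the appendix describes as destroying data or disabling protection.
DESTRUCTIVE = {"AVKill", "KillFiles", "KillDisk", "DiskEraser", "DelWin",
               "FormatC", "FormatAll", "KillMBR", "KillCMOS"}

def parse_drweb_name(name):
    """Return a dict with the elements of a Dr.Web threat name."""
    parts = name.split(".")
    if parts[:2] == ["Win32", "NET"]:  # the one prefix that contains a full stop
        parts[:2] = ["Win32.NET"]
    suffix = parts.pop() if len(parts) > 1 and parts[-1] in SUFFIXES else None
    prefixes, family, tail, featureless = [], None, [], False
    for tok in parts:
        if family is None and tok in PREFIXES:
            prefixes.append((tok, PREFIXES[tok]))
        elif family is None and tok in FEATURELESS:
            featureless = True          # Generic/Silly: no distinguishing name
        elif family is None:
            family = tok
        else:
            tail.append(tok)            # anything after the family, kept verbatim
    return {"name": name, "prefixes": prefixes, "family": family,
            "tail": ".".join(tail) or None, "suffix": suffix,
            "featureless": featureless}

def triage_priority(parsed):
    """Coarse priority from the prefixes: destructive or attack tools first."""
    if any(p in DESTRUCTIVE or g == "attack-tool" for p, g in parsed["prefixes"]):
        return "high"
    if any(g == "trojan" for _, g in parsed["prefixes"]):
        return "medium"
    return "low"
```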