Appendix C. Naming of Viruses

When Dr.Web components detect a threat, the notification in the user interface and the report file contain the name of the threat sample given by the specialists of the Doctor Web anti-virus laboratory. These names are formed according to certain principles and reflect the threat's design, the classes of vulnerable objects, the distribution environment (OS and applications), and some other features. Knowing these principles may be useful for understanding software and organizational vulnerabilities of the protected system. The full and constantly updated version of this classification is available at https://vms.drweb.com/classification/.

In certain cases this classification is conventional, as some threats can possess several features at the same time. Besides, it should not be considered exhaustive, as new types of threats constantly appear and the classification is refined accordingly.

The full name of a threat consists of several elements separated by full stops. Some elements at the beginning of the full name (prefixes) and at the end of it (suffixes) are standard for the accepted classification.

Prefixes

Affected operating systems

The prefixes listed below are used for naming malicious programs infecting executable files of certain operating systems:

• Win—16-bit Windows 3.1 programs
• Win95—32-bit Windows 95/98/Me programs
• WinNT—32-bit Windows NT/2000/XP/Vista/7/8/8.1/10 programs
• Win32—32-bit Windows 95/98/Me and NT/2000/XP/Vista/7/8/8.1/10 programs
• Win64—64-bit Windows XP/Vista/7/8/8.1/10/11 programs
• Win32.NET—programs for the Microsoft .NET Framework
• OS2—OS/2 programs
• Unix—programs for various Unix-based systems
• Linux—Linux programs
• FreeBSD—FreeBSD programs
• SunOS—SunOS (Solaris) programs
• Symbian—Symbian OS (mobile OS) programs

Note that some malicious programs can infect programs of one system even if they are designed to operate in another system.

Macrovirus prefixes

The list of prefixes for viruses which infect MS Office objects (the language of the macros infected by this type of virus is specified):

• WM—Word Basic (MS Word 6.0-7.0)
• XM—VBA3 (MS Excel 5.0-7.0)
• W97M—VBA5 (MS Word 8.0), VBA6 (MS Word 9.0)
• X97M—VBA5 (MS Excel 8.0), VBA6 (MS Excel 9.0)
• A97M—databases of MS Access'97/2000
• PP97M—MS PowerPoint presentations
• O97M—VBA5 (MS Office'97), VBA6 (MS Office 2000); this virus infects files of more than one component of MS Office

Development languages

The HLL group is used to name threats written in high-level programming languages, such as C, C++, Pascal, Basic, and others. To specify the functioning algorithm, the following modifiers can be used:

• HLLW—worms
• HLLM—mail worms
• HLLO—malicious programs overwriting the code of the victim program
• HLLP—parasitic viruses
• HLLC—companion viruses

The following prefix also refers to the development language:

• Java—threats designed for the Java virtual machine

Trojan programs (Trojans)

Trojan—a general name for different Trojan programs (Trojans). In many cases the prefixes of this group are used together with the Trojan prefix.

• PWS—password-stealing Trojan
• Backdoor—Trojan with RAT function (Remote Administration Tool—a utility for remote administration)
• IRC—Trojan which uses Internet Relay Chat channels
• DownLoader—Trojan which secretly downloads different malicious programs from the internet
• MulDrop—Trojan which secretly drops different malicious files contained in its body
• Proxy—Trojan which allows a third-party user to work anonymously on the internet via the infected computer
• StartPage (synonym: Seeker)—Trojan which makes an unauthorized replacement of the browser home page address (start page)
• Click—Trojan which redirects a user's browser to a certain website (or websites)
• KeyLogger—a spyware Trojan which logs keystrokes; it may send the collected data to an attacker
• AVKill—terminates or deletes anti-virus programs, firewalls, etc.
• KillFiles, KillDisk, DiskEraser—deletes certain files (all files on drives, files in certain directories, files matching a certain mask, etc.)
• DelWin—deletes files vital for the operation of Windows OS
• FormatC—formats drive C (synonym: FormatAll—formats all drives)
• KillMBR—corrupts or deletes master boot records (MBR)
• KillCMOS—corrupts or deletes CMOS memory

Tool for attacking vulnerabilities

• Exploit—a tool exploiting known vulnerabilities of an OS or application to implant a malicious program or perform unauthorized actions

Tools for network attacks

• Nuke—tools for network attacks on known vulnerabilities of operating systems leading to abnormal shutdowns of the attacked system
• DDoS—agent program for performing a DDoS attack (Distributed Denial of Service)
• FDoS (synonym: Flooder)—Flooder Denial of Service—programs for performing malicious actions on the internet which use the idea of DDoS attacks; in contrast to DDoS, where several agents on different computers are used simultaneously to attack one victim system, an FDoS program operates as an independent "self-sufficient" program

Script threats

Prefixes of threats written in different script languages:

• VBS—Visual Basic Script
• JS—JavaScript
• Wscript—Visual Basic Script and/or JavaScript
• Perl—Perl
• PHP—PHP
• BAT—MS-DOS command interpreter

Malicious programs

Prefixes of malicious programs that are not viruses:

• Adware—an advertising program
• Dialer—a dialer program (redirecting modem calls to predefined paid numbers or paid resources)
• Joke—a joke program
• Program—a potentially dangerous program (riskware)
• Tool—a program used for hacking (hacktool)

Miscellaneous

Generic—this prefix is used after another prefix describing the environment or the development method to name a typical representative of this type of threat. Such a threat does not possess any characteristic features (such as text strings, special effects, etc.) which could be used to assign it a specific name.

Silly—this prefix was used with different modifiers to name simple featureless viruses in the past.

Suffixes

Suffixes are used to name some specific malicious objects:

• generator—an object which is not a virus but a virus generator.
• based—a malicious object which is developed with the help of the specified generator, or a modified threat.
In both cases the names of this type are generic and can cover hundreds and sometimes even thousands of threats.
• dropper—an object which is not a virus but a container of the given virus.
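As an added example (not code from the Dr.Web documentation), the following Python function splits a detection name into its dot-separated elements and maps each element against the prefix and suffix tables above, so that a report or SIEM enrichment can state the affected environment and behaviour class without a lookup. All sample names are constructed; treating a trailing digits-only element as a variant number is an assumption not described in this appendix.

```python
# Prefix tables transcribed from the appendix; values are short labels for reports.
ENV_PREFIXES = {
    "Win": "OS: 16-bit Windows 3.1", "Win95": "OS: 32-bit Windows 95/98/Me",
    "WinNT": "OS: 32-bit Windows NT line", "Win32": "OS: 32-bit Windows 9x/NT line",
    "Win64": "OS: 64-bit Windows", "Win32.NET": "OS: Microsoft .NET Framework",
    "OS2": "OS: OS/2", "Unix": "OS: Unix-based", "Linux": "OS: Linux",
    "FreeBSD": "OS: FreeBSD", "SunOS": "OS: SunOS (Solaris)", "Symbian": "OS: Symbian OS",
    "WM": "macro: Word Basic", "XM": "macro: VBA3 (Excel)", "W97M": "macro: VBA5/6 (Word)",
    "X97M": "macro: VBA5/6 (Excel)", "A97M": "macro: MS Access",
    "PP97M": "macro: PowerPoint", "O97M": "macro: several MS Office components",
    "VBS": "script: VBS", "JS": "script: JavaScript", "Wscript": "script: VBS/JS",
    "Perl": "script: Perl", "PHP": "script: PHP", "BAT": "script: MS-DOS batch",
    "Java": "Java virtual machine",
}
HLL_PREFIXES = {"HLLW": "worm", "HLLM": "mail worm", "HLLO": "overwriting",
                "HLLP": "parasitic", "HLLC": "companion"}
BEHAVIOUR_CLASSES = {  # Trojan modifiers, attack tools and non-virus programs
    "Trojan", "PWS", "Backdoor", "IRC", "DownLoader", "MulDrop", "Proxy", "StartPage",
    "Seeker", "Click", "KeyLogger", "AVKill", "KillFiles", "KillDisk", "DiskEraser",
    "DelWin", "FormatC", "FormatAll", "KillMBR", "KillCMOS", "Exploit", "Nuke", "DDoS",
    "FDoS", "Flooder", "Adware", "Dialer", "Joke", "Program", "Tool",
}
SUFFIXES = {"generator", "based", "dropper"}


def classify(name: str) -> dict:
    """Map each dot-separated element of a Dr.Web-style name to the appendix's categories."""
    parts = name.split(".")
    # "Win32.NET" is a single prefix even though it contains a full stop.
    if parts[:2] == ["Win32", "NET"]:
        parts = ["Win32.NET"] + parts[2:]
    info = {"environment": None, "classes": [], "suffix": None, "variant": None,
            "generic": False, "rest": []}
    if parts[-1] in SUFFIXES:  # suffixes always close the name
        info["suffix"] = parts.pop()
    # Assumption (not in the appendix): a trailing digits-only element is a variant number.
    if parts and parts[-1].isdigit():
        info["variant"] = parts.pop()
    for p in parts:
        if p in ENV_PREFIXES:
            info["environment"] = ENV_PREFIXES[p]
        elif p in HLL_PREFIXES:
            info["classes"].append("HLL " + HLL_PREFIXES[p])
        elif p in BEHAVIOUR_CLASSES:
            info["classes"].append(p)
        elif p in ("Generic", "Silly"):  # featureless sample with no specific name
            info["generic"] = True
        else:
            info["rest"].append(p)  # family-specific element chosen by the lab
    return info
```

Elements that match no table are returned in `rest`, which is where the lab's family-specific name ends up.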