Appendix C. Naming of Viruses

When a Dr.Web component detects a threat, the notification in the user interface and the report file contain the name assigned to the threat sample by the specialists of the Doctor Web anti-virus laboratory. These names are formed according to certain principles and reflect the threat's design, the classes of objects it can affect, its distribution environment (OS and applications) and some other features. Knowing these principles is useful for understanding which software and organizational weaknesses of the protected system a detected threat targets. The full and regularly updated version of this classification is available at https://vms.drweb.com/classification/.

This classification is to some extent conventional, since a single threat can possess several of these features at once. Nor should it be considered exhaustive: new types of threats appear constantly, and the classification is refined accordingly.

The full name of a threat consists of several elements, separated by full stops. Some elements at the beginning of the full name (prefixes) and at the end of it (suffixes) are standard for the accepted classification.

Prefixes

Affected operating systems

The prefixes listed below are used for naming malicious programs infecting executable files of certain operating systems:

Win—16-bit Windows 3.1 programs

Win95—32-bit Windows 95/98/Me programs

WinNT—32-bit Windows NT/2000/XP/Vista/7/8/8.1/10 programs

Win32—32-bit Windows 95/98/Me and NT/2000/XP/Vista/7/8/8.1/10 programs

Win64—64-bit Windows XP/Vista/7/8/8.1/10/11 programs

Win32.NET—programs for the Microsoft .NET Framework

OS2—OS/2 programs

Unix—programs in various Unix-based systems

Linux—Linux programs

FreeBSD—FreeBSD programs

SunOS—SunOS (Solaris) programs

Symbian—Symbian OS (mobile OS) programs

Note that a malicious program designed to run in one system may still infect programs of another system.

Macrovirus prefixes

The list of prefixes for viruses which infect MS Office objects (the macro language such viruses are written in is given in parentheses):

WM—Word Basic (MS Word 6.0-7.0)

XM—VBA3 (MS Excel 5.0-7.0)

W97M—VBA5 (MS Word 8.0), VBA6 (MS Word 9.0)

X97M—VBA5 (MS Excel 8.0), VBA6 (MS Excel 9.0)

A97M—databases of MS Access'97/2000

PP97M—MS PowerPoint presentations

O97M—VBA5 (MS Office'97), VBA6 (MS Office 2000); this virus infects files of more than one component of MS Office

Development languages

The HLL group is used to name threats written in high-level programming languages such as C, C++, Pascal, Basic and others. The following modifiers specify how the threat operates:

HLLW—worms

HLLM—mail worms

HLLO—malicious programs overwriting the code of the victim program

HLLP—parasitic viruses

HLLC—companion viruses

The following prefix also refers to development language:

Java—threats designed for the Java virtual machine

Trojan programs (Trojans)

Trojan—a general name for different Trojan programs (Trojans). In many cases the prefixes of this group are used with the Trojan prefix.

PWS—password stealing Trojan

Backdoor—Trojan with RAT-function (Remote Administration Tool—a utility for remote administration)

IRC—Trojan which uses Internet Relay Chat channels

DownLoader—Trojan which secretly downloads different malicious programs from the internet

MulDrop—Trojan which secretly extracts and installs various malicious files contained in its own body

Proxy—Trojan which allows a third-party user to work anonymously in the internet via the infected computer

StartPage (synonym: Seeker)—Trojan which replaces the browser home page (start page) address without the user's authorization

Click—Trojan which redirects a user’s browser to a certain website (or websites)

KeyLogger—a spyware Trojan which logs key strokes; it may send collected data to a malefactor

AVKill—terminates or deletes anti-virus programs, firewalls, etc.

KillFiles, KillDisk, DiskEraser—deletes certain files (all files on drives, files in certain directories, files by certain mask, etc.)

DelWin—deletes files vital for the operation of Windows OS

FormatC—formats drive C (synonym: FormatAll—formats all drives)

KillMBR—corrupts or deletes master boot records (MBR)

KillCMOS—corrupts or deletes CMOS memory

Tool for attacking vulnerabilities

Exploit—a tool exploiting known vulnerabilities of an OS or application to implant a malicious program or perform unauthorized actions

Tools for network attacks

Nuke—tools for network attacks that exploit known vulnerabilities of operating systems to crash (abnormally shut down) the attacked system

DDoS—agent program for performing a DDoS attack (Distributed Denial Of Service)

FDoS (synonym: Flooder)—Flooder Denial of Service: a program that performs malicious actions in the internet using the idea of a DDoS attack. Unlike DDoS, where several agents on different computers attack one victim system simultaneously, an FDoS program operates on its own as an independent, self-sufficient program.

Script threats

Prefixes of threats written in various script languages:

VBS—Visual Basic Script

JS—JavaScript

Wscript—Visual Basic Script and/or JavaScript

Perl—Perl

PHP—PHP

BAT—MS-DOS command interpreter

Malicious programs

Prefixes of malicious programs that are not viruses:

Adware—an advertising program

Dialer—a dialer program (redirecting modem calls to predefined paid numbers or paid resources)

Joke—a joke program

Program—a potentially dangerous program (riskware)

Tool—a program used for hacking (hacktool)

Miscellaneous

Generic—this prefix is used after another prefix describing the environment or the development method to name a typical representative of this type of threat. Such a threat does not possess any characteristic features (such as text strings, special effects, etc.) which could be used to assign it a specific name.

Silly—this prefix was used in the past, together with various modifiers, to name simple featureless viruses.

Suffixes

Suffixes are used to name some specific malicious objects:

generator—an object which is not a virus but a virus generator.

based—a malicious object developed with the help of the specified generator, or a modification of the specified threat. In both cases names of this type are generic and may cover hundreds or even thousands of threats.

dropper—an object which is not a virus but a container of the given virus.
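As an added worked example (not Doctor Web's code and not part of this manual), the following Python script decomposes a threat name of the kind described above into its dot-separated elements, recognising only the prefixes and suffixes listed in this appendix. It assumes that prefixes form a contiguous run at the start of the name, that trailing all-digit elements are variant numbers, and that a standard suffix (generator, based, dropper) sits at the end of the remaining elements; the names it is run on are constructed for illustration and are not real detection names.

```python
"""Decompose Dr.Web-style threat names into prefixes, family, suffix and variant.

Added illustration, not Doctor Web's own code. It knows only the prefixes and
suffixes listed in this appendix; any other element is treated as part of the
family name (or, if purely numeric at the end, as a variant number). The sample
names below are constructed for this example and are not real detection names.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Prefix sets transcribed from the appendix, grouped by what they describe.
PREFIX_CATEGORIES = {
    "platform": {"Win", "Win95", "WinNT", "Win32", "Win64", "Win32.NET", "OS2",
                 "Unix", "Linux", "FreeBSD", "SunOS", "Symbian"},
    "macro": {"WM", "XM", "W97M", "X97M", "A97M", "PP97M", "O97M"},
    "hll": {"HLL", "HLLW", "HLLM", "HLLO", "HLLP", "HLLC"},
    "language": {"Java"},
    "trojan": {"Trojan", "PWS", "Backdoor", "IRC", "DownLoader", "MulDrop", "Proxy",
               "StartPage", "Seeker", "Click", "KeyLogger", "AVKill", "KillFiles",
               "KillDisk", "DiskEraser", "DelWin", "FormatC", "FormatAll",
               "KillMBR", "KillCMOS"},
    "exploit": {"Exploit"},
    "network": {"Nuke", "DDoS", "FDoS", "Flooder"},
    "script": {"VBS", "JS", "Wscript", "Perl", "PHP", "BAT"},
    "nonvirus": {"Adware", "Dialer", "Joke", "Program", "Tool"},
    "misc": {"Generic", "Silly"},
}
SUFFIXES = {"generator", "based", "dropper"}


def category_of(element: str) -> Optional[str]:
    """Return the prefix category of an element, or None if it is not a known prefix."""
    for category, members in PREFIX_CATEGORIES.items():
        if element in members:
            return category
    return None


@dataclass
class ThreatName:
    raw: str
    prefixes: List[Tuple[str, str]] = field(default_factory=list)  # (element, category)
    family: str = ""      # elements between the prefixes and the suffix/variant
    suffix: str = ""      # "generator", "based" or "dropper", if present
    variant: str = ""     # trailing numeric element(s), e.g. "17"

    def prefix_of(self, category: str) -> List[str]:
        return [element for element, cat in self.prefixes if cat == category]

    @property
    def is_generic(self) -> bool:
        # Generic marks a featureless sample that carries no family-specific name
        return "Generic" in self.prefix_of("misc")


def parse_threat_name(name: str) -> ThreatName:
    parts = name.split(".")
    # Win32.NET is itself written with a dot, so re-join it before classifying
    if len(parts) >= 2 and parts[0] == "Win32" and parts[1] == "NET":
        parts = ["Win32.NET"] + parts[2:]

    result = ThreatName(raw=name)
    # Prefixes are the leading run of known elements (Trojan modifiers, Generic,
    # etc. may follow a platform prefix). Caveat of this assumption: a family
    # name spelled like a prefix, e.g. "Tool", would be swallowed as a prefix.
    index = 0
    while index < len(parts):
        category = category_of(parts[index])
        if category is None:
            break
        result.prefixes.append((parts[index], category))
        index += 1

    rest = parts[index:]
    # Trailing purely numeric elements are variant numbers, not part of the family
    variant: List[str] = []
    while rest and rest[-1].isdigit():
        variant.insert(0, rest.pop())
    result.variant = ".".join(variant)
    # A standard suffix, if present, is the last element once the variant is gone
    if rest and rest[-1] in SUFFIXES:
        result.suffix = rest.pop()
    result.family = ".".join(rest)
    return result


if __name__ == "__main__":
    # Constructed sample names; the family "Example" is a placeholder, not a real threat
    for sample in ("Win32.HLLW.Generic.1", "Trojan.PWS.Example.17",
                   "W97M.Example.based", "Win32.NET.Example.3"):
        parsed = parse_threat_name(sample)
        print(sample, "->", parsed.prefixes, parsed.family, parsed.suffix, parsed.variant)
```

Running the script prints the breakdown of each constructed name; a Generic name with an empty family is exactly the "typical representative with no characteristic features" case described under Miscellaneous, which is why the parser reports `is_generic` separately from the family.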