Worms: What's in a Name?
By Michelle Delio |
Ever since Brain,
the very first computer virus, was created in 1986, the antivirus researcher who discovers a new worm or virus is generally
given the honor of naming it.
Now, 65,000 viruses later and counting, those intrepid researchers are still managing
to come up with new monikers for malicious software.
are the ever-popular intimidating names: Blaster, Chernobyl, Code Red, Hybris, Goner, Slapper and Slammer.
these days are playful, perky names: Pretty Park, Birthday, Happy Monday, Smile, New Love and Teddy Bear.
There are the
always-in-fashion temptresses -- DeepThroat, Hooker, FunLove, Love Letter, NakedWife, Paradise -- and the ones that seem to
refer to the person who created the worm: Annoying, Brat, Coma, Faker, Glitch, SadHound, Slacker, Small, TheThing and Yo Momma.
And there are
also names that seem to make no sense at all: Gokar, Klez, Nimda, Welyah, Yaha.
A name is expected
to have some relation to the capabilities or concept behind the virus, but antivirus researchers admit that more than a few
viruses have been named in a rather whimsical fashion.
"Sometimes it's obvious what
to call a new virus because it's similar to a previous virus, or contains a message inside its code," said Chris Belthoff,
senior security analyst at antivirus firm Sophos.
"Other times analysts have
to seek inspiration -- I remember there was one which was named after the meal a virus analyst had just had."
Researchers are loosely bound
by some conventions: Viruses aren't supposed to be named after businesses or brand-name products. Using the name of a famous
person is also frowned on, which is why the Anna Kournikova virus is officially known as VBSWG.J. Common first names can
be used, but virus namers tend to avoid them as well. And no matter how peeved a virus researcher is feeling, obscene or offensive
names are verboten.
Apart from those
guidelines, researchers are free to conjure up any name they choose, so long as they do it quickly.
"Of all the tasks we need
to do when we discover a new virus, naming it is the least important, and we rarely spend more than a couple of seconds trying
to choose a name," said Alex Shipp, an antivirus technologist for MessageLabs.
Sometimes virus names make
perfect sense, once you know the story behind them. Nimda is admin, backward, for the systems administrators that F-Secure researchers figured would be driven mad by that worm.
Shipp named the
Goner virus after the attachment in which the virus arrived (gone.scr). Auric was named for gold -- the name of that virus'
Yanking a reference
from virus programming code is the most common way to come up with a name. Yaha and SirCam were both named from references
found in their code. But occasionally researchers get a bit more creative.
send a little message back to the virus writer," said Shipp. "For instance, the Klez author tried to hide his code by encoding
parts of the virus. We named the virus Klez after a sequence of letters in the encoding key -- kind of a 'we know what you
are doing' statement."
infinite opportunities for interesting names. Its first versions contained this message, visible only during an analysis of
its code: "I'm sorry to do this but it's helpless to say sorry. I want a good job. I must support my parents. Now you have
seen my technical capabilities. How much is my year's salary now? No more than $5,500. What do you think of this fact? Don't
call me names, I have no hostility. Can you help me?"
Then again, the
"Don'tcallmenames" worm doesn't have quite the same nicely ominous ring that Klez does.
As many have suspected, occasionally antivirus researchers are simply amusing themselves by giving odd names
Code Red was
named after an eEye Digital Security researcher's favorite beverage, breaking the brand-name rule.
Researcher George Smith named one virus after a childhood memory -- "Heevahava."
Heevahava was made with a
virus-creation kit that researchers shunned as a shoddy piece of work.
"I grew up in
Pennsylvania Dutch country, and a heevahava was the farmhand given the job of holding the bull's pizzle during the collection
of semen," explained Smith. "Locally, heevahava was used as an insult meaning 'dolt' or 'idiot.'"
names can even turn out to be prophetic.
Sobig was the very first virus MessageLab researcher Marcello Gentilcore
named. He named it after the "firstname.lastname@example.org" in the spoofed e-mail address the first version of the virus used.
As it turned out, SoBig.F
recently became the biggest virus ever, at least in terms of the amount of e-mail it generated.
And yes, there
are times when researchers just can't think up a good name.
Shipp said MessageLabs
named the Avril Lavigne virus Naith (NAme Is THis). But Naith was eschewed by the other antivirus companies in favor of Lirva
(Avril backward), which Shipp said he "would cynically guess is a name much more likely to get press coverage than Naith."
"You do feel
a bit sad when a worthwhile name is passed over for something else, but in this particular case we don't really mind, since
the name was essentially meaningless anyway," Shipp said.
Smith believes that researchers
do care when the names they come up with don't stick. But he thinks that researchers probably cared more in the '80s and early
'90s when discovering a virus also meant the researcher got to write a long technical dissection for publications aimed at
their peers, such as the Virus Bulletin and Secure Computing.
The last virus
that caused a real naming tussle, according to Smith, was Michelangelo in 1992.
"It was called
Ninja Turtle by researchers in Taiwan, who later took umbrage to the name Michelangelo, claiming with some merit that they
had categorized the virus before it was seized upon in the West," Smith recalls.
"But the Ninja
Turtle name wound up bulldozed by Michelangelo, anyway."
When several antivirus researchers
analyze a virus at the same time, naming chaos can ensue. One Blaster variant was recently and simultaneously named WORM_MSBLAST.D, Nachi and Welchia by various security firms.
have suggested there should be a committee who sits down and decides what the virus' name should be before we issue protection
against it. They say this will reduce confusion," said Sophos' Belthoff. "But we figure that most people care only about stopping
the virus, not if we're using different or slightly weird names."
Shipp said that
MessageLab researchers have occasionally been challenged by their co-workers to give viruses a specific oddball name.
"Of course you
cannot just give the next virus to come along some random strange name; it has to be appropriate in some way," said Shipp.
"So we have a pool of waiting names that we do manage to fit in every so often.
do like to have a bit of fun when naming viruses," admitted Shipp.
"Of course, there
are some who think that if naming viruses is our idea of fun then perhaps we really should get out more."