WebCrime

WHAT'S IN A NAME

WORM_MIMAIL.R:

This worm virus has been renamed to WORM_MYDOOM.A.

W32/Mydoom@MM - also called Novarg, Shimg, and Mimail.R

Viruses, Worms: What's in a Name? 

By Michelle Delio | 02:00 AM Sep. 04, 2003 PT

Ever since Brain, the very first computer virus, was created in 1986, the antivirus researcher who discovers a new worm or virus is generally given the honor of naming it.

Now, 65,000 viruses later and counting, those intrepid researchers are still managing to come up with new monikers for malicious software.

There are the ever-popular intimidating names: Blaster, Chernobyl, Code Red, Hybris, Goner, Slapper and Slammer.

Less popular these days are playful, perky names: Pretty Park, Birthday, Happy Monday, Smile, New Love and Teddy Bear.

There are the always-in-fashion temptresses -- DeepThroat, Hooker, FunLove, Love Letter, NakedWife, Paradise -- and the ones that seem to refer to the person who created the worm: Annoying, Brat, Coma, Faker, Glitch, SadHound, Slacker, Small, TheThing and Yo Momma.

And there are also names that seem to make no sense at all: Gokar, Klez, Nimda, Welyah, Yaha.

A name is expected to have some relation to the capabilities or concept behind the virus, but antivirus researchers admit that more than a few viruses have been named in a rather whimsical fashion.

"Sometimes it's obvious what to call a new virus because it's similar to a previous virus, or contains a message inside its code," said Chris Belthoff, senior security analyst at antivirus firm Sophos.

"Other times analysts have to seek inspiration -- I remember there was one which was named after the meal a virus analyst had just had."

Researchers are loosely bound by some conventions: Viruses aren't supposed to be named after businesses or brand-name products. Using the name of a famous person is also frowned on, which is why the Anna Kournikova virus is officially known as VBSWG.J. Common first names can be used, but virus namers tend to avoid them as well. And no matter how peeved a virus researcher is feeling, obscene or offensive names are verboten.

Apart from those guidelines, researchers are free to conjure up any name they choose, so long as they do it quickly.

"Of all the tasks we need to do when we discover a new virus, naming it is the least important, and we rarely spend more than a couple of seconds trying to choose a name," said Alex Shipp, an antivirus technologist for MessageLabs.

Sometimes virus names make perfect sense, once you know the story behind them. Nimda is admin, backward, for the systems administrators that F-Secure researchers figured would be driven mad by that worm.

Shipp named the Goner virus after the attachment in which the virus arrived (gone.scr). Auric was named for gold -- the name of that virus' attachment.

Yanking a reference from virus programming code is the most common way to come up with a name. Yaha and SirCam were both named from references found in their code. But occasionally researchers get a bit more creative.

"Sometimes we send a little message back to the virus writer," said Shipp. "For instance, the Klez author tried to hide his code by encoding parts of the virus. We named the virus Klez after a sequence of letters in the encoding key -- kind of a 'we know what you are doing' statement."

Klez provided infinite opportunities for interesting names. Its first versions contained this message, visible only during an analysis of its code: "I'm sorry to do this but it's helpless to say sorry. I want a good job. I must support my parents. Now you have seen my technical capabilities. How much is my year's salary now? No more than $5,500. What do you think of this fact? Don't call me names, I have no hostility. Can you help me?"

Then again, the "Don'tcallmenames" worm doesn't have quite the same nicely ominous ring that Klez does.

As many have suspected, occasionally antivirus researchers are simply amusing themselves by giving odd names to viruses.

Code Red was named after an eEye Digital Security researcher's favorite beverage, breaking the brand-name rule.

Researcher George Smith named one virus after a childhood memory -- "Heevahava."

Heevahava was made with a virus-creation kit that researchers shunned as a shoddy piece of work.

"I grew up in Pennsylvania Dutch country, and a heevahava was the farmhand given the job of holding the bull's pizzle during the collection of semen," explained Smith. "Locally, heevahava was used as an insult meaning 'dolt' or 'idiot.'"

Sometimes virus names can even turn out to be prophetic.

Sobig was the very first virus MessageLabs researcher Marcello Gentilcore named. He named it after the "big@boss.com" in the spoofed e-mail address the first version of the virus used.

As it turned out, SoBig.F recently became the biggest virus ever, at least in terms of the amount of e-mail it generated.

And yes, there are times when researchers just can't think up a good name.

Shipp said MessageLabs named the Avril Lavigne virus Naith (NAme Is THis). But Naith was eschewed by the other antivirus companies in favor of Lirva (Avril backward), which Shipp said he "would cynically guess is a name much more likely to get press coverage than Naith."

"You do feel a bit sad when a worthwhile name is passed over for something else, but in this particular case we don't really mind, since the name was essentially meaningless anyway," Shipp said.

Smith believes that researchers do care when the names they come up with don't stick. But he thinks that researchers probably cared more in the '80s and early '90s when discovering a virus also meant the researcher got to write a long technical dissection for publications aimed at their peers, such as the Virus Bulletin and Secure Computing.

The last virus that caused a real naming tussle, according to Smith, was Michelangelo in 1992.

"It was called Ninja Turtle by researchers in Taiwan, who later took umbrage to the name Michelangelo, claiming with some merit that they had categorized the virus before it was seized upon in the West," Smith recalls.

"But the Ninja Turtle name wound up bulldozed by Michelangelo, anyway."

When several antivirus researchers analyze a virus at the same time, naming chaos can ensue. One Blaster variant was recently and simultaneously named WORM_MSBLAST.D, Nachi and Welchia by various security firms.

"Some people have suggested there should be a committee who sits down and decides what the virus' name should be before we issue protection against it. They say this will reduce confusion," said Sophos' Belthoff. "But we figure that most people care only about stopping the virus, not if we're using different or slightly weird names."

Shipp said that MessageLabs researchers have occasionally been challenged by their co-workers to give viruses a specific oddball name.

"Of course you cannot just give the next virus to come along some random strange name; it has to be appropriate in some way," said Shipp. "So we have a pool of waiting names that we do manage to fit in every so often.

"Sometimes we do like to have a bit of fun when naming viruses," admitted Shipp.

"Of course, there are some who think that if naming viruses is our idea of fun then perhaps we really should get out more."

http://www.wired.com/news/infostructure/0,1377,60281,00.html

MYDOOM

It was nearly 4 p.m. last Monday when the first suspicious-looking email popped up on Richard Wang’s computer screen. Ten minutes later, a similar message arrived with the familiar “error” subject line and an icon indicating an attachment. The next arrived two minutes later. As a virus researcher at security firm Sophos’s new anti-virus lab in Massachusetts, Wang sorts through a lot of suspect email each day—most of it forwarded by customers or other security firms to be examined. “But once you see three or four of these in that short a time period, you start to think this is going to be something big,” he says. By the time the fourth email arrived, Wang remembers thinking, “I’m going to be late for dinner tonight.”

Meanwhile, on the West Coast, his counterpart at McAfee Avert, Craig Schmugar, was seeing two to four new suspicious-looking emails every time he refreshed his screen. “There was a sudden rush in emails we had never seen before,” says Schmugar, who is credited with co-discovering the virus. He named it MyDoom after spotting a line of text that included “mydom” (short for “my domain”) in the virus code. “It was evident early on that this would be very big,” he says. “I thought having ‘doom’ in the name would be appropriate.”

Oh, really?
