Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!cs.widener.edu!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics)
Newsgroups: comp.virus
Subject: Re: Virus naming
Message-ID: <0001.9103281641.AA28811@ubu.cert.sei.cmu.edu>
Date: 26 Mar 91 21:52:00 GMT
Sender: Virus Discussion List
Lines: 68
Approved: krvw@sei.cmu.edu

CHESS@YKTVMV.BITNET (David.M.Chess) writes:
> The trouble with hash codes, or dates, or anything else semi-automatic
> is that, when there get to be enough of them, the names start to
> become useless. At IBM, we tried to use number-names whenever
> possible early on, but the disadvantages became apparent after not too
> long. If there's a 453 and a 435 virus, for instance, it's Real Hard
> to remember which is which!

I agree, but there are two reasons for a virus name:

(1) To indicate in "human-friendly" terms roughly what it is, and
(2) To positively identify which virus it is.

In the first case, you usually aren't concerned if it is a slight modification of a well known virus (so long as it does the same things), and it is nice if there are just a few, easily pronounced names to remember. To start with, that is what we had. Now, the system is breaking down because there are so many, often minor modifications, and a lack of communication or standardisation by anti-virus workers. Having a lot of easy-to-remember but incorrectly applied virus names is worse than useless. Hence my suggestion for a change.

Ideally, there should be a method of identification, given nothing but the virus itself. So if people over the other side of the world also find the same virus, you can definitely say "yes, this is the same virus" without having to send a copy of the whole thing. It would be nice if such a method for positive identification also helped with an easily remembered name as well. Well, that is possible (e.g. with my CHECKOUT program), and it partly involves the "family plus number" method you mentioned. This is how it works...

You create a hashcode that consists of two parts (see my BOOTID program). One part has bit-flags that identify certain good and bad things the boot code is doing. Similar viruses get similar codes here. If you can't be bothered working out what this part of the code means, the CHECKOUT program has an option that explains it all in English. The other part of the code is a seemingly-random code derived from the bytes in the boot sector. Two viruses that are similar but slightly different will get totally different codes, so this part is of little use to us humans. But the total code can be used to look up a list of known good and bad boot sectors. This would have a "popular name", that hopefully is assigned carefully, perhaps by one person or organisation.

So, if it is a known virus, you get two things, the hashcode plus a sensible name. If it isn't in the list of known viruses, you just get a hashcode, the last 3 characters of which I, at least, find easy to identify the basic type of virus from at first glance.

Now, this hasn't been extended to other types of virus yet, but I have a plan in mind, which puts more emphasis on what the virus does, and less on the code it uses to get there, but it is still determined only from the contents of the virus, rather than some obscure historical fact that gave it a name.

As I have said, there is still a place for "family" or "generic" names for viruses, *but* it should be a lot more organised than at present, otherwise there will be more and more cases of confusion - which can be dangerous since some variations of some viruses have to be handled very differently.

By the way, BOOTID and CHECKOUT are both free from cantva.canterbury.ac.nz, 132.181.30.3, in the pc subdirectory. There will be a new version released within the next week, with better analysis facilities in the CHECKOUT program, and a slight change to hashcodes produced by both programs, to allow for some types of good (e.g. "virus-immune") disks that gave "worrying" results.

Keep sending suggestions, though!

Mark Aitchison, Physics, University of Canterbury, New Zealand.
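As an added illustration of the two-part "flags plus content code" scheme described in the post (this is not the BOOTID or CHECKOUT code, whose actual bit layout and hash are not given here): the specific behaviour checks, the truncated SHA-256 as the "seemingly-random" part, and the sample boot sector are all assumptions constructed for the example.

```python
import hashlib

# Behaviour flags: an assumed layout for this example, not BOOTID's real one.
FLAG_SIGNATURE = 0x01   # ends with the 0x55AA boot signature
FLAG_JUMP      = 0x02   # starts with a short/near jump into code
FLAG_INT13     = 0x04   # contains INT 13h (BIOS disk I/O) instructions
FLAG_INT19     = 0x08   # contains INT 19h (bootstrap reload)
FLAG_TEXT      = 0x10   # carries a printable message of 8+ characters

def behaviour_flags(sector: bytes) -> int:
    """Part one of the code: bit-flags describing what the boot code does.
    Closely related boot sectors (same family) get the same flags."""
    flags = 0
    if sector[510:512] == b"\x55\xaa":
        flags |= FLAG_SIGNATURE
    if sector[0] in (0xEB, 0xE9):
        flags |= FLAG_JUMP
    if b"\xcd\x13" in sector:
        flags |= FLAG_INT13
    if b"\xcd\x19" in sector:
        flags |= FLAG_INT19
    run = 0
    for b in sector:
        run = run + 1 if 32 <= b < 127 else 0
        if run >= 8:
            flags |= FLAG_TEXT
            break
    return flags

def content_code(sector: bytes) -> str:
    """Part two: a seemingly random code from the raw bytes; a single changed
    byte gives a different code (here a truncated SHA-256, an assumption)."""
    return hashlib.sha256(sector).hexdigest()[:8]

def hashcode(sector: bytes) -> str:
    """The total code: behaviour flags (hex) joined to the content code."""
    return f"{behaviour_flags(sector):02X}-{content_code(sector)}"

def identify(sector: bytes, known: dict) -> tuple:
    """Look the total code up in the list of known good/bad boot sectors.
    Returns (hashcode, popular name); the name is None when not listed."""
    code = hashcode(sector)
    return code, known.get(code)

def make_sector(message: bytes) -> bytes:
    """Constructed 512-byte boot sector: jump, an INT 13h, a message, signature."""
    body = b"\xeb\x3c\x90" + b"\xcd\x13" + message
    return body.ljust(510, b"\x00") + b"\x55\xaa"

SAMPLE = make_sector(b"Hello, constructed boot sector")
KNOWN = {hashcode(SAMPLE): "Example (constructed, not a real virus)"}
```

A one-byte variant of SAMPLE keeps the same flags part (same family) but gets a different content code and no name, which is exactly the behaviour the post describes for slightly modified viruses.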