Naming of viruses
A computer virus often has multiple names. When people discuss virus protection, they often have to figure out whether they are talking about the same virus. For example, the aliases of 1701 virus include leaf falling virus, teardrop virus, 1704 virus, raindrop virus, cold virus, etc. Raindrop virus is also called Flu virus and JOJO virus abroad. Hong Kong virus is also known as blockade virus, non-printing virus, Blockade virus and port virus. So the resulting statistics are sometimes biased. At present, there is no unified international standard to coordinate and guide naming work in this area. Each anti-virus software also has different names for viruses. Sometimes different software will give different names to the same virus. For example, the "SPY" virus is named SPY by KILL and "TPVO-3783" by KV300. Common methods of naming viruses are as follows:
1. Naming according to the time of virus onset. This naming depends on the time when the virus manifests or damages the system. The manifestation or damage part of this type of virus is generally timed. Bombs, such as "Black Friday", are named because the virus destroys files executed when the 13th of a certain month falls on a Friday; another example is the "Michel" virus, whose onset time is March 6, and March September 6th is the birthday of the world-famous artist Michelangelo, hence the name "Michelangelo" virus (referred to as "Michel" virus).
2. Name according to the symptoms of the virus attack. Named after the symptoms of the virus attack. For example, the "ball" virus is caused by the small balls that appear on the screen when the virus attacks. Another example is the "Torch" virus, which is named because five flashing torches appear on the screen when the virus attacks; another example is the Yankee virus, which is named because it will play Yankee Doodle music when it is activated. Yankee virus.
3. Name according to the logo contained in the virus itself. Name it according to the string that appears in the virus, virus logo, storage location or virus publication
The current name announced by the virus itself, such as " The "Marijuana" virus contains the words Marijunana and Stoned, so people named the virus Marijunana (translated as "marijuana") and Stoned virus; another example is the "Liberty" virus because the virus contains this logo; another example is "DiskKiller" The virus calls itself DiskKiller (disk killer). The CIH virus was named by Dr. Liu Weilin because the first name of the virus program is "CIH".
4. Name the virus according to the place where it was first discovered. For example, "Black Friday" is also called
Jurusalem (Jerusalem) virus because the virus was first discovered in Jurusalem. Discovered; another example is the Vienna (Vienna) disease
The virus was first discovered in Vienna. 5. Name according to the byte length of the virus. Name it according to the increased length of the file when the virus infects the file or the length of the virus's own code, such as 1575, 2153, 1701, 1704, 1514, 4096, etc.
AVPD, an anti-virus product developer group in the United States, is coordinating the collection, identification and naming of computer viruses and the development of anti-virus products among its member units. When people do not see an exact description of a virus and a recognized name for it, people will base their judgment on the virus's working mechanism, manifestation, contained ASCII string, code length of the virus program, date or time of onset, the It is named based on the place where the virus was discovered, the model of machine attacked by the virus, the sound or graphics displayed by the performance module in the virus, and various characteristics that the discoverer of the virus could experience at the time. The 1701 and Hong Kong viruses listed earlier fall into this category.
The purpose of naming a new computer virus is to enable people to quickly and accurately identify the virus for prevention, diagnosis and treatment. Therefore, the naming should best reflect the characteristics of the virus so that it is not easily confused with other existing computer viruses.
Computer viruses are now a major nuisance to computer users, and the losses and damage they cause are difficult to estimate. And some pranksters, some vindictive programmers, some saboteurs and some virus writers for political purposes, economic interests and military purposes are still creating various computer viruses. Some viruses are simply variants of a previous virus. Some people use various means such as disassembly to modify the internal modules of the original virus, such as the expression module, destruction module, infection module, etc., to make it a new computer virus that is based on the original virus but different from the original virus. This is a variant of a computer virus. Some virus variants simply change the display information of the original virus, leaving important codes such as the infection module untouched. In other variants, after modifying some important codes, the virus works with a new mechanism. At this time, this variant has evolved into a new virus and can no longer be called a variant of its prototype virus. Viruses in the biological world are evolving in almost the same way. One virus may derive several virus strains with the same basic characteristics, becoming a virus family. When a mutation occurs, it is difficult to take appropriate countermeasures for a new virus that has not been exposed to before careful research and testing. People also encounter similar problems with computer viruses. How to accurately capture new viruses that cannot be identified by common software, as well as analyze and study its working mechanism and characteristics, requires specialized knowledge. Without analyzing its infection mechanism, it is impossible to develop tools and software to prevent and eliminate viruses.
Many times, people have used anti-virus software to detect viruses on their machines, such as Backdoor. At that time, some people were confused. How could they know what kind of virus it was with such a long name?
In fact, as long as you master some virus naming rules, you can judge some of the public characteristics of the virus through the virus name that appears in the report of the anti-virus software.
There are so many viruses in the world. In order to facilitate management, anti-virus companies will classify and name viruses according to their characteristics. Although the naming rules of each anti-virus company are different, they generally adopt a unified naming method.
The general format is:
The virus prefix refers to the type of virus, which is used to distinguish the racial classification of the virus. Different types of viruses have different prefixes. For example, the prefix of common Trojan viruses is Trojan, the prefix of worm viruses is Worm, and others.
The virus name refers to the family characteristics of a virus and is used to distinguish and identify virus families. For example, the family names of the famous CIH viruses in the past were all unified "CIH", and there has been a recent uproar. The family name of Huan's oscillating wave worm is "Sasser".
The virus suffix refers to the variant characteristics of a virus and is used to distinguish a certain variant of a specific family of viruses. It is generally represented by 26 letters in English. For example, Worm.Sasser.b refers to the variant B of the oscillating wave worm virus, so it is generally called "oscillating wave variant B" or "oscillating wave variant B". If there are many variants of the virus (which also indicates that the virus is tenacious^_^), a mixture of numbers and letters can be used to represent the variant identification.
In summary, the prefix of a virus is very helpful in quickly determining what type of virus it belongs to. By judging the type of virus, you can have a rough assessment of the virus (of course this requires accumulating knowledge about common virus types, which is beyond the scope of this article). Through the virus name, you can use search information and other methods to further understand the detailed characteristics of the virus. The virus suffix can tell you which variant of the virus is currently in your machine.
Below are explanations of some common virus prefixes (for the most commonly used Windows operating system):
1. System virus
The prefix of system virus is : Win32, PE, Win95, W32, W95, etc.
The general public characteristic of these viruses is that they can infect *.exe and *.dll files of the Windows operating system and spread through these files. Such as CIH virus.
2. Worm virus
The prefix of worm virus is: Worm. The common characteristic of this virus is that it spreads through network or system vulnerabilities. Most worms have the characteristic of sending out poisonous emails and blocking the network. For example, shock wave (blocking the network), little postman (sending poisonous emails), etc.
3. Trojan virus, hacker virus
The prefix of Trojan virus is: Trojan, and the prefix of hacker virus is generally Hack. The public characteristic of Trojan viruses is to enter the user's system through network or system vulnerabilities, hide them, and then leak the user's information to the outside world, while hacker viruses have a visual interface that can remotely control the user's computer. Trojan horses and hacker viruses often appear in pairs, that is, the Trojan horse virus is responsible for invading the user's computer, and the hacker virus will be controlled through the Trojan horse virus. Both types are now increasingly integrated. Common Trojans such as QQ message tail Trojan Trojan.QQ3344, and you may encounter more Trojan viruses targeting online games such as Trojan.LMir.PSW.60. One more thing to add here is that if there is PSW or PWD in the virus name, it generally means that the virus has the function of stealing passwords (these letters are generally the abbreviation of "password" in English). Some hacker programs such as: Network Kingpin (Hack.Nether.Client) etc.
4. Script virus
The prefix of script virus is: Script. The public characteristics of script viruses are viruses written in script languages ??and spread through web pages, such as Code Red (Script.Redlof). Script viruses will also have the following prefixes: VBS, JS (indicating what kind of script is written), such as VBS.Happytime, Js.Fortnight.c.s, etc.
5. Macro virus
In fact, macro virus is also a type of script virus. Due to its particularity, it is counted as a separate category here. The prefix of a macro virus is: Macro, and the second prefix is: one of Word, Word97, Excel, Excel97 (perhaps others). All viruses that only infect WORD documents of WORD97 and earlier versions use Word97 as the second prefix, and the format is: Macro.Word97; all viruses that only infect WORD documents of WORD97 and later versions use Word as the second prefix, and the format is: Macro.Word ; Any virus that only infects EXCEL documents of EXCEL97 and earlier versions uses Excel97 as the second prefix, and the format is: Macro. Excel, and so on. The public characteristic of this type of virus is that it can infect OFFICE series documents and then spread through OFFICE general templates, such as the famous Macro.Melissa.