December 03, 2000
A threat considered high risk by antivirus vendors McAfee and Trend has confusingly been given three different names: Creative, W32/ProLin@mm, and Troj_Shockwave. Antivirus vendors have been tasked with standardizing virus naming since an ICSA sponsored meeting in November of 1991. Nearly a decade later, the Creative, aka ProLin/Shockwave worm/Trojan points out the deficiencies in the adoption of this system. As users become more aware of virus issues and seek out information on newly released viruses, their efforts are frustrated by the lack of adherence to any real naming convention.
Shades of Gray
Today’s threats bring us any combination of Trojans, worms, and viruses in one tidy package. Worse still, the lines between Trojan and worm seem to be blurring somewhat with some vendors. For example, worms have traditionally been described as self-contained programs that make copies of themselves and Trojans as programs that maliciously do something other than the user intended. McAfee classifies their so named W32/ProLin@mm as an Internet worm that spreads via email. Trend describes the same infector as a Windows PE Trojan and refers to it as Troj_Shockwave.A. F-Secure and AVP simply named the infector Creative, after the name of the attached file the worm spreads under. However, all of the descriptions discuss the malicious action of renaming .JPG and .GIF files and moving them to the root of drive C:\. Since worms, by definition, simply mass-produce themselves, when is a worm no longer a worm? What family should these combination threats fall under?
Descriptive Names
McAfee is perhaps the most descriptive in their choice of W32/ProLin@mm - at least from one perspective. W32 signifies that it is a Windows 32-bit system infector. ProLin refers to the Pro Linux message conveyed by the infector, and the @mm signifies that it is a mass-mailer. Such naming also services the needs of Macintosh and Unix users, who can tell at a glance that this is not a threat they need be concerned with. The choice of the name also makes no claims as to whether it is Trojan, worm or virus. On the other hand, F-Secure’s and AVP’s choice of Creative is apt, as users receiving the attached file may first search out information based on the name of the file. Still, Trend is accurate in referring to it as a Trojan, as it does have some of the characteristics of one.
Confusing to Users
Even the WildList organizers have shown no interest in attempting to standardize naming conventions for viruses. While it is true that the effectiveness of the antivirus software is not affected by the name, where does this leave the end users who try to research and keep abreast of virus outbreaks? A McAfee user may be thoroughly updated on the W32/ProLin worm, but what happens when they are forwarded a warning about a new Trojan named Shockwave?
Searchable Encyclopedias
Fortunately, antivirus vendors recognize that the best way to combat these issues is to provide searchable encyclopedias and multiple listings under each of the infector’s aliases. For example, F-Secure has links to the description under Creative, ProLin, Shockwave, Troj_Shockwave, and W32/Prolin. The Antivirus.About.com encyclopedia also follows this multiple listing convention. Addtionally, every effort is made to accurately identify the different names in the brief descriptions provided within the Recent Outbreaks section of the site.
Also See: Naming Confusion Hinders Response
