Find out why one simple virus can have several complicated names, and what each of those names might tell you.
Antivirus software vendor sites are not obligated to conform to any virus naming convention. However, most do follow what's called the CARO Naming Convention. Adopted in 1991, the CARO Naming Convention is the result of a committee consisting of Fridrik Skulason, Alan Solomon, and Vesselin Bontchev.
Note: Virus names may not always have all the parts, but the parts must be listed in the following order, often separated by dots:
•Family_Name: Here's a list of Family_Names in use today:
| WM | Word macro viruses. |
| W97M | Word97 macro viruses |
| XM | Excel macro viruses |
| X97M | Excel 97 macro viruses |
| W95 | Windows 95 viruses |
| W32 | 32-bit Windows viruses |
| WNT | 32-bit Windows NT viruses |
| I-Worm | Internet worm |
| Trojan/Troj | Trojan horses |
| VBS | Visual Basic Script viruses |
| AOL | America Online Trojans |
| PWSTEAL | Trojans that steal passwords |
| Java | JAVA viruses |
| Linux | Linux viruses |
| Palm | Palm OS viruses |
•Group_Name: This is the original virus's name, often found within the viral code. In a sense, the virus author gets to name the virus.
•Major_Variant: Immediately following the Group_Name is the Major_Variant. For example, the worm VBS.LoveLetter is distinct from VBS.LoveLetter.A.
•Minor_Variant: Sometimes, Minor_Variant can be a number, which is the file size of the virus. For example, W32.FunLove.4099.
Lately, antivirus software vendors have added the following, signifying the method and speed of propagation:
- @M: This means it spreads by e-mail
- @MM: This means it's a mass mailer
So, for example, if you see something called W32/Magistr@MM, then you know:
- Its Family_Name is 32-bit Windows
- Its Group_Name is Magistr
- It spreads by e-mail
- It is also a mass mailer
14%
7%
