A long-standing problem when it comes to identifying viruses, or simply trying to find out information about a virus, is that each vendor names the virus in a different way. All too frequently, the only way to find out what name a given vendor uses for a virus is to run it through that vendor's anti-virus product. We primarily use the ClamAV anti-virus system, so we tend to use the names generated by Clam as our starting point. In this article we will investigate this issue and show some ways round it.
Let's investigate this problem by taking one particular example. Worm.Nyxem.E is sent as an executable attachment to an email message. The email message tends to have a relatively simple subject line and text body, typically inviting the recipient to "open the ebook" or "see the attached information". The following table shows the names reported when the same sample is run through a number of different vendors' packages.
| AV System | Name given to Worm.Nyxem.E |
|---|---|
| Avira AntiVir | Worm/KillAV.GR |
| Authentium Command Anti Virus | W32/Kapser.A@mm |
| Avast! antivirus | Win32:VB-CD |
| Grisoft AVG | Worm/Generic.FX |
| ClamAV | Worm.Nyxem.E |
| DrWeb Anti-virus | Win32.HLLM.Generic.391 |
| Computer Associates eTrust-InoculateIT | Win32/Blackmal.F!Worm |
| Computer Associates eTrust-Vet | Win32/Blackmal.F!CME24 |
| Fortinet AntiVirus | W32/Grew.A!worm |
| Frisk F-Prot | W32/Kapser.A@mm |
| IKARUS Software Anti-Virus | Email-Worm.Win32.VB.BI |
| Kaspersky Antivirus | Email-Worm.Win32.Nyxem.e |
| McAfee Virusscan | W32/MyWife.d@MM!M24 |
| Microsoft | Win32/Mywife.E@mm!CME-24 |
| ESET NOD32 | Win32/VB.NEI |
| Norman Virus Control | W32/Small.KI@mm |
| Panda Antivirus | W32/Tearec.A.worm!CME-24 |
| Sophos Anti-Virus | W32/Nyxem-D |
| VirusBlokAda VBA32 | Email-Worm.Win32.VB.bi |
This example shows the range of different names that the same virus can have. There is a good reason for the wildly different names. When a virus spreads into the wild, the main priority of anti-virus vendors is to create signatures for the new virus so that their systems can stop it as soon as possible. As different vendors discover the virus, each generates its own name, and there is no time to agree virus names with other vendors. The name therefore depends on whichever naming scheme each anti-virus company uses.
One way of discovering the aliases for a virus is to submit the virus (or the affected email message) to VirusTotal. This is a free service provided by a company called Hispasec Sistemas. The submitted file is fed into a number of different AV systems, and the result from each is shown. Another, somewhat more labour-intensive, way of identifying a virus is to search in viruslist.
A neutral index for viruses was created by CME (Common Malware Enumeration). This service gives each virus a unique identifier; for example, the virus Nyxem was labelled CME-24. CME is still in its initial stages, but at the moment it seems unlikely to make much progress: a few of the virus names in the table above include the CME number, but it is by no means consistent or standardised. The CME initiative will take a huge amount of sustained effort to make real headway.