Who names computer viruses? Everybody

Kooperman · February 28, 2004

Who names computer viruses? Everybody

Speed and confusion rule on the antivirus front

By Mike Musgrove

Updated: 12:08 a.m. ET Feb. 26, 2004

Early one Monday afternoon, Craig Schmugar, virus research manager at computer security firm Network Associates Inc., was at his desk taking a quick look at the programming inside a new computer worm that his team had just discovered, still in the early stages of circulating the Web.

As Schmugar scanned through the worm's deciphered code, his adrenaline started pumping. This one had ambitions.

The worm disguised itself as a bounced piece of e-mail and had an innovative way of collecting addresses, looking for more potential victims. Schmugar had a feeling this one was going to create a lot of trouble; it was time to sound the alarms -- but first he needed to attach a name. What to call it?

Antivirus companies compete with each other fervently in the hopes that their customers will hear about the latest computer-based threat from them first. The result is that when there's an outbreak of a new virus or worm, companies often race to offer competing names for the same bug.

'Nobody is in charge'

For some, this regularly occurring confusion is starting to grate. A recent report submitted to the White House, "The National Strategy to Secure Cyberspace," called for more standardized methods of sharing information about security threats and criticized the confusion caused by conflicting names.

Industry officials have announced they are forming an alliance to resolve such problems, but many security experts said a solution will be difficult given the competitive nature of the antivirus business.

"Nobody is in charge and nobody is going to be willing to put anybody in charge who is not from their company," said David Perry, global education director at Trend Micro Inc. "And nobody -- nobody -- wants to add any level of anything" that will slow down the process of getting a fix to customers, he said.

In the early, pre-Internet days of the computer industry, new viruses were so rare and spread so slowly that a central organization of antivirus researchers signed off on the accepted name of each new virus that was discovered.

Today, viruses can spread worldwide in a couple of hours. And they are appearing at an increasingly rapid rate; by one estimate, 77,000 pieces of malicious code have been documented, though that number includes worms roaming the Web as well as code written but never released on the public.

Though the industry has settled on some general rules guiding virus nomenclature, the process can be remarkably haphazard. Recent viruses have gotten their names from soda drinks ("Code Red") and mythical beasts ("Bugbear"); some early antivirus researchers identified programs by working through a list of tree names.

There are as many rules about what not to name a virus as there are about what to call one. It is frowned on, for example, to name a virus after a person or a company. Antivirus researchers also avoid giving a virus the name its creator may have intended, as indicated in its code.

Same worm, different names

Confusion can occur when several companies give the same worm a different name. Many versions of a virus that came to be known as "klez" were considered relatively harmless, until a highly destructive sequel came out. Different antivirus firms had numbered the klez virus sequels differently, and corporate security teams were left scrambling as they had to figure out which version to be wary of.

"It can be bad news for the customers," said Alex Shipp, a senior antivirus researcher at e-mail security firm MessageLabs Inc. "They have no hope of sorting out that mess."

Schmugar at Network Associates said he has named about 200 viruses and worms, though not all have stuck. He tries to pick a name that refers to something unique or memorable about a virus's coding or behavior. In the recent case, he noticed the words "my domain" in the computer worm's programming. The words stuck in his mind, probably because they were related to the worm's advanced address-building capability. He shortened the reference to "mydom." Then he stuck in an extra "o," making "doom" part of the name.

"I steered away from the non-catchy names, because I knew it was going to be big," Schmugar said in a recent phone interview. "When I saw the word 'doom' as part of it . . . I thought that might be appropriate."

Schmugar estimates the decision-making process took less than three minutes.

That afternoon, Network Associates started warning its corporate customers about the "MyDoom" computer worm. (Its full name, "W32/Mydoom@MM" also contains information recognized by computer security workers about what operating systems the worm hits and how it replicates itself.) Customers of Symantec Corp., meanwhile, got warnings about a worm called "Novarg." Trend Micro warned customers about a worm it called "Mimail.r."

Symantec derived its name from another, encrypted line of coding in the same worm; Trend Micro first thought the worm was a variant of a bug called "Mimail" because the two had some traits in common, and identified it as a sequel of that worm.

'MyDoom' catches on

There is a simple rule for which company gets naming rights: The person or company that finds and posts information about a virus first gets to name it. But that's a rule that is often dropped in the heat of the moment. It's not clear whether Network Associates actually named the worm first or not -- but "MyDoom" is the name that caught on.

MyDoom was eventually credited as being the fastest computer worm ever to hit the Web, with millions of infected e-mails clogging servers around the world. At its peak, one of Network Associates' major corporate clients was blocking infected e-mails at a rate of 160,000 an hour.

"By the time we realized what was happening," said Shipp at MessageLabs, "Network Associates had already attached the name 'MyDoom' and we thought that was pretty good. . . . 'Novarg' didn't really trip off the tongue, but 'MyDoom' just seemed to be the name that everyone was going to go for."

While MessageLabs guessed correctly that MyDoom would win the popularity contest, others backed what turned out to be the losing name. Among those was the U.S. Computer Emergency Readiness Team.

The organization, a partnership between the Department of Homeland Security and private industry, originally issued a bulletin warning the public against "Novarg." In subsequent bulletins, the organization shifted gears and used the "MyDoom" moniker, as have Symantec and Trend Micro. The fifth, and possibly most destructive, version of MyDoom was first spotted circulating the Web late last week.

Though the Computer Emergency Readiness Team applies the "who speaks first" naming rule whenever it can, "one of our main goals is to clearly communicate," said Shawn Hernan, a senior member of the organization's technical staff. "It wouldn't do us any good to try to insist on a name that people don't recognize."

http://www.msnbc.msn.com/id/4376005/