Microsoft Malware Protection Center Naming Standards
The MMPC naming standard is derived from the Computer Antivirus Research Organization (CARO) Malware Naming Scheme, originally published in 1991 and revised in 2002. Most security vendors use naming conventions based on the CARO scheme, with minor variations, although family and variant names for the same threat can differ between vendors.
The naming standard used by the MMPC can contain some or all of the following components:

Type indicates the primary function or intent of the threat. The MMPC assigns each individual threat to one of a few dozen different types based on a number of factors, including how the threat spreads and what it is designed to do. The different types currently used by the MMPC are described here.
Platform indicates the operating environment in which the threat is designed to run and spread. For most of the threats described in this report, the platform is listed as "Win32", for the Win32 API used by 32-bit and 64-bit versions of Windows desktop and server operating systems. Platforms can include programming languages and file formats, in addition to operating systems. The platforms currently used by the MMPC are described here.
Groups of closely related threats are organized into families, which are given unique names to distinguish them from others. The family name is usually not related to anything the malware author has chosen to call the threat; researchers use a variety of techniques to name new families, such as excerpting and modifying strings of alphabetic characters found in the malware file. Security vendors usually try to adopt the name used by the first vendor to positively identify a new family, although sometimes different vendors use completely different names for the same threat, which can happen when two or more vendors discover a new family independently.
Malware creators often release multiple variants for a family, typically in an effort to avoid being detected by security software. Variants are designated by letters, which are assigned in order of discovery: A through Z, then AA through AZ, then BA through BZ, and so on. A variant designation of "gen" indicates that the threat is detected by a generic signature for the family rather than as a specific variant. Any additional characters that appear after the variant provide comments or additional information. Not all malware names need additional suffixes. The suffixes currently used by MMPC are discussed here.
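The components described above can be pulled apart mechanically when triaging detection names. The following is an added example, not MMPC code: the separators (`Type:Platform/Family.Variant` followed by suffixes) are an assumption not stated on this page, the function names are hypothetical, and the sample names are constructed around a placeholder family.

```python
import re

# Separators assumed (not stated on the page): [Type:]Platform/Family[.Variant][suffixes]
NAME_RE = re.compile(
    r"^(?:(?P<type>[A-Za-z]+):)?(?P<platform>[A-Za-z0-9_]+)/(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Z]+|gen))?(?P<suffixes>(?:[.!@][A-Za-z0-9]+)*)$"
)

# Meanings copied from the page's "Additional suffixes" table.
SUFFIXES = {
    ".dam": "damaged malware", ".dll": "Dynamic Link Library component of a malware",
    ".dr": "dropper component of a malware", ".gen": "detected using a generic signature",
    ".kit": "virus constructor", ".ldr": "loader component of a malware",
    ".pak": "compressed malware", ".plugin": "plug-in component",
    ".remnants": "remnants of a virus", ".worm": "worm component of that malware",
    "!rootkit": "rootkit component of that malware",
    "@m": "worm mailers", "@mm": "mass mailer worm",
}

def variant_ordinal(variant):
    """Discovery order of a lettered variant: A=1 ... Z=26, AA=27, AZ=52, BA=53."""
    n = 0
    for ch in variant:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n

def parse_name(name):
    """Split a detection name into the components the page describes."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised detection name: {name!r}")
    variant, suffixes = m["variant"], re.findall(r"[.!@][A-Za-z0-9]+", m["suffixes"])
    return {
        "type": m["type"], "platform": m["platform"], "family": m["family"],
        "variant": variant, "generic": variant == "gen" or ".gen" in suffixes,
        "ordinal": variant_ordinal(variant) if variant and variant != "gen" else None,
        "suffixes": {s: SUFFIXES.get(s, "not in the page's suffix table") for s in suffixes},
    }

def by_discovery(names):
    """Sort one family's names by discovery order (a plain string sort puts AA before B)."""
    return sorted(names, key=lambda n: parse_name(n)["ordinal"] or 0)

# Constructed sample names; "Examplefam" is a placeholder family, not a real threat.
SAMPLES = ["Worm:Win32/Examplefam.AB@mm", "Worm:Win32/Examplefam.C.dr", "Win32/Examplefam.gen"]
if __name__ == "__main__":
    for sample in by_discovery(SAMPLES):
        print(parse_name(sample))
```

Names that carry only a generic "gen" designation have no discovery ordinal and sort first.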
Malware naming details

| Operating systems | Description |
| --- | --- |
| AndroidOS | Android operating system |
| DOS | MS-DOS platform |
| EPOC | Psion devices |
| FreeBSD | FreeBSD platform |
| iPhoneOS | iPhone operating system |
| Linux | Linux platform |
| MacOS | MAC 9.x platform or earlier |
| MacOS_X | MacOS X or later |
| OS2 | OS2 platform |
| Palm | Palm operating system |
| Solaris | System V-based Unix platforms |
| SunOS | Unix platforms 4.1.3 or lower |
| SymbOS | Symbian operating system |
| Unix | general Unix platforms |
| Win16 | Win16 (3.1) platform |
| Win2K | Windows 2000 platform |
| Win32 | Windows 32-bit platform |
| Win64 | Windows 64-bit platform |
| Win95 | Windows 95, 98 and ME platforms |
| Win98 | Windows 98 platform only |
| WinCE | Windows CE platform |
| WinNT | Windows NT platform |

| Scripting languages | Description |
| --- | --- |
| ABAP | Advanced Business Application Programming scripts |
| ALisp | ALisp scripts |
| AmiPro | AmiPro script |
| ANSI | American National Standards Institute scripts |
| AppleScript | compiled Apple scripts |
| ASM | Assembly scripts |
| ASP | Active Server Pages scripts |
| AutoIt | AutoIt scripts |
| BAS | Basic scripts |
| BAT | BAT scripts |
| CorelScript | CorelScript scripts |
| HTA | HTML Application scripts |
| HTML | HyperText Markup Language scripts |
| INF | Install scripts |
| IRC | mIRC/pIRC scripts |
| Java | Java binaries (classes) |
| JS | JavaScript scripts |
| LOGO | LOGO scripts |
| MPB | MapBasic scripts |
| MSH | Monad shell scripts |
| MSIL | .NET intermediate language scripts |
| Perl | Perl scripts |
| PHP | Hypertext Preprocessor scripts |
| Python | Python scripts |
| SAP | SAP platform scripts |
| SH | Shell scripts |
| VBA | Visual Basic for Applications scripts |
| VBS | Visual Basic scripts |
| WinBAT | Winbatch scripts |
| WinHlp | Windows Help scripts |
| WinREG | Windows registry scripts |

| Macros | Description |
| --- | --- |
| A97M | Access 97, 2000, XP, 2003, 2007, and 2010 macros |
| HE | macro scripting |
| O97M | Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and PowerPoint |
| OpenOM | OpenOffice macros |
| P98M | Project 98, 2000, XP, 2003, 2007, and 2010 macros |
| PP97M | PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros |
| V5M | Visio5 macros |
| W1M | Word1Macro |
| W2M | Word2Macro |
| W97M | Word 97, 2000, XP, 2003, 2007, and 2010 macros |
| WM | Word 95 macros |
| X97M | Excel 97, 2000, XP, 2003, 2007, and 2010 macros |
| XF | Excel formulas |
| XM | Excel 95 macros |

| Other file types | Description |
| --- | --- |
| ActiveX | ActiveX controls |
| ASX | XML metafile of Windows Media .asf files |
| DOS32 | Advanced DOS Extender files |
| HC | HyperCard Apple scripts |
| MIME | MIME packets |
| Netware | Novell NetWare files |
| QT | QuickTime files |
| SB | StarBasic (StarOffice XML) files |
| SWF | Shockwave Flash files |
| TSQL | MS SQL Server files |
| VMSS | Virtual machine suspended state files |
| XML | XML files |

| Additional suffixes | Description |
| --- | --- |
| .dam | damaged malware |
| .dll | Dynamic Link Library component of a malware |
| .dr | dropper component of a malware |
| .gen | malware that is detected using a generic signature |
| .kit | virus constructor |
| .ldr | loader component of a malware |
| .pak | compressed malware |
| .plugin | plug-in component |
| .remnants | remnants of a virus |
| .worm | worm component of that malware |
| !rootkit | rootkit component of that malware |
| @m | worm mailers |
| @mm | mass mailer worm |