Follow:

Microsoft Volume Licensing Blogtwitter

Naming malware

We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) Malware naming scheme.

This scheme uses the following format:

MMPC naming format as it applies to a Reveton detection

When our analysts research a particular threat, they will determine what each of the components of the name will be.

Type

The type describes what the threat does on your computer. Worms, trojans, viruses, and adware are some of the most common types of threats we detect.

Platform

The platform refers to the operating system (such as Windows, Mac OS X, and Android) that the threat is designed to work on. Platforms can also include programming languages and file formats.

Family

A group of threats with the same name is known as a family. Sometimes different security software companies use different names.

Variant letters

Variant letters are used sequentially for each different version or member of a family. For example, the detection for the variant “.AF” would have been created after the detection for the variant “.AE”.

Additional information

Additional information is sometimes used to describe a specific file or component that is used by another threat in relation to this threat. In the example above, the !lnk indicates that the threat is a shortcut file used by the Trojan:Win32/Reveton.T variant, as shortcut files usually use the extension .lnk.

Platform

Expand all

AndroidOS: Android operating system

DOS: MS-DOS platform

EPOC: Psion devices

FreeBSD: FreeBSD platform

iPhoneOS: iPhone operating system

Linux: Linux platform

MacOS: MAC 9.x platform or earlier

MacOS_X: MacOS X or later

OS2: OS2 platform

Palm: Palm operating system

Solaris: System V-based Unix platforms

SunOS: Unix platforms 4.1.3 or lower

SymbOS: Symbian operating system

Unix: general Unix platforms

Win16: Win16 (3.1) platform

Win2K: Windows 2000 platform

Win32: Windows 32-bit platform

Win64: Windows 64-bit platform

Win95: Windows 95, 98 and ME platforms

Win98: Windows 98 platform only

WinCE: Windows CE platform

WinNT: WinNT

ABAP: Advanced Business Application Programming scripts

ALisp: ALisp scripts

AmiPro: AmiPro script

ANSI: American National Standards Institute scripts

AppleScript: compiled Apple scripts

ASP: Active Server Pages scripts

AutoIt: AutoIT scripts

BAS: Basic scripts

BAT: Basic scripts

CorelScript: Corelscript scripts

HTA: HTML Application scripts

HTML: HTML Application scripts

INF: Install scripts

IRC: mIRC/pIRC scripts

Java: Java binaries (classes)

JS: Javascript scripts

LOGO: LOGO scripts

MPB: MapBasic scripts

MSH: Monad shell scripts

MSIL: .Net intermediate language scripts

Perl: Perl scripts

PHP: Hypertext Preprocessor scripts

Python: Python scripts

SAP: SAP platform scripts

SH: Shell scripts

VBA: Visual Basic for Applications scripts

VBS: Visual Basic scripts

WinBAT: Winbatch scripts

WinHlp: Windows Help scripts

WinREG: Windows registry scripts

A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros

HE: macro scripting

O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint

PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros

V5M: Visio5 macros

W1M: Word1Macro

W2M: Word2Macro

W97M: Word 97, 2000, XP, 2003, 2007, and 2010 macros

WM: Word 95 macros

X97M: Excel 97, 2000, XP, 2003, 2007, and 2010 macros

XF: Excel formulas

XM: Excel 95 macros

ASX: XML metafile of Windows Media .asf files

HC: HyperCard Apple scripts

MIME: MIME packets

Netware: Novell Netware files

QT: Quicktime files

SB: StarBasic (Staroffice XML) files

SWF: Shockwave Flash files

TSQL: MS SQL server files

XML: XML files

Additional suffixes

Expand all

.dam: damaged malware

.dll: Dynamic Link Library component of a malware

.dr: dropper component of a malware

.gen: malware that is detected using a generic signature

.kit: virus constructor

.ldr: loader component of a malware

.pak: compressed malware

.plugin: plug-in component

.remnants: remnants of a virus

.worm: worm component of that malware

!rootkit: rootkit component of that malware

@m: worm mailers

@mm: mass mailer worm