EXPENSIVE

Computer Antivirus Research Organization is an informal group that has been working since 1990 to study the phenomenon of computer viruses. CARO essentially suppressed other, more informal groups of antivirus professionals. CARO preceded EICAR, a more formal organization, but which was founded by a group similar to CARO's. While CARO was always a technical group, EICAR had a different legal and security approach. Today both groups work separately. A historical joint product was the EICAR test file created by CARO staff and published by EICAR. One of the brake The most important issues dealt with is the nomenclature of computer viruses.

Malware Naming Convention

In 1991 the Computer Antivirus Research Organization established criteria for naming malware. This nomenclature is based on following the following pattern:

Family_Name(Prefix)+Group_Name(Name)+Major_and_Minor_Variant(Variante)+[Modifier(Sufijo)]

(Most manufacturers separate the prefix from the name using a "/" bar and this from the variant with a "point.")

Where:

• The prefix indicates the platform to which the virus affects, the language in which it is written or the type of malware. Some makers juxtapone more than one prefix, so Worm.W32 would point to a 32-bit Windows system worm. Examples of prefixes are:
  • W32 - 2005 It affects 32-bit Windows systems (Windows 95/98/ME/NT/2000/XP)
  • W95 - 2005 Affects Windows 95/98/ME systems
  • WM - 2005 Microsoft Word Macro Virus
  • XM97 - 2005 Microsoft Excel 97 Macro Virus
  • Worm - voluntary Gusano
  • Troj - rigid Trojan
  • Bck - rigid Rear door
  • VBS - rigid Written in Visual Basic Script
  • JS - reproductive Written in Java Script
  • HTML - rigid Virus embedded in HTML code to exploit some vulnerability
  • Mac - 2005 Affects Apple Macintosh systems
  • Linux - rigid Impacts Linux systems
• The name of the specimen is assigned by each anti-virus manufacturer and usually corresponds well with some notable feature of the virus (Friday 13), either with some term present in the messages in which it spreads, in the virus code itself or in texts that it presents after the infection (LoveLetter, Netsky). Different organizations can use different names for a given specimen, hence speaking of "alias" to identify the different names.
• Variants. It is common for every malware to have several variants of the original, being able to reach hundreds and constitute authentic families. To identify these variants, letters are used that are assigned in alphabetical order as new members of a family are detected.
• Suffixes are used to review some other important feature of the virus, such as:
  • @m - rigid E-mail spread virus
  • @mm - rigid Massive propagation virus by email
  • gene - reproductive Generic detection, in this case there is no precise identification of the variant.

For example Win32/Conficker.D identifies the D variant of the Conficker worm.

The fact that this system is not an official standard, and that it is not applied consistently among the organizations that adopt it, often the same malware has multiple identifiers based on this nomenclature which causes confusion. One of the problems with this nomenclature is that it tries to encode malware attributes as part of the identifier, which is very difficult without making the identifier too long which makes using the nomenclature very cumbersome. Furthermore there is no way to determine which critical attributes should be present in the identifier and which should not. All this provoked the appearance of other standardizations. <ref name="maec"/ >