Misha, Friday 13th, Petya, Anna Kournikova, WannaCry: the names of computer viruses that caused real online epidemics are remembered for a long time. They are repeated endlessly by media outlets that rarely go into the technical details and sometimes mix up characteristics, versions, and modifications.
Have you ever wondered how computer viruses get their names, and who gives them? After all, there are millions of computer viruses, and every one of them needs a name. I have prepared a brief insight into how computer viruses are named.
So, what are the people guided by when giving names to new malware?
Classifier Names
When a new virus is detected by the antivirus laboratory, analysts “disassemble” it into parts, study its functionality, and then assign a virus identifier to this piece.
Names follow a uniform scheme that reflects what the virus does. For example, Backdoor:Win32/Gadwats.A is a backdoor virus: its main task is to provide remote access to the infected machine. It was written for the Windows platform. The virus analyst in the laboratory named the family Gadwats. This is modification A; a rewritten or updated version will receive the code B, and so on.
Classifier names vary from one antivirus lab to another. Below is a screenshot from the popular virus database VirusTotal, showing the results of scanning a single malicious file.
Obviously, when searching for information about a particular virus, its name alone is not enough; it is worth specifying which antivirus vendor's tool detected it.
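As an added example (not from the article or from any antivirus vendor), here is a small Python parser for the Type:Platform/Family.Variant structure described above, together with the variant-letter progression (A, B, ... Z, AA) and a helper that tells whether two detection names refer to the same family. The character classes allowed in each field are my assumption; real vendor schemes add further suffixes this parser does not model.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed shape of a Microsoft-style classifier name: Type:Platform/Family.Variant
# e.g. Backdoor:Win32/Gadwats.A (the article's example). The variant part is optional.
NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9_]+)/(?P<family>[A-Za-z0-9_]+)"
    r"(?:\.(?P<variant>[A-Z]+))?$"
)


@dataclass(frozen=True)
class ClassifierName:
    type: str        # what the sample does, e.g. Backdoor, Trojan, Worm
    platform: str    # target platform, e.g. Win32
    family: str      # family name chosen by the analyst, e.g. Gadwats
    variant: Optional[str]  # modification code: A, B, ... Z, AA, ...


def parse_classifier_name(name: str) -> ClassifierName:
    """Split a Type:Platform/Family.Variant name into its four fields."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Type:Platform/Family.Variant name: {name!r}")
    return ClassifierName(m["type"], m["platform"], m["family"], m["variant"])


def next_variant(variant: str) -> str:
    """Return the code of the next modification: A -> B, Z -> AA, AZ -> BA.

    Variant codes behave like base-26 counters written with letters, so a
    trailing Z rolls over to A and carries into the letter to its left.
    """
    if not variant or not re.fullmatch(r"[A-Z]+", variant):
        raise ValueError(f"variant must be uppercase letters, got {variant!r}")
    letters = list(variant)
    i = len(letters) - 1
    while i >= 0:
        if letters[i] != "Z":
            letters[i] = chr(ord(letters[i]) + 1)
            return "".join(letters)
        letters[i] = "A"          # roll over and carry left
        i -= 1
    return "A" + "".join(letters)  # every letter was Z: grow by one position


def same_family(a: str, b: str) -> bool:
    """True when two names differ only in their variant code (case-insensitive family)."""
    pa, pb = parse_classifier_name(a), parse_classifier_name(b)
    return (pa.type, pa.platform, pa.family.lower()) == (pb.type, pb.platform, pb.family.lower())
```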
But who is interested in sorting out such strange names? Let’s choose more interesting virus samples. Here are their lab cards.
Sorted by file extensions
Virus name: WannaCry.
Purpose: Extortion virus, ransomware.
Type: Encryption worm.
Epidemic start date: May 12, 2017.
Damage: Infected more than 500,000 computers in more than 150 countries around the world.
Description: It is one of the most famous viruses. WannaCry got its name from the file extension it appended to every encrypted file: “.wncry”.
Virus name: Duqu.
Purpose: Extortion virus, ransomware.
Type: Spy worm.
Epidemic start date: September 1, 2011.
Damage: Unknown.
Description: This is a military virus, which marked its files with the prefix “~DQ”. It was named Duqu in memory of the famous Count Dooku from the Star Wars franchise. Its method of infection was similar to that of the Stuxnet military virus. It used a zero-day vulnerability in the Windows kernel (MS11-087) and, having gained access to the system, collected secret data (passwords, screenshots) that could be used to gain access to process control systems.
Geographical principle
Virus name: Jerusalem.
Purpose: Uncontrolled self-replication.
Type: Classic virus.
Epidemic start date: October 1987.
Damage: Unknown.
Description: The first virus named after the place where it was first detected. Its main distinctive feature is that, in addition to uncontrolled reproduction, this virus has spawned dozens of its own modifications.
Activation principle
Virus name: Friday 13th.
Purpose: Wiper.
Type: Classic virus.
Epidemic start date: 1987.
Damage: Unknown.
Description: This is a modification of the Jerusalem virus. It received the name Friday 13th because of its activation condition: the virus activated itself only on Friday the 13th and destroyed all the files on the infected computer.
Notes left by developers
Very often, virus developers leave hidden markers, so-called “Easter eggs”, and the content of those markers gives the virus its name. As a rule, these are jokes or references to desktop or computer games, books, and hacker subculture.
Virus name: Cookie Monster.
Purpose: Comic proto-virus.
Type: Locker.
Epidemic start date: 1970.
Damage: Billions of nerve cells of IT students at the time.
Description: This was just a joke virus. Cookie Monster blocked the computer and demanded cookies: the user had to type the word “cookie” into the displayed window.
Virus name: Melissa.
Purpose: Wiper.
Type: Macro virus.
Epidemic start date: March 26, 1999.
Damage: $80 million estimated by the US government.
Description: The virus was spread via email with the help of malicious attachments, namely an MS Word file with embedded macros. Its main task was to modify or delete critical Windows system files. After infection, the virus sent itself to the first 50 recipients in the address book. It is considered the progenitor of all rapidly spreading viruses. Its name comes from the “Easter egg” left in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\ "Melissa?" = "... by Kwyjibo"
Distribution principle
There are plenty of ways to spread a virus. Sometimes a particular spreading technique becomes the source of inspiration for malware analysts when they name the virus.
Virus name: ILOVEYOU
Purpose: Uncontrolled self-replication.
Type: Mail worm.
Epidemic start date: May 4, 2000.
Damage: 3 million computers worldwide were infected, with 10-15 billion US dollars in damages. ILOVEYOU was listed in the Guinness Book of Records as the most virulent computer virus in the world.
Description: The infamous ILOVEYOU virus was distributed as an email attachment named “LOVE-LETTER-FOR-YOU.txt.vbs”. Once activated, it sent itself to all of the victim's contacts and even used IRC channels, creating the file LOVE-LETTER-FOR-YOU.HTM in the Windows system directory. It was the first virus to use social engineering as the basis of its distribution, presenting a fake .TXT extension ahead of the real one. It also exploited the fact that, at the time, Windows had script processing turned on by default and hid known (real) file extensions by default.
Virus name: Anna Kournikova.
Purpose: Uncontrolled self-replication.
Type: Mail worm.
Epidemic start date: February 11, 2011.
Damage: 200,000 US dollars.
Description: This virus was named after the famous Russian tennis player and model. It was spread in an email that supposedly contained a photo of Anna; the attachment, however, was just another piece of malware. Like its predecessor ILOVEYOU, the worm sent itself to the victim's email contacts and relied on social engineering.
By coincidence
Virus name: CIH “Chernobyl”
Purpose: Wiper.
Type: Resident virus.
Epidemic start date: June 1998.
Damage: 1 billion US dollars.
Description: The creator of the Chernobyl virus most likely did not know that April 26, the date he planned to launch his virus, is the anniversary of the Chernobyl nuclear power plant disaster. In addition, the author's initials (Chen Ing-hao) led to the virus being called CIH, or Chernobyl. After infecting a system, the virus stayed inactive, waiting for the key date; when it arrived, the virus overwrote the first 1024 KB of the hard disk with zeros, destroying the entire partition table. But that's not all: the second part of the payload tried to overwrite (reflash) the BIOS. It is these devastating characteristics that we remember this virus by. The virus spread by infecting .EXE files on servers that distributed software.
Summary
About half a million new virus modifications appear every day around the world. Most of them receive classifier names and remain only in the databases of antivirus software vendors. Only a few viruses get unique names. If your virus becomes famous and receives a unique name, you are almost guaranteed a place in the history of information security. True, but before you can enjoy that fame, you will have to serve several years in prison.