Microsoft Malware Protection Center Naming Standards
microsoft.comThe MMPC naming standard is derived from the Computer Antivirus Research Organization (CARO) Malware Naming Scheme, originally published in 1991 and revised in 2002. Most security vendors use naming conventions based on the CARO scheme, with minor variations, although family and variant names for the same threat can differ between vendors.
The naming standard used by the MMPC can contain some or all of the following components:
Type indicates the primary function or intent of the threat. The MMPC assigns each individual threat to one of a few dozen different types based on a number of factors, including how the threat spreads and what it is designed to do. The different types currently used by the MMPC are described here.
Platform indicates the operating environment in which the threat is designed to run and spread. For most of the threats described in this report, the platform is listed as "Win32", for the Win32 API used by 32-bit and 64-bit versions of Windows desktop and server operating systems. Platforms can include programming languages and file formats, in addition to operating systems. The platforms currently used by the MMPC are described here.
Groups of closely related threats are organized into families, which are given unique names to distinguish them from others. The family name is usually not related to anything the malware author has chosen to call the threat; researchers use a variety of techniques to name new families, such as excerpting and modifying strings of alphabetic characters found in the malware file. Security vendors usually try to adopt the name used by the first vendor to positively identify a new family, although sometimes different vendors use completely different names for the same threat, which can happen when two or more vendors discover a new family independently.
Malware creators often release multiple variants for a family, typically in an effort to avoid being detected by security software. Variants are designated by letters, which are assigned in order of discovery - A through Z, then AA through AZ, then BA through BZ, and so on. A variant designation of "gen" indicates that the threat is detected by a generic signature for the family rather than as a specific variant. Any additional characters that appear after the variant provide comments or additional information. It is important to note that not all malware have the need for additional suffixes. The suffixes currently used by MMPC are discussed here.
Malware naming details
Macros | |
---|---|
A97M | Access 97, 2000, XP, 2003, 2007, and 2010 macros |
HE | macro scripting |
O97M | Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint |
OpenOM | OpenOffice macros |
P98M | Project 98, 2000, XP, 2003, 2007, and 2010 macros |
PP97M | PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros |
V5M | Visio5 macros |
W1M | Word1Macro |
W2M | Word2Macro |
W97M | Word 97, 2000, XP, 2003, 2007, and 2010 macros |
WM | Word 95 macros |
X97M | Excel 97, 2000, XP, 2003, 2007, and 2010 macros |
XF | Excel formulas |
XM | Excel 95 macros |
Original Page: http://pocket.co/sGAEF
Shared from Pocket
Comments
Post a Comment