On Thu, 2005-05-26 at 13:59 -0500, René Berber wrote:
> > Does the absence of any replies mean, there is no real naming convention
> > and it is kind of random? ;-)
>
> Have you seen?
> http://clamav.net/cvdinfo.html#pagestart

Yes, I read that page before posting to the list. Unfortunately it doesn't cover what I'm trying to grasp. Maybe I didn't explain myself properly, so let me try again. :)

The page mentioned above is about different names for the same threat by different AV vendors -- like SomeFool vs. Netsky.B. I'm totally aware of that.

What I'm after is the naming convention of any particular threat. Most names seem to be broken in 2 or 3 parts (at least), separated by dots. Something along the lines of a) class of the threat like Adware and Worm, b) the actual name and c) a version or incarnation ID (left out for the first incarnation).

This seems to be true for most of the current threats. Anyway, there are a lot of sigs in the database that don't follow this convention:

* Some of them do not have the class of the threat preceding, like 'Agiplan.A'. Embedded spaces and mixing between '.' and '-' seem to be used too, like in 'Amazon Queen-500' and 'AmazonQueen.500.B'.

* Sometimes there are a lot of minor differences for the same incarnation, leading to different sigs and thus names -- again mixing dots and dashes. See Worm.Sober.I for some examples...

  $ ./sigtool --list-sigs | grep ^Worm.Sober.I | sort

The first issue likely may be a result of old threats, back in those days when the AV vendors didn't use a classification like these days. I honestly don't know, 'cause I didn't even hear about most of 'em. The second issue may even break automatically sorting the worms.

So, in conclusion: Are my assumptions correct, that this partially is due to old names? Is there at least a consensus on the classified naming amongst AV vendors (as mentioned above)? And are dots and dashes treated equally these days? Or am I totally off the track?

Hope that makes more sense...

...guenther

-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
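
Added example, not part of the original post and not ClamAV code: a Python sketch that splits signature names along the class / name / incarnation layout guessed at in the message above, flags names that deviate from it, and groups variants so that mixed dots and dashes no longer disturb sorting. It assumes dots and dashes are interchangeable separators and that family names contain neither; "Trojan" in the class set and the numbered Worm.Sober.I variants are constructed for illustration.

```python
import re
from collections import defaultdict

# "Adware" and "Worm" are the classes named in the post; "Trojan" is an assumption.
KNOWN_CLASSES = {"Adware", "Worm", "Trojan"}


def parse_sig_name(name):
    """Return (class, family, variant, issues) for one signature name."""
    issues = []
    if " " in name:
        issues.append("embedded-space")
    if "-" in name:
        issues.append("dash-separator")
    # Assumption: '.' and '-' both act as separators; embedded spaces are dropped.
    parts = [p for p in re.split(r"[.\-]", name.replace(" ", "")) if p]
    cls = None
    if parts and parts[0] in KNOWN_CLASSES:
        cls = parts.pop(0)
    else:
        issues.append("no-class")
    family = parts[0] if parts else ""
    variant = ".".join(parts[1:])  # empty string for the first incarnation
    return cls, family, variant, issues


def group_by_family(names):
    """Group names by (class, family), ordering each group by normalized variant."""
    groups = defaultdict(list)
    for name in names:
        cls, family, variant, _ = parse_sig_name(name)
        groups[(cls, family)].append((variant, name))
    return {key: [n for _, n in sorted(members)] for key, members in groups.items()}


# Constructed sample: the first four names are quoted in the post, the last two are invented.
SAMPLE = ["Agiplan.A", "Amazon Queen-500", "AmazonQueen.500.B",
          "Worm.Sober.I", "Worm.Sober.I-2", "Worm.Sober.I.1"]

if __name__ == "__main__":
    for sig in SAMPLE:
        print(sig, "->", parse_sig_name(sig))
    for key, members in group_by_family(SAMPLE).items():
        print(key, members)
```

A plain byte-wise sort places Worm.Sober.I-2 before Worm.Sober.I.1 because '-' sorts ahead of '.'; ordering on the normalized variant avoids that.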