Friday, January 25, 2013

Microsoft Malware Protection Center Naming Standards

The MMPC naming standard is derived from the Computer Antivirus Research Organization (CARO) Malware Naming Scheme, originally published in 1991 and revised in 2002. Most security vendors use naming conventions based on the CARO scheme, with minor variations, although family and variant names for the same threat can differ between vendors.

The naming standard used by the MMPC can contain some or all of the following components:

Type indicates the primary function or intent of the threat. The MMPC assigns each individual threat to one of a few dozen different types based on a number of factors, including how the threat spreads and what it is designed to do. The different types currently used by the MMPC are described here.

Platform indicates the operating environment in which the threat is designed to run and spread. For most of the threats described in this report, the platform is listed as "Win32", for the Win32 API used by 32-bit and 64-bit versions of Windows desktop and server operating systems. Platforms can include programming languages and file formats, in addition to operating systems. The platforms currently used by the MMPC are described here.

Groups of closely related threats are organized into families, which are given unique names to distinguish them from others. The family name is usually not related to anything the malware author has chosen to call the threat; researchers use a variety of techniques to name new families, such as excerpting and modifying strings of alphabetic characters found in the malware file. Security vendors usually try to adopt the name used by the first vendor to positively identify a new family, although sometimes different vendors use completely different names for the same threat, which can happen when two or more vendors discover a new family independently.

Malware creators often release multiple variants of a family, typically in an effort to avoid detection by security software. Variants are designated by letters assigned in order of discovery: A through Z, then AA through AZ, then BA through BZ, and so on. A variant designation of "gen" indicates that the threat is detected by a generic signature for the family rather than as a specific variant. Any additional characters that appear after the variant provide comments or additional information; not every piece of malware needs such a suffix. The suffixes currently used by the MMPC are discussed here.
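As an added example (not part of the original post or of any Microsoft tooling), the following Python splits a detection name into the components described above and converts variant letters to and from their discovery order. The delimiter layout (Type:Platform/Family.Variant!Suffix) is MMPC's published format, which this post lists by component but does not spell out; the family name and suffix in the sample inputs are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Delimiter layout follows MMPC's published format: Type:Platform/Family.Variant!Suffix.
# Every component except the family name is optional, as the post notes.
NAME_RE = re.compile(
    r"^(?:(?P<threat_type>[A-Za-z]+):)?"   # Type, e.g. Trojan, Worm
    r"(?:(?P<platform>[A-Za-z0-9]+)/)?"    # Platform, e.g. Win32, W97M
    r"(?P<family>[A-Za-z0-9_-]+)"          # Family name chosen by researchers
    r"(?:\.(?P<variant>[A-Z]+|gen))?"      # Variant letters, or "gen" for a generic signature
    r"(?:!(?P<suffix>.+))?$"               # Optional suffix carrying extra information
)


@dataclass
class ThreatName:
    threat_type: Optional[str]
    platform: Optional[str]
    family: str
    variant: Optional[str]
    suffix: Optional[str]


def parse_name(name: str) -> ThreatName:
    """Split an MMPC-style detection name into its components."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an MMPC-style name: {name!r}")
    return ThreatName(**m.groupdict())


def variant_index(variant: str) -> int:
    """Discovery order of a variant: A=1 ... Z=26, AA=27 ... AZ=52, BA=53, ..."""
    n = 0
    for ch in variant:
        if not "A" <= ch <= "Z":
            raise ValueError(f"not a variant designation: {variant!r}")
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def variant_letters(index: int) -> str:
    """Inverse of variant_index (bijective base-26, no zero digit)."""
    if index < 1:
        raise ValueError("variant indices start at 1 (variant A)")
    out = []
    while index:
        index, rem = divmod(index - 1, 26)
        out.append(chr(ord("A") + rem))
    return "".join(reversed(out))


if __name__ == "__main__":
    # Constructed sample name; "Examplefam" and "sfx" are placeholders, not real detections.
    print(parse_name("Trojan:W97M/Examplefam.AB!sfx"), variant_index("AB"))
```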

Malware naming details

Platform - Description
A97M - Access 97, 2000, XP, 2003, 2007, and 2010 macros
HE - macro scripting
O97M - Office 97, 2000, XP, 2003, 2007, and 2010 macros (those that affect Word, Excel, and PowerPoint)
OpenOM - OpenOffice macros
P98M - Project 98, 2000, XP, 2003, 2007, and 2010 macros
PP97M - PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
V5M - Visio5 macros
W1M - Word1Macro
W2M - Word2Macro
W97M - Word 97, 2000, XP, 2003, 2007, and 2010 macros
WM - Word 95 macros
X97M - Excel 97, 2000, XP, 2003, 2007, and 2010 macros
XF - Excel formulas
XM - Excel 95 macros
