Fascinating look behind the scenes of who gets to name computer viruses — and why every virus seems to have multiple names. The answer is pretty straightforward — everybody in the anti-virus world slaps their own name on things. But the race to be the first to report often results in confusion for security experts, not to mention end-users.
Schmugar at Network Associates said he has named about 200 viruses and worms, though not all have stuck. He tries to pick a name that refers to something unique or memorable about a virus’s coding or behavior. In the recent case, he noticed the words “my domain” in the computer worm’s programming. The words stuck in his mind, probably because they were related to the worm’s advanced address-building capability. He shortened the reference to “mydom.” Then he stuck in an extra “o,” making “doom” part of the name.
[…] That afternoon, Network Associates started warning its corporate customers about the “MyDoom” computer worm. (Its full name, “W32/Mydoom@MM” also contains information recognized by computer security workers about what operating systems the worm hits and how it replicates itself.) Customers of Symantec Corp., meanwhile, got warnings about a worm called “Novarg.” Trend Micro warned customers about a worm it called “Mimail.r.”
Symantec derived its name from another, encrypted line of coding in the same worm; Trend Micro first thought the worm was a variant of a bug called “Mimail” because the two had some traits in common, and identified it as a sequel of that worm.
There is a simple rule for which company gets naming rights: The person or company that finds and posts information about a virus first gets to name it. But that’s a rule that is often dropped in the heat of the moment. It’s not clear whether Network Associates actually named the worm first or not — but “MyDoom” is the name that caught on.
[…]”By the time we realized what was happening,” said Shipp at MessageLabs, “Network Associates had already attached the name ‘MyDoom’ and we thought that was pretty good. . . . ‘Novarg’ didn’t really trip off the tongue, but ‘MyDoom’ just seemed to be the name that everyone was going to go for.”
The only rule that everyone seems to follow is to avoid naming it after the virus writer (however identified in the code) or with the name the writer intended.
Interesting stuff.