
Virus Naming Conventions

  • The Prefix denotes the platform on which the virus replicates or the type of virus. A DOS virus usually does not contain a Prefix.
  • The Name is the family name of the virus.
  • The Suffix may not always exist. Suffixes distinguish among variants of the same family and are usually letters, or numbers denoting the size of the virus.
PREFIXES
A2KM Access macro viruses that are native to Access 2000.
A97M Access macro viruses that are native to Access 97.
AM Access macro viruses that are native to Access 95.
AOL Trojan horses that are specific to America Online environments and usually steal AOL password information.
BAT Batch file threats.
Backdoor Threats may allow unauthorized users to access your computer across the Internet.
Bloodhound Bloodhound is the name of the Norton AntiVirus heuristic scanning technology for detecting new and unknown viruses.
DDos Distributed Denial of Service threats. Distributed Denial of Service involves using zombie computers in an attempt to flood an Internet site with traffic.
DoS Denial of Service threats. Not to be confused with DOS viruses, which are named without prefixes.
HLLC High Level Language Companion viruses. These are usually DOS viruses that create an additional file (the companion) to spread.
HLLO High Level Language Overwriting viruses. These are usually DOS viruses that overwrite host files with viral code.
HLLP High Level Language Parasitic viruses. These are usually DOS viruses that attach themselves to host files.
HLLW A worm that is compiled using a High Level Language. (NOTE: This modifier is not always a prefix; it is a prefix only in the case of a DOS High Level Language Worm. If the Worm is a Win32 file, the proper name would be W32.HLLW.)
HTML Threats that target HTML files.
IRC Threats that target IRC applications.
JS Threats that are written using the JavaScript programming language.
Java Viruses that are written using the Java programming language.
Linux Threats that target the Linux operating system.
O2KM Office 2000 macro viruses. May infect across different types of Office 2000 documents.
O97M Office 97 macro viruses. May infect across different types of Office 97 documents.
OM Office macro viruses. May infect across different types of Office documents.
PWSTEAL Trojan horses that steal passwords.
Palm Threats that are designed to run specifically on the Palm OS.
Trojan/Troj These files are not viruses, but Trojan horses. Trojan horses are files that masquerade as helpful programs, but are actually malicious code. Trojan horses do not replicate.
UNIX Threats that run under any UNIX-based operating system.
VBS Viruses that are written using the Visual Basic Script programming language.
W2KM Word 2000 macro viruses. These are native to Word 2000 and replicate under Word 2000 only.
W32 32-bit Windows viruses that can infect under all 32-bit Windows platforms.
W95 Windows 95 viruses that infect files under the Windows 95 operating system. Windows 95 viruses often work in Windows 98 also.
W97M Word 97 macro viruses. These are native to Word 97 and replicate under Word 97 only.
W98 Windows 98 threats that infect files under the Windows 98 operating system. Will only work in Windows 98.
WM Word macro viruses that replicate under Word 6.0 and Word 95 (Word 7.0). They may also replicate under Word 97 (Word 8.0), but are not native to Word 97.
WNT 32-bit Windows viruses that can infect under the Windows NT operating system.
Win Windows 3.x viruses that infect files under the Windows 3.x operating system.
X2KM Excel macro viruses that are native to Excel 2000.
X97M Excel macro viruses that are native to Excel 97. These viruses may replicate under Excel 5.0 and Excel 95 as well.
XF Excel formula viruses are viruses using old Excel 4.0 embedded sheets within newer Excel documents.
XM Excel macro viruses that are native to Excel 5.0 and Excel 95. These viruses may replicate in Excel 97 as well.
SUFFIXES
@m Signifies the virus or worm is a mailer. An example is Happy99 (W32.Ska), which only sends itself by email when you (the user) send mail.
@mm Signifies the virus or worm is a mass-mailer. An example is Melissa, which sends messages to every email address in your mailbox.
dam Indicates a detection for files that have been corrupted by a threat, or that may contain inactive remnants of a threat, causing the files to no longer be able to execute properly or produce reliable results.
dr Indicates that the detected file is a dropper for another threat.
Family Indicates a generic detection for threats that belong to a particular threat family based on viral characteristics.
Gen Indicates a generic detection for threats that belong to a particular threat type based on viral characteristics.
Int Indicates an intended threat: a threat that is intended to spread, but does not because of bugs or errors in the viral code.
Worm Indicates a worm, not a virus. Worms make copies of themselves that they send across a network, by email, or through another transport mechanism.
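
The following is an added example, not part of the original page or any vendor tooling: a small parser that splits a detection name into the Prefix, Name and Suffix parts described above, for use when triaging antivirus alerts. It assumes components are separated by dots (as in W32.Ska and W32.HLLW on this page) and that the mailer marker is attached with "@"; the function name parse_detection and every sample name using the family "Example" are constructed for illustration.

```python
# Prefixes and suffixes copied from the tables on this page. Matching is
# case-sensitive so the "DoS" prefix is never confused with an unprefixed
# DOS virus name.
PREFIXES = set(
    "A2KM A97M AM AOL BAT Backdoor Bloodhound DDos DoS HLLC HLLO HLLP HLLW "
    "HTML IRC JS Java Linux O2KM O97M OM PWSTEAL Palm Trojan Troj UNIX VBS "
    "W2KM W32 W95 W97M W98 WM WNT Win X2KM X97M XF XM".split()
)
SUFFIX_TAGS = {"dam", "dr", "Family", "Gen", "Int", "Worm"}
MAILER = {"m": "mailer", "mm": "mass-mailer"}


def parse_detection(name):
    """Split a detection name into prefix, modifier, family, variant, tags, mailer.

    Assumption (not stated by the page): parts are dot-separated and the
    mailer marker follows an '@' at the end of the name.
    """
    body, _, mail = name.strip().partition("@")
    parts = [p for p in body.split(".") if p]
    if not parts:
        raise ValueError("empty detection name")
    out = {"prefix": None, "modifier": None, "family": None,
           "variant": [], "tags": [], "mailer": MAILER.get(mail)}
    # A DOS virus usually carries no prefix, so the prefix is optional.
    if len(parts) > 1 and parts[0] in PREFIXES:
        out["prefix"] = parts.pop(0)
        # HLLW follows the platform when the worm is a Win32 file (W32.HLLW).
        if len(parts) > 1 and parts[0] == "HLLW":
            out["modifier"] = parts.pop(0)
    out["family"] = parts.pop(0)
    # Remaining tokens are either known suffix tags or variant letters/sizes.
    for token in parts:
        (out["tags"] if token in SUFFIX_TAGS else out["variant"]).append(token)
    return out


if __name__ == "__main__":
    # Constructed sample names, except W32.Ska, which appears on this page.
    for sample in ["W32.Ska", "W32.HLLW.Example.B@mm", "Example.1024",
                   "W97M.Example.A.dr", "DoS.Example"]:
        print(sample, "->", parse_detection(sample))
```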