Although the information encoded in the name assigned to a piece of malware so far should allow it to be uniquely identified, some functionality of some malware seems more `significant’ than the rest. The naming scheme provides a means to encapsulate some of this information efficiently via name modifiers.
The original NAMING.TXT only mentioned one type of modifier — the colon-delimited runtime compression and polymorphic engine identifier. The concern when NAMING.TXT was drafted was that viruses were increasingly using various `standard’ obfuscation techniques of those kinds. To quote that text:

Such viruses should be classified as if the concealing mechanism has not been used, with a modifier appended to their name. This modifier indicates the particular concealing mechanism used. If the concealing tool conforms to a naming hierarchy, its full name (e.g., TPE.1_3) should be used as a modifier. When the modifier indicates a compression tool, only the first two characters of the name of the tool should be used.

For instance, the Pogue virus is a member of the Gotcha family, but uses the MtE.0_90 polymorphic engine. Therefore, its full name should be “Gotcha.Pogue:MtE.0_90”.

It is permitted to use more than one modifier in the full name of the virus, if the virus uses more than one concealing mechanism, e.g. “Civil_War.1234.A:TPE.1_3:MtE.1_00:PK”.

For better or worse, this approach has not been widely adopted by AV developers. Further, it is clear that the few developers whose products report some virus names with this style of modifier have not applied the approach consistently: they report a handful of viruses this way while failing to report huge swathes of others that use `standard’ polymorphism kits and/or runtime decompressors according to this standard. Instead, it is now proposed that there are four recognized forms of modifier, which can be specified thus (square brackets denote optional elements, and those present appear in the order shown):

[[:<locale_specifier>][#<packer>][@'m'|'mm'][!<vendor-specific_comment>]]

The old colon-separated runtime compression and polymorphic engine modifier is thus deprecated. Developers who have used it are recommended to remove any such names from their detection databases, not least because an old-style `:Tool.Version` suffix is syntactically indistinguishable from the new colon-introduced locale specifier. More details on each of the currently accepted modifiers are available from these links:
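The following parser for the modifier grammar above is an added example and is not code from the CARO naming scheme pages. It assumes, since the page does not say, that the base name is everything before the first modifier introducer (`:`, `#`, `@`, `!`), that locale and packer tokens are runs of letters, digits, `_`, `.` and `-`, and that the vendor comment runs to the end of the string. The page defers the meaning of `m`/`mm` to its own page, so that field is simply called `at_flag` here. The example also shows why the deprecated colon modifier must be purged: a single old-style suffix such as `Gotcha.Pogue:MtE.0_90` still parses, but as a locale specifier, while a multi-modifier old-style name is rejected outright.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar quoted from the page:
#   [[:<locale_specifier>][#<packer>][@'m'|'mm'][!<vendor-specific_comment>]]
# Assumption (not on the page): token character sets and the base-name boundary.
# "mm" is tried before "m" so that "@mm" is not read as "@m" followed by junk.
_NAME_RE = re.compile(
    r"^(?P<base>[^:#@!]+)"
    r"(?::(?P<locale>[A-Za-z0-9_.\-]+))?"
    r"(?:#(?P<packer>[A-Za-z0-9_.\-]+))?"
    r"(?:@(?P<at_flag>mm|m))?"
    r"(?:!(?P<comment>.*))?$"
)


@dataclass(frozen=True)
class MalwareName:
    base: str                       # name as if no concealing mechanism were used
    locale: Optional[str] = None    # ':' modifier
    packer: Optional[str] = None    # '#' modifier
    at_flag: Optional[str] = None   # '@' modifier, 'm' or 'mm'
    comment: Optional[str] = None   # '!' modifier, vendor-specific free text


def parse_name(name: str) -> MalwareName:
    """Split a full name into base name and the four recognised modifiers.

    Raises ValueError when the string does not fit the grammar, which is
    what happens to deprecated multi-modifier names like
    'Civil_War.1234.A:TPE.1_3:MtE.1_00:PK' (second ':' is not allowed).
    """
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a well-formed name under the modifier grammar: {name!r}")
    return MalwareName(**m.groupdict())


def format_name(n: MalwareName) -> str:
    """Inverse of parse_name: re-emit the modifiers in the mandated order."""
    out = n.base
    if n.locale is not None:
        out += ":" + n.locale
    if n.packer is not None:
        out += "#" + n.packer
    if n.at_flag is not None:
        out += "@" + n.at_flag
    if n.comment is not None:
        out += "!" + n.comment
    return out


def detection_key(name: str) -> str:
    """The name to match detections on: modifiers are dropped, because the page
    says a sample is classified as if the concealing mechanism were absent."""
    return parse_name(name).base


if __name__ == "__main__":
    # Constructed sample names; only the first two appear on the page.
    for s in ("Gotcha.Pogue:MtE.0_90",
              "Civil_War.1234.A:TPE.1_3:MtE.1_00:PK",
              "Gotcha.Pogue#UP@mm!seen in the wild"):
        try:
            print(s, "->", parse_name(s))
        except ValueError as e:
            print(s, "-> REJECTED:", e)
```

Note that `parse_name("Gotcha.Pogue:MtE.0_90")` succeeds and files `MtE.0_90` under `locale`, which is exactly the silent misclassification the deprecation notice is guarding against; a database cleanup should therefore not rely on the parser alone to find old-style names.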

« DevolutionIdentifier · Naming scheme · LocaleSpecifier »