In this section we provide an informal introduction to the general form of malware names suggested by the original CARO naming standard, together with the further ‘common practice’ seen in the work of leading AV researchers since. A malware name potentially consists of many components. Some of these components are required, some are entirely optional, some are conditionally required and some are conditionally prohibited. This section deals with the general, overall form. The following sections discuss the specifics of each component and describe more fully when, or if, a component is required.
But before we discuss the whats and the hows, we need to briefly consider the whys. Why, in 1991, did some CARO members sit down, debate all this and end up writing the venerable ‘naming.txt’ document? Personal motivations aside, the purpose of the original naming standard specification was to define a naming scheme that could sufficiently and uniquely name a virus variant, such that researchers other than the one who first named it would have a fairly good idea whether it was the same virus as one they were currently researching, or at least, in most cases, could decide that the virus they had just received was, in fact, a variant no other virus researcher had already described.
Thus, the purpose of the scheme described below is not to describe the form of malware names that a scanner, a researcher or other AV expert should use when reporting a malware detection to the scanner’s user or the expert’s client. This naming scheme has a specific and highly technical purpose: to provide a mechanism for specifying virus names so as to identify each possible virus as nearly uniquely as possible. This is not to say that a ‘simplified’ name need not be derivable from what is, according to the scheme, a fully specified malware name. However, it is important to remember while reading this document that some of the ‘seemingly irrelevant minutiae’ the scheme allows for (or even requires in many instances) are only intended for ‘expert consumption’ in the form of a FullySpecifiedMalwareName (FSMN). To further complicate this issue, some AV developers have attempted (with varying degrees of rigor and success) to follow the guidance of the specification in the names reported by their scanners. Some may see this as an admirable effort, but the varying results should not be seen as a measure of the naming scheme’s usefulness or success, as such usage is, at most, a secondary purpose, a by-product even, of the CARO naming scheme.