Having grasped the rather simple base rules of identifier formation and the existence of special delimiter characters, we shall now consider how the identifiers are used. At its most complex, an FSMN has the general form:
<malware_type>://<platform>/<family_name>.<group_name>.<infective_length>.<sub-variant><devolution><modifiers>
In practice, however, very little malware, if any, requires all name components. 'Useful' malware names are more likely to be of the form:
[<malware_type>://][<platform>/]<family_name>[.<group_name>][.<infective_length>][.<sub-variant>[<devolution>]][<modifiers>]
These forms should be read such that items inside square brackets are considered optional in at least some cases, items delimited with triangular brackets are identifiers with special meaning in each location and anything else is a delimiter required in that literal form (single character or string) if its associated component is present in the name and forbidden if its component is not present. Each of these components is described in its own section, below. Note this is somewhat more elaborate than the original CARO naming scheme which specified:
Family_Name.Group_Name.Major_Variant.Minor_Variant[:Modifier]
with each part except 'Family_Name' being optional. As the <family_name> component is also the only one required in every case in the revised scheme – some components are only required in certain circumstances and/or have default or assumed values, but a family name is always needed – we shall describe it first then treat the remaining components in left to right order.
- <family_name>
- <malware_type>://
- <platform>/
- .<group_name>
- .<infective_length>
- .<sub-variant>[<devolution>]
- <modifiers>
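The general form above can be split mechanically into its components. The parser below is an added example, not code from the naming scheme or its authors. This section fixes only the component order and the literal delimiters, so the character classes used to tell components apart (identifier characters, digits for infective length and devolution, uppercase letters for sub-variant, modifiers starting at the first non-identifier character) are assumptions, and the sample names are constructed.

```python
import re

# Assumed character classes; this section fixes only order and delimiters.
IDENT = re.compile(r"[A-Za-z0-9_-]+")     # any identifier
SUBVAR = re.compile(r"([A-Z]+)(\d*)")     # sub-variant letters, devolution digits

def parse_fsmn(name):
    """Split a malware name into the components of the general form."""
    out = dict.fromkeys(("malware_type", "platform", "family_name", "group_name",
                         "infective_length", "sub_variant", "devolution", "modifiers"))
    rest = name
    if "://" in rest:                      # [<malware_type>://]
        out["malware_type"], rest = rest.split("://", 1)
    if "/" in rest:                        # [<platform>/]
        out["platform"], rest = rest.split("/", 1)
    # Assumption: modifiers begin at the first character that is neither an
    # identifier character nor the "." delimiter.
    core, mods = re.fullmatch(r"([A-Za-z0-9_.-]*)(.*)", rest, re.S).groups()
    out["modifiers"] = mods or None
    parts = core.split(".")
    out["family_name"], tail = parts[0], parts[1:]
    # Classify the dotted tail right to left, so "Family.A" is a sub-variant.
    if tail and (m := SUBVAR.fullmatch(tail[-1])):
        out["sub_variant"], out["devolution"] = m.group(1), m.group(2) or None
        tail.pop()
    if tail and tail[-1].isdigit():
        out["infective_length"] = int(tail.pop())
    if tail:
        out["group_name"] = tail.pop()
    if tail:
        raise ValueError(f"too many dotted components in {name!r}")
    # A delimiter is allowed only when its component is present and well formed.
    for key in ("malware_type", "platform", "family_name", "group_name"):
        if out[key] is not None and not IDENT.fullmatch(out[key]):
            raise ValueError(f"bad or empty <{key}> in {name!r}")
    return out

# Constructed sample names (the modifier text is a placeholder).
SAMPLES = ["virus://DOS/Sample.Grp.1024.AB2!note", "Sample.1024.A", "Sample"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", {k: v for k, v in parse_fsmn(s).items() if v is not None})
```

Classifying the dotted tail from the right resolves the ambiguity between an optional group name and a lone sub-variant; a scheme with different character rules would only need the two patterns at the top changed.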