<<<
NEWS FROM THE LAB - Monday, October 31, 2005
>>>
 

 
Family values Posted by Mikko @ 20:25 GMT

As you know, new variants of old viruses are named by using a variable letter. Virus.a, Virus.b, Virus.c...etc.

When we have more than 26 variants of a virus, we run out of letters. Then we roll over from Virus.z to Virus.aa, Virus.ab, Virus.ac etc.

For some virus families, even this is not enough. They've become so large (over 700 members) that we've ended up to variant zz. When we, of course, roll over start over with Virus.aaa, Virus.aab, Virus.aac etc.

I was looking at some of the latest definitions we've put out and noticed that today we published detection for three new variants in the generic Trojan-Downloader.Win32.Small family:

  [+] Added Trojan-Downloader.Win32.Small.bts
  [+] Added Trojan-Downloader.Win32.Small.btt
  [+] Added Trojan-Downloader.Win32.Small.btu

Huh. Variant "btu". That's close to 2000 different variants. I wonder how long it takes until we have to wrap to Virus.aaaa.

For reference, here are the virus families that have already wrapped to "three digits", ie. over variant letter ".aaa". Some of these are generic families where the malware isn't really related but they are so simple and stupid they end up getting categorized to the same family anyway:
.aaa
  Backdoor.Win32.Agobot
  Backdoor.Win32.Delf
  Backdoor.Win32.Rbot
  Backdoor.Win32.SdBot
  Backdoor.Win32.VB
  Trojan-Downloader.Win32.Small
  Trojan-Dropper.Win32.Small
  Trojan-PSW.Win32.Lmir
  Trojan-Spy.Win32.Banker
  Trojan.Win32.StartPage
  Trojan.Win32.VB