(CARO) Malware naming scheme, this is how it works

The Computer Antivirus Research Organization (CARO) published a malware naming scheme in 1991 which is still in use today.

How does it work?

Once you know what you are looking at, the CARO malware naming scheme is easy to understand.

The malware family names you see in the news and in reports usually follow this scheme, because it is widely adopted across the security industry.

The scheme contains the following values, in this order:

1. Type
2. Platform
3. Family
4. Variant letter
5. Suffixes

Type

The type field in the CARO scheme describes what the malware does. It directly gives the most information about the kind of malware you are dealing with.

Types:

Adware
Backdoor
Behavior
BrowserModifier
Constructor
DDoS
Exploit
Hacktool
Joke
Misleading
MonitoringTool
Program
PWS
Ransom
RemoteAccess
Rogue
SettingsModifier
SoftwareBundler
Spammer
Spoofer
Spyware
Tool
Trojan
TrojanClicker
TrojanDownloader
TrojanNotifier
TrojanProxy
TrojanSpy
VirTool
Virus
Worm

Platforms

The next value in the scheme is the platform value. It indicates which platform the malware is supposed to run on, and it also carries the programming language or file format information where that applies.

Operating system   Description
AndroidOS          Android operating system
DOS                MS-DOS platform
EPOC               Psion devices
FreeBSD            FreeBSD platform
iPhoneOS           iPhone operating system
Linux              Linux platform
MacOS              MAC 9.x platform or earlier
MacOS_X            MacOS X or later
OS2                OS2 platform
Palm               Palm operating system
Solaris            System V-based Unix platforms
SunOS              Unix platforms 4.1.3 or lower
SymbOS             Symbian operating system
Unix               general Unix platforms
Win16              Win16 (3.1) platform
Win2K              Windows 2000 platform
Win32              Windows 32-bit platform
Win64              Windows 64-bit platform
Win95              Windows 95, 98 and ME platforms
Win98              Windows 98 platform only
WinCE              Windows CE platform
WinNT              WinNT

Language           Language description
ABAP               Advanced Business Application Programming
ALisp              ALisp
AmiPro             AmiPro script
ANSI               American National Standards Institute
AppleScript        compiled Apple
ASP                Active Server Pages
AutoIt             AutoIT
BAS                Basic
BAT                Basic
CorelScript        Corelscript
HTA                HTML Application
HTML               HTML Application
INF                Install
IRC                mIRC/pIRC
Java               Java binaries (classes)
JS                 Javascript
LOGO               LOGO
MPB                MapBasic
MSH                Monad shell
MSIL               .Net intermediate language
Perl               Perl
PHP                Hypertext Preprocessor
Python             Python
SAP                SAP platform
SH                 Shell
VBA                Visual Basic for Applications
VBS                Visual Basic
WinBAT             Winbatch
WinHlp             Windows Help
WinREG             Windows registry

Macro type         Description
A97M               Access 97, 2000, XP, 2003, 2007, and 2010 macros
HE                 macro scripting
O97M               Office 97, 2000, XP, 2003, 2007, and 2010 macros – those that affect Word, Excel, and Powerpoint
PP97M              PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros
V5M                Visio5 macros
W1M                Word1 Macro
W2M                Word2 Macro
W97M               Word 97, 2000, XP, 2003, 2007, and 2010 macros
WM                 Word 95 macros
X97M               Excel 97, 2000, XP, 2003, 2007, and 2010 macros
XF                 Excel formulas
XM                 Excel 95 macros

File format        File format description
XML                XML files
TSQL               MS SQL server files
SWF                Shockwave Flash files
SB                 StarBasic (Staroffice XML) files
QT                 Quicktime files
Netware            Novell Netware files
MIME               MIME packets
HC                 HyperCard Apple scripts
ASX                XML metafile of Windows Media .asf files

Family

The value following the platform value is the family value of the CARO scheme. The family groups malware with common characteristics, including attribution to the same authors. Note that security providers sometimes use different names for the same malware family.

Variant letter

The next CARO scheme value is the variant letter. This is used sequentially for every distinct version of a malware family. For example, the detection for the variant “.AB” would have been created after the detection for the variant “.AC”.

Suffixes

This is the last value of the CARO scheme and provides extra detail about the malware.

Suffix             Description
.dam               damaged malware
.dll               Dynamic Link Library component of a malware
.dr                dropper component of a malware
.gen               malware that is detected using a generic signature
.kit               virus constructor
.ldr               loader component of a malware
.pak               compressed malware
.plugin            plug-in component
.remnants          remnants of a virus
.worm              worm component of that malware
!bit               an internal category used to refer to some threats
!cl                an internal category used to refer to some threats
!dha               an internal category used to refer to some threats
!pfn               an internal category used to refer to some threats
!plock             an internal category used to refer to some threats
!rfn               an internal category used to refer to some threats
!rootkit           rootkit component of that malware
@m                 worm mailers
@mm                mass mailer worm
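As an added example (not code from the original article), the parser below splits a detection name into the five values described above and validates the type, platform and suffix tokens against the tables on this page. It assumes the Type:Platform/Family.Variant!Suffix separators used in Microsoft Defender detection names (the article itself only states the order of the fields); the family names in the usage are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Values taken from this page's type, platform and suffix tables (platforms: a subset).
TYPES = {"Adware", "Backdoor", "Behavior", "BrowserModifier", "Constructor", "DDoS", "Exploit",
         "Hacktool", "Joke", "Misleading", "MonitoringTool", "Program", "PWS", "Ransom", "RemoteAccess",
         "Rogue", "SettingsModifier", "SoftwareBundler", "Spammer", "Spoofer", "Spyware", "Tool", "Trojan",
         "TrojanClicker", "TrojanDownloader", "TrojanNotifier", "TrojanProxy", "TrojanSpy", "VirTool", "Virus", "Worm"}
PLATFORMS = {"AndroidOS", "DOS", "Linux", "MacOS_X", "Win32", "Win64", "O97M", "W97M",
             "X97M", "JS", "VBS", "MSIL", "PHP", "Python", "SWF", "HTML"}
SUFFIXES = {".dam", ".dll", ".dr", ".gen", ".kit", ".ldr", ".pak", ".plugin", ".remnants",
            ".worm", "!bit", "!cl", "!dha", "!pfn", "!plock", "!rfn", "!rootkit", "@m", "@mm"}

@dataclass
class Detection:
    type: str
    platform: str
    family: str
    variant: "str | None"               # None for family-level or .gen-only detections
    suffixes: list = field(default_factory=list)

# Assumed layout Type:Platform/Family.Variant!Suffix (the separators Microsoft Defender
# uses); the page itself only states the order of the fields.
_HEAD = re.compile(r"(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9_]+)/"
                   r"(?P<family>[A-Za-z0-9_-]+)(?P<tail>.*)")
_TOKEN = re.compile(r"[.!@][A-Za-z0-9]+")

def parse_detection(name: str) -> Detection:
    m = _HEAD.fullmatch(name.strip())
    if not m:
        raise ValueError(f"not a Type:Platform/Family name: {name!r}")
    if m["type"] not in TYPES or m["platform"] not in PLATFORMS:
        raise ValueError(f"unknown type or platform in {name!r}")
    tokens = _TOKEN.findall(m["tail"])
    if "".join(tokens) != m["tail"]:        # reject stray characters between tokens
        raise ValueError(f"malformed variant/suffix part {m['tail']!r}")
    variant, suffixes = None, []
    for tok in tokens:
        if tok in SUFFIXES:                 # known suffix such as .gen, !bit or @mm
            suffixes.append(tok)
        elif tok[0] == "." and tok[1:].isalpha() and tok[1:].isupper() and variant is None:
            variant = tok[1:]               # sequential variant letters, e.g. "A" or "AB"
        else:
            raise ValueError(f"unrecognised token {tok!r} in {name!r}")
    return Detection(m["type"], m["platform"], m["family"], variant, suffixes)

def variant_index(variant: str) -> int:
    # Position in the sequential series A, B, ..., Z, AA, AB, ... (A = 1), like a spreadsheet column.
    n = 0
    for ch in variant:
        n = n * 26 + ord(ch) - ord("A") + 1
    return n
```

`variant_index` lets you compare two variants of the same family to see which detection was created later in the sequence.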