The Computer Antivirus Research Organization (CARO) has provided a malware naming scheme in 1991, which is still being used today.
How does it work?
As soon as you know what you are looking at, it will be easy for you to understand the CARO malware scheme.
All of the malware families that you see in the news and reports often utilize this scheme, as the scheme is widely adopted by the security industry.
The scheme contains the following values in order:
| # | label |
| 1 | type |
| 2 | platforms |
| 3 | family |
| 4 | variant letter |
| 5 | suffixes |
Type
The type field in the CARO scheme describes what the malware does. It gives directly the most information about the type of malware you are dealing with.
| Types | ||
| Adware | Program | Trojan |
| Backdoor | PWS | TrojanClicker |
| Behavior | Ransom | TrojanDownloader |
| BrowserModifier | RemoteAccess | TrojanNotifier |
| Constructor | Rogue | TrojanProxy |
| DDoS | SettingsModifier | TrojanSpy |
| Exploit | SoftwareBundler | VirTool |
| Hacktool | Spammer | Virus |
| Joke | Spoofer | Worm |
| Misleading | Spyware | |
| MonitoringTool | Tool |
Platforms
The next value in the scheme, is the platform value, this value indicates which platform the malware is supposed to run on. Additionally it also provides the programming language information or the file format.
| Operating System | Description |
| AndroidOS | Android operating system |
| DOS | MS-DOS platform |
| EPOC | Psion devices |
| FreeBSD | FreeBSD platform |
| iPhoneOS | iPhone operating system |
| Linux | Linux platform |
| MacOS | MAC 9.x platform or earlier |
| MacOS_X | MacOS X or later |
| OS2 | OS2 platform |
| Palm | Palm operating system |
| Solaris | System V-based Unix platforms |
| SunOS | Unix platforms 4.1.3 or lower |
| SymbOS | Symbian operating system |
| Unix | general Unix platforms |
| Win16 | Win16 (3.1) platform |
| Win2K | Windows 2000 platform |
| Win32 | Windows 32-bit platform |
| Win64 | Windows 64-bit platform |
| Win95 | Windows 95, 98 and ME platforms |
| Win98 | Windows 98 platform only |
| WinCE | Windows CE platform |
| WinNT | WinNT |
| Language | Language description |
| ABAP | Advanced Business Application Programming |
| ALisp | ALisp |
| AmiPro | AmiPro script |
| ANSI | American National Standards Institute |
| AppleScript | compiled Apple |
| ASP | Active Server Pages |
| AutoIt | AutoIT |
| BAS | Basic |
| BAT | Basic |
| CorelScript | Corelscript |
| HTA | HTML Application |
| HTML | HTML Application |
| INF | Install |
| IRC | mIRC/pIRC |
| Java | Java binaries (classes) |
| JS | Javascript |
| LOGO | LOGO |
| MPB | MapBasic |
| MSH | Monad shell |
| MSIL | .Net intermediate language |
| Perl | Perl |
| PHP | Hypertext Preprocessor |
| Python | Python |
| SAP | SAP platform |
| SH | Shell |
| VBA | Visual Basic for Applications |
| VBS | Visual Basic |
| WinBAT | Winbatch |
| WinHlp | Windows Help |
| WinREG | Windows registry |
| Macro type | Description |
| A97M | Access 97, 2000, XP, 2003, 2007, and 2010 macros |
| HE | macro scripting |
| O97M | Office 97, 2000, XP, 2003, 2007, and 2010 macros – those that affect Word, Excel, and Powerpoint |
| PP97M | PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros |
| V5M | Visio5 macros |
| W1M | Word1 Macro |
| W2M | Word2 Macro |
| W97M | Word 97, 2000, XP, 2003, 2007, and 2010 macros |
| WM | Word 95 macros |
| X97M | Excel 97, 2000, XP, 2003, 2007, and 2010 macros |
| XF | Excel formulas |
| XM | Excel 95 macros |
| Fileformat | Fileformat description |
| XML | XML files |
| TSQL | MS SQL server files |
| SWF | Shockwave Flash files |
| SB | StarBasic (Staroffice XML) files |
| QT | Quicktime files |
| Netware | Novell Netware files |
| MIME | MIME packets |
| HC | HyperCard Apple scripts |
| ASX | XML metafile of Windows Media .asf files |
Family
The value which follows after the platform value is the family value in the CARO scheme. The family groups common malware characteristics, including attribution to the same authors. Security providers sometimes use different names for the same malware family.
Variant letter
The next CARO scheme value is the variant letter. This is used sequentially for every distinct version of a malware family. For example, the detection for the variant “.AB” would have been created after the detection for the variant “.AC”.
Suffixes
This is the last value of the CARO scheme. In this part of the CARO scheme, extra detail is provided about the malware.
| Suffix | Description |
| .dam | damaged malware |
| .dll | Dynamic Link Library component of a malware |
| .dr | dropper component of a malware |
| .gen | malware that is detected using a generic signature |
| .kit | virus constructor |
| .ldr | loader component of a malware |
| .pak | compressed malware |
| .plugin | plug-in component |
| .remnants | remnants of a virus |
| .worm | worm component of that malware |
| !bit | an internal category used to refer to some threats |
| !cl | an internal category used to refer to some threats |
| !dha | an internal category used to refer to some threats |
| !pfn | an internal category used to refer to some threats |
| !plock | an internal category used to refer to some threats |
| !rfn | an internal category used to refer to some threats |
| !rootkit | rootkit component of that malware |
| @m | worm mailers |
| @mm | mass mailer worm |