Researchers dread Confusion caused due to Worm having too many Names

What's in a Name? Though Shakespeare may disregard the importance of a name and aptly says that the rose by any other name would smell as sweet, wonder if the same could be regarded as true in today’s technological world. Confusion rises over Friday’s file-destroying worm’s name. It’s one worm which has got several names. It is called “Mywife” at Microsoft Corp. and McAfee Inc., “Blackmal” at Symantec Corp. and CA Inc. and “Kama Sutra” in most media reports. No matter what the name, the danger remains the same though.

The confusion partly results from the speed with which the worm spreads.

At F-Secure Corp., it’s version “E” of “Nyxem,” while Sophos PLC says it’s version “D.” Others erratically refer to it as “Kapser,” “KillAV,” “Grew” or “Blackworm.”

The official name? “CME-24.”

The name may seem much botheration about nothing, but security researchers worry that the variance could lead to confusion amongst consumers.

Customers of one vendor’s product, for instance, may believe they are protected against “Nyxem.D” when in fact that vendor uses “E.” Or they may hear about “Kama Sutra” but don’t realize their product already protects them from “Kapser,” prompting phone inquiries that overwork support desks.

Director of the rapid response team for VeriSign Inc.’s iDefense Ken Dunham said, “Anti-virus companies when they get a sample need to act on that quickly.” Dunham added, “They don’t have time in their competitive environment to be able to go out and coordinate and have a nice little talk” about naming.

Security researchers face many decisions coming up with that initial name. Often, a new outbreak is a variation of an existing worm, so the vendor will use the next letter in the series.

But sometimes the variation is so small that not every vendor calls it a separate version, said Mikko Hypponen, chief research officer for F-Secure. Or the variation may be a bit larger, prompting some vendors to use a new name, while others use the next letter, he said.

That’s why some vendors began referring to Kama Sutra as “Grew.A”; it destroys files rather than try to overload Web sites with fake traffic, as previous versions did.

But they share code and techniques with predecessors; so F-Secure went with “Nyxem.E,” rearranged from the acronym for the New York Mercentile Exchange, whose Web site was targeted by the initial variant.

The U.S. Department of Homeland Security is attempting to combine naming through the Common Malware Enumeration, or CME. The larger outbreaks are assigned a random number — in this case “24” — to bring the various names under a single umbrella. A Web site making that
information public launched in October.

But “CME-24” doesn’t quite have the same ring as “Kama Sutra,” so named after the Hindu love manual because of the pornographic come-ons in e-mails spreading it. Media outlets began adopting Kama Sutra, even though no major security company calls it that.

“It’s primarily a media term,” Dunham said. “It’s something people are going to read about.”