The entire security industry agrees that the current convention for naming viruses and other malware is deeply flawed. Once theyve noted whether it runs on Windows or not (the answer is invariably yes anyway), software vendors are free to give each new occurrence of a virus, worm or Trojan any name they choose, leading to obvious confusion in the hours and days after discovery.
Imagine a company using security software from more than one vendor. The security staff will get warnings of a hypothetical malware outbreak from these systems using different names to identify the culprit. How can they tell for sure whether this is a single outbreak or, more dangerously, several distinct ones hitting at once?
Youd think then that the US governments CERT Common Malware Enumeration (CME) would have received unanimous backing. It proposes that each instance of a new virus or worm (the scheme will initially exclude other forms of malware) is given a randomly generated number up to 999 to complement its vendor-specific name.
This process will be guided through US-CERT using principles drawn up by an industry committee. When the initial 999 numbers are used up, a digit will be simply added to the possible range of identifiers.
From instance CME-15 is new the name for the worm otherwise known as W32.Zotob.F, Bozori.B, Net-Worm.Win32.Bozori.b, W32/Bozori.worm.b, W32/Zotob-F, WORM_ZOTOB.F, and Win32/Zotob.F!Worm. Vendors can still use their own name as long as they also use the number as a suffix.
Some of the qualifications have raised mildly dissenting voices, however. Only major outbreaks will be given CME numbers to start with, and there is bound to be some negotiation as to what gets this status. The CME could also become burdensome if the number of such events increases in number, especially as other forms of malware are included in its remit.
Anti-virus vendors have started using the designations, but without always making it easy to hunt for viruses using only the CME number. One leading anti-virus company returned nothing when a CME number was entered in its search facility. Anyone cross-checking would still have had to know the vendor-designated name.
Modest though it is too modest for some perhaps CME is better than nothing.