Variant

A Variant is a virus or worm based on an earlier virus or worm with one or more minor changes. A virus or worm that gains notoriety may eventually have hundreds of variants. Extremely simple viruses such as Vienna may be used as a template for more complex code and therefore have a lot of variants. Script worms and macro viruses such as Laroux, Melissa, Triplicate and Spyki, often have many variants because their code travels with them. Other extremely simple and prolific worms such as Slammer and Witty may have few to no variants because they cause too much disruption to be profitable and/or using them to send a political message would ensure the message is drowned out by the worm's/virus's destructiveness.

Creation of Variants

The author of the original virus or worm may make changes to their original creation. Often, a self-spreading program will contain bugs that inhibit its spreading or destruction ability. Even if the coder is ethical and only sends their code to antivirus vendors, s/he will want to fix the code. Sometimes a coder creates a virus or worm deliberately with a bug that prevents it from being destructive or spreading, but as a second thought creates a bug-free version.

Many first-time virus/worm coders will either disassemble a spreading program or find its source code in some other way in order to get an idea of the kind of coding necessary to create their own self-spreading program at a later date. They may reassemble or compile the source code. Even if no changes were consciously made to the code, the original code may be altered slightly during disassembly, assembly or compilation, producing a mostly similar program to the original, but with a few features that make it distinct from the original. Script kiddies are known to (and may get their name from) take someone else's code, make a few small changes to it and call it their own, giving rise to many variants.

Natural Evolution

Mark Ludwig in his book Computer Viruses, Artificial Life and Evolution suggests that a virus or worm could change more or less naturally. Possible ways they could change would likely be a slight surge or drop in power affecting a computer while the virus or worm is in memory, or slightly damaged disks, producing altered but still functioning viruses and worms. A number of virus/worm coders have experimented with mutation engines, that give their code the ability to change themselves with each generation. More often though, a variant is consciously created by a human creator.

Variant naming

Most variants currently are named with a letter of the alphabet attached as an extension of the family name. Each new variant is assigned the next letter of the alphabet as an extension to the name. For example, the original Melissa is called Melissa.A and the next one is Melissa.B. When Z is reached, but another variant appears, the new variant will be named AA, as is the case of many prolific families of worms, such as Mydoom and Loveletter. There are several families of malware

Before the CARO naming scheme was widely adopted, there were many different schemes for naming a virus variant, including numbers or another name attached after a period. One of the most common (still in use by a few holdouts) is to name the variant after the virus or worm's infection length or file size. Cascade was an example of this with variant names such as Cascade.1704 and Cascade.1701. With the Stoned family it was common for them to be named with an extra name after a period, usually based on text found in or displayed by the virus. Stoned.Monkey and Stoned.Angelina were a couple of prolific variants of this virus. Some, especially very large families prolific viruses, use a combination of these methods. Pixel, Vienna, Jerusalem and Burger use two or more variant naming schemes, sometimes with one variant of the virus (one example being Jerusalem.1808.Anarkia.D).

Sources

Mark Ludwig. "Computer Viruses, Artificial Life and Evolution". American Eagle Publications, Tuscon, Arizona, USA. ISBN 0-929408-07-1

Natasha Lomas. CNet News, Security from A to Z: Virus variants. 2006.11.27

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License