Warning: This page has not been updated for months, sorry. I am thinking about a solution (such as a wiki), but for now go to your favourite search engine and/or check the automatically generated Virus Alias Database at http://www.rainingfrogs.co.uk/.

Clam AntiVirus | Some other products | Notes |
---|---|---|
Delwin.1759 | DelWin.1759 (Symantec), Delwin (Hbedv), Delwin (Sophos), Goblin.1759 (Drweb) | |
Exploit.HTML.Bagle.Q-eml | - | First signature to detect Bagle.Q e-mails. Not used anymore. Update database! |
Exploit.HTML.Bagle.Q-1to8-eml | - | 8 generic signatures (Exploit.HTML.Bagle.Q-1-eml to Exploit.HTML.Bagle.Q-8-eml) to detect all (hopefully) Worm.Bagle.Q e-mails with Microsoft exploit MS03-032. |
Exploit.HTML.SomeFool.V | NetSky.V | NetSky.V's mail component, which downloads an executable. |
Exploit.TCP.Mydoom | ? | Generic signature to detect binaries that try to take over Mydoom-infected computers through its backdoor. |
Exploit.TCP.Mydoom.B | - | Removed. Update database! |
Trojan.Bagle.X | ? | |
Trojan.Hackarmy.N | Troj/Hackarmy-A, Backdoor.Hackarmy.n | Sat, 15 May 2004 13:16:52 +0200 |
Trojan.Hackarmy.N.2 | | Tue, 18 May 2004 15:45:13 +0200 |
Trojan.Hackarmy.N.3 | | |
Trojan.Proxy.W32.Bobax.C | TrojanProxy.Win32.Bobax.c | Tue, 18 May 2004 15:45:13 +0200 |
Worm.Bagle.A | Bagle.A | |
Worm.Bagle.A2 | Bagle.C | |
Worm.Bagle.A2-dll | Bagle.C | DLL loader dropped by Worm.Bagle.A2. |
Worm.Bagle.A3 | Bagle.D ? | |
Worm.Bagle.C | - | Old name of Worm.Bagle.E. Update database! |
Worm.Bagle.D-dll | - | "Detection of backdoor file dropped by Bagle." The Worm.Bagle.A3 one, I think. |
Worm.Bagle.E | Bagle.E | |
Worm.Bagle.F | Bagle.F | Actually two very similar versions. I think Sophos calls them W32/Bagle-F and W32/Bagle-G. |
Worm.Bagle.F-zippwd | Bagle.F and newer | Text and header fragments to catch mails with encrypted zip files created by Bagle worms. |
Worm.Bagle.F-zippwd-2 | | |
Worm.Bagle.F-zippwd-3 | | |
Worm.Bagle.F-zippwd-4 | | |
Worm.Bagle.F-zippwd-5 | | |
Worm.Bagle.F-zippwd-6 | | |
Worm.Bagle.F-zippwd-7 | | |
Worm.Bagle.H-zippwd-1 | | |
Worm.Bagle.Gen-1 | - | Generic signature to match possible future variants. Also matches old variants and this name is printed instead of specific versions. |
Worm.Bagle.Gen-2 | | |
Worm.Bagle.Gen-unp | | |
Worm.Bagle.Gen-dll | - | Generic detection of backdoor files dropped by Bagles. |
Worm.Bagle.Gen-rarpwd | - | Generic signature to detect password protected Bagle RAR files. |
Worm.Bagle.Gen-vbs | - | Generic signature to detect VBS (Visual Basic Script) component of newer Bagles (introduced in Worm.Bagle.Y). |
Worm.Bagle.Gen-zippwd | - | Generic signature to detect password protected Bagle zip files. |
Worm.Bagle.Gen-zippwd-2 | | |
Worm.Bagle.H | Bagle.H | Kaspersky calls it I-Worm.Bagle.g. |
Worm.Bagle.I | Bagle.I | Kaspersky calls it I-Worm.Bagle.h. |
Worm.Bagle.J | Bagle.J | Kaspersky calls it I-Worm.Bagle.i. |
Worm.Bagle.K | Bagle.K | Kaspersky calls it I-Worm.Bagle.j. |
Worm.Bagle.M | ? | |
Worm.Bagle.N | Bagle.N (F-Secure), I-Worm.Bagle.n (Kaspersky), W32.Beagle.M@mm (Symantec), Win32/Bagle.O@mm (RAV) | |
Worm.Bagle.N-2 | - | Mon, 14 Jun 2004 16:57:52 +0200 Submission notes: Bagle variant found within binary (probably Bagle variant with now cleaned Elkern/FunLove virus). |
Worm.Bagle.O | ? | |
Worm.Bagle.P | I-Worm.Bagle.o (Kaspersky) | Mon, 15 Mar 2004 12:31:36 +0100 |
Worm.Bagle.P.2 | ? | I don't know why another signature. (But it was changed on 2004.04.27 to avoid false positives.) |
Worm.Bagle.Q | ? | Thu, 18 Mar 2004 11:07:28 +0100. Also used for Worm.Bagle.Y for a short time. |
Worm.Bagle.R | W32/Bagle.T@mm (F-Prot), W32/Bagle-R (Sophos) | Sun, 21 Mar 2004 04:39:39 +0100 |
Worm.Bagle.U | Bagle.U (F-Secure), I-Worm.Bagle.s (Kaspersky) | Fri, 26 Mar 2004 10:56:31 +0100 |
Worm.Bagle.V | Bagle.V | |
Worm.Bagle.Y | W32/Bagle-W (Sophos), Bagle.Y (F-Secure), I-Worm.Bagle.y (Kaspersky), W32.Beagle.W@mm (Symantec), W32/Bagle.z@MM (McAfee) | Mon, 26 Apr 2004 16:48:09 +0200 (As Worm.Bagle.Q.) |
Worm.Bagle.Y-vbs | - | VBS component of Worm.Bagle.Y (Worm.Bagle.Y dropper). It was called Worm.Bagle.Q-vbs for a short time. |
Worm.Bagle.Z | I-Worm.Bagle.z (Kaspersky), W32/Bagle.aa@MM (McAfee) | Wed, 28 Apr 2004 14:26:03 +0200. Also the old name of Trojan.Bagle.X. |
Worm.Bagle.Z-vbs | - | VBS component of Worm.Bagle.Z. |
Worm.Bagle.AA-vbs | - | Renamed to Worm.Bagle.Gen-vbs. |
Worm.Bagle.AB | ? | Sun, 6 Jun 2004 19:45:45 +0200 |
Worm.Bagle.AC | ? | Fri, 11 Jun 2004 20:44:36 +0200 |
Worm.Bugbear.C | Worm/Bugbear.C.1, Worm/BugBear.B.dll (Hbedv), Win32.HLLM.Bugbear.3 (Drweb), W32/Bugbear-E (Sophos) | |
Worm.Bugbear.E | I-Worm/Bugbear.D (AVG), Win32.HLLM.Bugbear.4 (Drweb) | Tue, 27 Apr 2004 17:43:12 +0200 |
Worm.Bugbear.F | I-Worm.Tanatos.f | Wed, 19 May 2004 14:24:13 +0200 |
Worm.Cidra.D | Cidra.D | According to F-Secure this is not a worm but a trojan. |
Worm.Cjdra.A | - | Old name of Worm.Cidra.D. Update database! |
Worm.Gibe.F | Swen.A aka Gibe.F | |
Worm.Gibe.F.UPX.2 | Swen.B aka Gibe.F | |
Worm.Korgo.H | W32.Korgo.H (Symantec), Win32.Lsabot (Drweb) | Tue, 8 Jun 2004 03:09:07 +0200 |
Worm.Korgo.J | Win32.Lsabot (Drweb), Win32.Worm.Korgo.1.Gen (Bitdefender), Worm.Win32.Padobot.gen (Kaspersky) | Thu, 17 Jun 2004 03:21:21 +0200 |
Worm.Korgo.N | ? | Tue, 22 Jun 2004 14:19:37 +0200 |
Worm.Lentin.A | - | Old name of Worm.Yaha.A. Update database! |
Worm.Lovgate.T | W32.Lovgate.W@mm (Symantec) ? | Mon, 17 May 2004 22:08:39 +0200 |
Worm.Lovgate.V | W32.Lovegate.R@MM (Symantec), Worm/Lovgate.V (Hbedv), W32/Lovgate-V (Sophos) | Wed, 7 Apr 2004 04:37:06 +0200 |
Worm.Lovgate.W-1 | ? | "Variant of Lovgate. Some of the files dropped by this virus are detected as Worm.Lovegate.Y." |
Worm.Lovgate.W-1-dll | | |
Worm.Mydoom.C.2 | I-Worm.Mydoom.c (Kaspersky), Worm/Mydoom.C.2 (Hbedv), Win32.HLLM.MyDoom.based (Drweb) | Tue, 25 May 2004 10:49:09 +0200 (Possibly F-Secure's Mydoom.K.) |
Worm.Mydoom.E.UPX | - | Old name of Worm.Mydoom.F. Update database! |
Worm.Mydoom.E.UPX-dll | - | Old name of Worm.Mydoom.F-dll. Update database! |
Worm.Mydoom.F | Mydoom.F | This is the variant that deletes files and attacks www.riaa.com. |
Worm.Mydoom.F-dll | Mydoom.F | This is the DLL file dropped by Worm.Mydoom.F in %windir%\system32. |
Worm.Mydoom.G | Mydoom.G | |
Worm.Mydoom.G-dll | Mydoom.G | This is the DLL file dropped by Worm.Mydoom.G. |
Worm.Mydoom.Gen-1 | - | Generic signature to match possible future variants. |
Worm.Mydoom.Gen-2 | | |
Worm.Mydoom.Gen-unp | | |
Worm.Mydoom.H | Mydoom.H | |
Worm.Mydoom.H-dll | Mydoom.H | This is the DLL file dropped by Worm.Mydoom.H. |
Worm.Mydoom.I | - | Old name of Worm.Sober.D. Update database! (At the time of writing no real Mydoom.I existed.) |
Worm.Mydoom.J | w32/mydoom.j@mm (McAfee), W32/Bugbear-D (Sophos) | |
Worm.Mydoom.N | W32.Evaman.C@mm (Symantec) | Reported by Robert Fleming. |
Worm.Nyxem | I-Worm.Nyxem (Kaspersky), W32.Blackmal@mm (Symantec) | More aliases: Mywife, Hunchi, Blueworm, Blackworm |
Worm.Nyxem.B | I-Worm.Nyxem.b (Kaspersky), W32.Blackmal.B@mm (Symantec) | |
Worm.Plexus.A | Worm/Plexus.A (Hbedv), W32/Dumaru-AK (Sophos), Trojan.MulDrop.841 (Drweb), BackDoor.Dumaru (Drweb) | A worm and its backdoor. |
Worm.Plexus.B | I-Worm.Plexus.b (Kaspersky) | Submitted as W32.Explet.a@mm. |
Worm.Sasser.A | Sasser.A | 01-may-2004 13:02 +000 |
Worm.Sasser.B | Sasser.B | 2004.05.03 20:51 GMT |
Worm.Sasser.D | Sasser.D | 03-May-2004 18:43 +000 |
Worm.SCO.A | Mydoom.A, Novarg, Mimail.R, Win32.MMail.A, W32.Shimg | |
Worm.SCO.A-dam | - | Same as Worm.SCO.A. Update database! |
Worm.Sober.D | Sober.D | |
Worm.Sober.F | Sober.F, I-Worm.Vb.C | |
Worm.Sober.G | I-Worm.Sober.g | Fri, 14 May 2004 22:48:11 +0200 |
Worm.Sober.H | W32.Sober.H@mm (Symantec), Sober.H (F-Secure) | Sun, 13 Jun 2004 02:27:21 +0200 |
Worm.SomeFool | NetSky.B aka Moodown.B | Reportedly also printed for NetSky.A. |
Worm.SomeFool.B | NetSky.C aka Moodown.C | Packed with Petite |
Worm.SomeFool.B.2 | NetSky.C aka Moodown.C | Packed with UPX |
Worm.SomeFool.B-petite | - | Old name of Worm.SomeFool.D. Update database! |
Worm.SomeFool.D | NetSky.D aka Moodown.D | |
Worm.SomeFool.E | NetSky.E | |
Worm.SomeFool.F | NetSky.F | |
Worm.SomeFool.Gen-1 | - | Generic signature to match possible future variants. Also matches old variants and this name is printed instead of specific versions. Variants detected by Gen-1 include NetSky.D and variants detected by Gen-2 include NetSky.B. |
Worm.SomeFool.Gen-2 | | |
Worm.SomeFool.Gen-unp | | |
Worm.SomeFool.I | I-Worm.NetSky.i (Kaspersky), W32/Netsky-J (Sophos), Win32/Netsky.K@mm (RAV), Win32.HLLM.Netsky.22016 (DrWeb) | Masked by generic signature. (Or not?) |
Worm.SomeFool.K | I-Worm.NetSky.k (Kaspersky) | |
Worm.SomeFool.L | W32/Netsky-L (Sophos) | |
Worm.SomeFool.M | W32/Netsky-M | |
Worm.SomeFool.N | I-Worm.NetSky.o (Kaspersky), WORM_NETSKY.N (Trend Micro) | |
Worm.SomeFool.O | I-Worm.NetSky.p (Kaspersky) | |
Worm.SomeFool.P | Netsky.P, I-Worm.NetSky.q (Kaspersky) | Sun, 21 Mar 2004 16:38:56 +0100 |
Worm.SomeFool.P-dll | | |
Worm.SomeFool.Q | NetSky.Q | |
Worm.SomeFool.Q-2 | Worm/NetSky.Q (Hbedv) | |
Worm.SomeFool.R | W32/Netsky.r@MM (McAfee), W32/Netsky-R (Sophos), Worm/NetSky.S.1 (Hbedv), Win32.HLLM.Netsky.based (Drweb) | |
Worm.SomeFool.R.2 | I-Worm.NetSky.r | |
Worm.SomeFool.X | I-Worm/Netsky.X (GRISoft), W32/Netsky.x@MM (McAfee), W32.Netsky.X@mm (Symantec), Netsky.X@mm (Norman), W32/Netsky.X.worm (Panda), WORM_NETSKY.X (Trend Micro), Worm/NetSky.X (Hbedv), I-Worm.NetSky.y (Kaspersky), W32/Netsky-Y (Sophos) | Tue, 20 Apr 2004 12:27:03 +0200 (first as Worm.SomeFool.Y) |
Worm.SomeFool.Y | NetSky.Y | Tue, 20 Apr 2004 20:13:10 +0200 (Also previous name of Worm.SomeFool.X.) |
Worm.SomeFool.Z | NetSky.Z | Thu, 22 Apr 2004 00:25:56 +0200 |
Worm.SomeFool.X-msg, Worm.SomeFool.Y-msg, Worm.SomeFool.Z-msg-1, Worm.SomeFool.Z-msg-2, Worm.SomeFool.Z-msg-3, Worm.SomeFool.Z-msg-4, Worm.SomeFool.Z-msg-5, Worm.SomeFool.Z-msg-6 | - | Harmless text files dropped by the corresponding worm. |
Worm.SomeFool.AA | Worm/Netsky.AA (Hbedv), W32/Netsky-AA (Sophos), Win32.HLLM.Netsky.17408 (Drweb) | Tue, 27 Apr 2004 17:43:12 +0200 |
Worm.SomeFool.AB | Netsky.AB | Wed, 28 Apr 2004 10:51:00 +0200 |
Worm.SomeFool.AC | Netsky.AC | 03-May-2004 11:03 +000 |
Worm.Tibbo | W32/Misodene.a@MM (McAfee), Win32.HLLM.Generic.289 (Drweb) | Tue, 27 Apr 2004 16:12:26 +0200 |
Worm.Tibbo-zippwd | - | Detects password protected zip file containing Worm.Tibbo. |
Worm.VB.C | - | Renamed to Worm.Sober.F. Update database! |
Worm.Yaha.A | Yaha.A aka Lentin.A | |
Worm.YoursID | Bagle.B | |

There is a supplemental Bagle table, too.
Additions and corrections can be sent to nfl <at-sign> nfllab.com.
Last notes:
Yes, I know that worms are not viruses but it's simpler to write.
If you don't see the name of a virus here, it doesn't mean that ClamAV can't detect it.
The acronym "aka" means "also known as".