Why VDBs > AV Industry

[This was originally published on the OSVDB blog.]

Remember the recent Microsoft Windows WMF vulnerability that made news? You know, the “Shimgvw.dll SETABORTPROC function crafted WMF arbitrary code execution” issue? This was assigned OSVDB 21987, CVE 2005-4560, CERT VU 181038, BID 16074, FRSIRT ADV-2005-3086, OVAL 1433, SECTRACK 1015416, and Secunia 18255. While the vulnerability has a dozen different tracking numbers, they all correspond to the same issue, and many of them cross-reference each other to avoid confusion. This issue is different from the “WMF processing ExtEscape POSTSCRIPT_INJECTION function overflow DoS” or the “WMF processing ExtCreateRegion function overflow DoS”, each of which is identified by its own unique number in many of the VDBs.

Familiar with the CME-24/BlackWorm worm making the rounds? Oh, maybe you know it as W32/Kapser.A@mm? No, how about Worm/KillAV.GR? Maybe Win32/Blackmal.F? No?! Come on.. you have to know it by something? Check this handy list based on the Anti-Virus software you use:

Authentium: W32/Kapser.A@mm
CA: Win32/Blackmal.F
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Microsoft: Win32/Mywife.E@mm
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A

Yes, that many names for the same little program. For those who frown upon the VDB industry, at least we have our standards =)

Excellent analysis of the worm: http://www.caida.org/analysis/security/blackworm/

Blog entry that prompted this one: Virus Naming Still a Mess

