Common Malware Enumeration (CME) - News & Events (2005 Archive)

News & Events (2005 Archive)

December 20, 2005

CME List Enhanced with Links to Vendor Aliases

The CME List has been enhanced with links to vendor aliases for each CME identifier (CME-ID) included on the list. Users can now review a CME-ID and then follow the url for one or more of the vendor aliases to retrieve additional data about the threat and/or, depending on the vendor, fix information.

For example, in addition to a description of the malware and the date the identifier was assigned, the CME List entry for CME-681 now includes links for the following aliases:

CA: Win32.Sober.W
F-Secure: Sober.Y
Kaspersky: Email-Worm.Win32.Sober.y
McAfee: W32/Sober@MM!M681
Norman: W32/Sober.AA@mm
Panda: W32/Sober.AH.worm
Sophos: W32/Sober-Z
Symantec: W32.Sober.X@mm
Trend Micro: WORM_SOBER.AG

Aliases on the CME Web site are provided by members of the CME Editorial Board and CME Sample Redistribution Group. Visit the CME List to review all CME-IDs and aliases.

CME to Host Booth at Homeland Security for Networked Industries 2006 Conference & Expo in January

MITRE is scheduled to host a CME/OVAL/CVE exhibitor booth at Homeland Security for Networked Industries (HSNI) 2006 Conference & Expo on January 9-11, 2006 at Walt Disney World Resort, in Orlando, Florida, USA. The conference is "the first of its kind to encourage cross-industry collaboration on network security issues pertinent to America's critical infrastructures [or those] networks which serve as the backbone for daily life for the American public." It is "an opportunity to listen and network with IT decision makers from a variety of networked industries including utilities, telecom and transportation as well as government."

Organizations listed on the Products and Services Including CME Identifiers page will also be exhibiting. Please stop by Booth 117, or any of these booths, and say hello.

December 1, 2005

Trend Micro, Inc. Includes CME Identifiers in Virus Encyclopedia and Alerts

Trend Micro, Inc. issued a virus alert on November 21, 2005 that referenced CME-681. Numerous other alerts in the Trend Micro Virus Encyclopedia also reference CME identifiers. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products and services.

Trend Micro is a founding member of the CME Editorial Board and the CME Sample Redistribution Group.

Panda Software International S.L.'s Virus Encyclopedia Including CME-IDs as Aliases

CME identifiers are included as aliases in Panda Software International S.L.'s free Virus Encyclopedia. CME-681 was included as an alias for the W32/Sober.AH.worm. Numerous other entries in the encyclopedia also include CME-IDs. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products and services.

Panda Software is a member of the CME Editorial Board and the CME Sample Redistribution Group.

Hong Kong CERT Includes CME Identifier in Virus Alert

Hong Kong CERT issued a virus alert on November 23, 2005 that referenced CME-681. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products and services.

Counterpane Internet Security, Inc. Includes CME Identifier in Virus Alert

Counterpane Internet Security, Inc. issued a virus alert on November 22, 2005 entitled "CME 681 - Sober Virus Spoofing FBI and CIA" that referenced CME-681. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products and services.

Proland Software Includes CME Identifier in Virus Alert

Proland Software issued a virus alert on November 21, 2005 that referenced CME-681. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products and services.

CME Identifier Included in Article about Computer Worm on AXcess News

CME was mentioned in a November 24, 2005 article on AXcess News entitled "Computer Worm Posing as Fake FBI E-Mail." CME is mentioned in the article as one of the aliases assigned to the threat: "The Sober worm is also known as CME-681, WORM_SOBER.AG [Trend Micro], W32/Sober-{X, Z} [Sophos], Win32.Sober.W [Computer Associates], Sober.Y [F-Secure], W32/Sober@MM!M681 [McAfee], W32/Sober.AA@mm [Norman]."

Details about CME-681 and all CME identifiers are available on the CME List.

CME Identifier Included in Article about Sober Worm on ZDNet News

CME was mentioned in a November 23, 2005 article on ZDNet News entitled "Latest Sober threatens e-mail gateways." CME is mentioned as follows: "While the worm variant is named differently by the security vendors, the Common Malware Enumeration system, launched last month, labels the new threat CME-681."

Details about CME-681 and all CME identifiers are available on the CME List.

November 25, 2005

New CME Identifier Released: CME-681

CME-681 was assigned on November 22, 2005. Aliases for this threat include Win32.Sober.W; Sober.Y; Email-Worm.Win32.Sober.y; W32/Sober@MM!M681; W32/Sober.AA@mm; W32/Sober.AH.worm; W32/Sober-Z; W32.Sober.X@mm; and WORM_SOBER.AG. Visit the CME List for a complete description of this and other CME identifiers.

Notification of new CME identifiers is available from our RSS feed. Subscribe to the feed by clicking on the RSS or XML buttons located in the upper-right corner of the CME List page.

November 16, 2005

New CME Identifier Released: CME-157

CME-157 was assigned on November 15, 2005. Aliases for this threat include Email-Worm.Win32.Sober.u; W32/Sober.t.dr; W32.Sober.V@mm; W32/Sober-U; and Win32.Sober.Q. Visit the CME List for a complete description of this and other CME identifiers.

Notification of new CME identifiers is available from our RSS feed. Subscribe to the feed by clicking on the RSS or XML buttons located in the upper-right corner of the CME List page.

New CME Identifier Released: CME-589

CME-589 was assigned on November 10, 2005. Aliases for this threat include Win32.OutsBot.U; Breplibot.b; Backdoor.Win32.Breplibot.b; W32/Brepibot!CME-589; W32/Ryknos.A; Bck/Ryknos.A; Troj/Stinx-E; Backdoor.Ryknos; and BKDR_BREPLIBOT.C. Visit the CME List for a complete description of this and other CME identifiers.

Notification of new CME identifiers is available from our RSS feed. Subscribe to the feed by clicking on the RSS or XML buttons located in the upper-right corner of the CME List page.

CME Introduces Free Newsletter

CME is now offering a free e-newsletter that you can receive directly in your email mailbox. "CME-Announce" will provide updates of new CME identifiers for breaking threats. The newsletter will also include general news about CME such as new Web site features, upcoming conferences, CME in the news, etc., depending on the issue.

Messages with new CME identifiers will be sent as they occur, while messages focusing only on general news will be sent infrequently, once a week or less. Online sign-up is available on the Free Newsletter page. View our Privacy Policy.

CME Mentioned in Article about New Worm on TechBuilder.org

CME was mentioned in an October 6, 2005 article on TechBuilder.org entitled "New Version of Sober Worm Slams Users." CME is mentioned as follows: "In a side note, the new Sober made history as the first piece of malicious code to be assigned a CME (Common Malware Enumeration) identifier as it hit the Internet: "CME-151." The CME identifying process is an attempt by US-CERT and private anti-virus vendors to reduce the confusion over the multiple names many worms and viruses receive."

CME Main Topic of Article in DAWN Sci-Tech World

CME was the main topic of a November 3, 2005 article in the Sci-Tech World section of DAWN, Pakistan's most widely circulated English language newspaper, entitled "Tips and tricks: Worming it out." The article describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, notes that CME is sponsored by US-CERT, mentions members of the CME Editorial Board, discusses the role of the CME Sample Redistribution Group, and provides a link to the CME Web site.

The author states: "It is highly likely that members of the information security community will gradually adopt CME initiative to streamline the communication among themselves, the media and the public. As support with open source community catching up, CME has got strong academic uses as well. With Pakistan joining the net bandwagon, there's much emphasis on providing secure communication channels and use of CME will surely help professionals particularly those involved in vulnerability analysis."

The article was written by Nizar Diamond Ali. CME and US-CERT are sponsored by the U.S Department of Homeland Security.

Launch of CME Main Topic of Article in Network Computing

CME was the main topic of an October 6, 2005 article on Network Computing's Systems Management Pipeline entitled "New Worm Naming Scheme Aims To Cut Confusion." The article describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, cites CME-151, notes that CME is sponsored by US-CERT, mentions members of the CME Editorial Board, and provides a link to the CME Web site. The article also includes a quote about CME from Mark Harris, the director of CME Editorial Board member Sophos' research centers, who states: "[CME] will benefit customers in securing their computers from malware attack without disrupting rapid virus analysis."

MITRE Hosts CME Booth at CSI 2005

MITRE hosted a CME/CVE/OVAL exhibitor booth at the 32nd annual CSI Computer Security Conference & Exhibition, November 13-15, 2005, at the Marriott Wardman Hotel in Washington, D.C., USA. The conference exposed CME, CVE, and OVAL to information security and network professionals from industry, academia, and government.

Common Vulnerabilities and Exposures (CVE) is a dictionary of common, standardized names for publicly known information security vulnerabilities and exposures. Open Vulnerability and Assessment Language (OVAL) is a common language for security experts to discuss the technical details of how to identify the presence of vulnerabilities and configuration issues on computer systems using Community Forum-developed XML schemas and definitions. MITRE Corporation maintains and manages the CVE, OVAL, and CME projects, all of which are funded by US-CERT at the U.S. Department of Homeland Security.

Visit the CME Calendar page for information about this and other upcoming events.

October 28, 2005

CME List Now Available as an RSS Feed

The CME identifiers on the CME List are now available as an RSS feed. When new CME identifiers are assigned the information will be published on the CME Web site and also distributed directly to subscribers of the RSS feed. You may subscribe to the feed by clicking on the RSS or XML buttons located in the upper-right corner of the CME List page.

New CME Editorial Board and Sample Redistribution Group Member

Panda Software International S.L. has joined the CME Editorial Board and the CME Sample Redistribution Group.

Sophos Plc.'s Virus Analyses Database Including CME-IDs as Aliases

CME identifiers are included as aliases in Sophos Plc.'s free Sophos virus analyses database. CME-164 was included as an alias for W32/Zotob-B. Numerous other entries in the database also include CME-IDs. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products and services.

Sophos is a founding member of the CME Editorial Board and the CME Sample Redistribution Group.

Fortinet Inc.'s Virus Encyclopedia Including CME-IDs as Aliases

CME identifiers are included as aliases in Fortinet Inc.'s free Fortiguard Center Virus Encyclopedia. CME-637 was included as an alias for W32/IRCBot.ET-bdr. Numerous other entries in the encyclopedia also include CME-IDs. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products and services.

F-Secure Corporation Includes CME Identifier in Virus Alert

F-Secure Corporation issued a virus definition on October 6, 2005 that referenced CME-151. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products and services.

F-Secure is a founding member of the CME Editorial Board and the CME Sample Redistribution Group.

Norman ASA Includes CME Identifier in Virus Alert

Norman ASA issued a virus definition on October 6, 2005 that referenced CME-151. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products and services.

Norman is a founding member of the CME Editorial Board and the CME Sample Redistribution Group.

Cert-IST Includes CME Identifiers in Security Advisories

Cert-IST (Computer Emergency Response Team - Industry, Services and Tertiary) issued a security advisory on August 25, 2005 that referenced CME-243, CME-164, and CME-15. Other Cert-IST advisories also include CME identifiers. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products and services.

MITRE to Host CME Booth at 32nd Annual CSI Conference

MITRE is scheduled to host a CME/OVAL/CVE exhibitor booth at the 32nd annual CSI Computer Security Conference & Exhibition, November 13-15, 2005, at the Marriott Wardman Hotel in Washington, D.C., USA. The conference will expose CME, OVAL, and CVE to information security and network professionals from industry, academia, and government.

Visit the CME Calendar page for information about this and other upcoming events.

Norman ASA Press Release Announces Participation in CME and Inclusion of CME-IDs in their Virus Descriptions

Norman ASA issued a press release on October 13, 2005 entitled "Norman works for increased public understanding of IT security threats." The release announces that Norman has joined the "Common Malware Enumeration (CME), an international organisation that works for common definitions of new virus threats in order to reduce public confusion during malware outbreaks." The release describes what CME is and isn't and mentions the problems that use of CME's common identifiers will solve.

In addition, the release states "Norman has already started using the CME classification when analyzing [viruses]. This happened last week during the outbreak of Sober." A url for a Norman virus description that referenced CME-151 was also provided.

Norman is a founding member of the CME Editorial Board and the CME Sample Redistribution Group. CME and US-CERT are sponsored by the U.S Department of Homeland Security.

McAfee, Inc. Press Release Announces Participation in CME Initiative

McAfee, Inc. issued a press release on October 5, 2005 entitled "McAfee, Inc. Supports Common Malware Enumeration Initiative to Help Alleviate Problems With Malware Naming." The release announces that McAfee has joined the "CME Editorial Board to help bring the CME's concept to maturity and to help expand its reach to other members of the anti-malware industry." The release describes what CME is and isn't, notes that CME is sponsored by US-CERT, and mentions the problems that use of CME's common identifiers will solve.

The release also includes a quote from Jimmy Kuo, research fellow for McAfee's Anti-Virus and Vulnerability Emergency Response Team (AVERT), who states: "During the outbreak process it can be difficult for anti-virus companies to stay coordinated with virus names, and, as a result, threats are given a variety of names and variant designations. This is even harder on IT administrators, because their products may be alerting them to threats with completely different names than what another security vendor may be calling them. The CME initiative will help alleviate this problem with the use of identifiers, so even if a name is slightly different between various vendors, the identifier will match."

McAfee is a founding member of the CME Editorial Board and the CME Sample Redistribution Group. CME and US-CERT are sponsored by the U.S Department of Homeland Security.

Sophos Plc. Press Release Announces Appointment to CME Editorial Board and Inclusion of CME-IDs in the Sophos Virus Analyses Database

Sophos Plc. issued a press release on October 5, 2005 entitled "Sophos joins drive to cure virus-naming confusion." The release announces that Sophos has joined the "editorial board for the Common Malware Enumeration (CME) initiative, an industry group whose aim is to provide unique, common identifiers to new malware threats."

The release describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, notes that CME is sponsored by US-CERT, describes the role of the CME Editorial Board, and includes a link to the CME Web site. The release also states "For every virus identified by CME, Sophos will display the CME reference in its extensive database of virus analyses." Also included is a quote from Mark Harris, director of SophosLabs, Sophos's network of virus and spam research centers, who states: "We encourage more anti-virus vendors to participate in this initiative, which will benefit customers involved in securing their computers from malware attack without disrupting the serious work of rapid virus analysis and protection."

Sophos is a founding member of the CME Editorial Board and the CME Sample Redistribution Group. CME and US-CERT are sponsored by the U.S Department of Homeland Security.

MITRE Hosts CME Booth at FIAC 2005

MITRE hosted a CME/OVAL/CVE exhibitor booth at Federal Information Assurance Conference (FIAC) 2005, October 25–26, 2005, at the University of Maryland University College in Adelphi, Maryland, USA. The conference exposed CME, OVAL, and CVE to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.

Visit the CME Calendar page for information about this and other upcoming events.

Search Feature Added to CME Web Site

A Search the CME Web Site feature has been added to the main menu of the CME Web site to assist users. You may search the site by CME-ID or keyword(s).

October 12, 2005

FrSIRT References CME Identifiers in Security Alerts

French Security Incident Response Team (FrSIRT) issued a security alert on August 14, 2005 that referenced CME-243. Other FrSIRT alerts also include CME identifiers. See the Products and Services Including CME Identifiers page for a complete list of the organizations that are including or have included CME identifiers in their anti-virus and information security products, services, Web sites, alerts, encyclopedias, etc.

MITRE to Host CME Booth at FIAC 2005

MITRE is scheduled to host a CME/OVAL/CVE exhibitor booth at Federal Information Assurance Conference (FIAC) 2005, October 25-26, 2005, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose CVE, OVAL, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.

Visit the CME Calendar page for information about this and other upcoming events.

'Calendar of Events' Page Added to CME Web Site

A Calendar of Events page has been added to the News section of the CME Web site. The calendar will note the conferences and other events at which CME will be delivering presentations, participating on panel discussions, exhibiting, etc. Each listing will include the event name with URL, date of the event, location, and a description of our activity at the event.

CME Presents Briefing and Hosts BoF at Virus Bulletin Conference on October 5th

MITRE presented a briefing about CME and hosted a Birds of a Feather (BoF) meeting at the Virus Bulletin Conference on October 5th, 2005, at The Burlington, in Dublin, Ireland. The conference, which ran October 5th-7th, exposed CME to "dedicated anti-virus researchers and security professionals from government and military organizations, legal, financial and educational institutions, and some of the world's largest international corporations." The briefing and BoF both focused on the announcement about the public launch of the CME initiative.

CME Main Topic of Article in Information Week

CME was the main topic of an October 6, 2005 article in Information Week entitled "New Worm Naming Scheme Aims To Cut Confusion" The article notes that CME is sponsored by US-CERT, describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, cites CME-151, and mentions several members of the CME Editorial Board. The article also includes a quote about CME from Mark Harris, the director of CME Editorial Board member Sophos' research centers, who states: "[CME] will benefit customers in securing their computers from malware attack without disrupting rapid virus analysis."

CME Main Focus of Article on CXOtoday.com

CME was the main topic of an October 6, 2005 article on CXOtoday.com entitled "Leading Vendors Adopt Common Virus Nomenclature." The article describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, describes CME identifiers, details the process for assigning CME identifiers, notes that CME is sponsored by US-CERT, describes MITRE Corporation and its role, lists the members of the CME Editorial Board, and provides a link to the CME Web site.

Launch of CME Main Topic of Article in Sans NewsBites

CME was the main topic of a brief article entitled "Common Malware Enumeration Initiative to be Launched in October" in the September 27, 2005 issue of SANS NewsBites. The article describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, and notes that CME is sponsored by US-CERT.

CME Main Topic of Article on All Headline News

CME was the main topic of a September 27, 2005 article on All Headline News entitled "Computer Malware To Be Unveiled." The article describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, and notes that CME is sponsored by US-CERT.

CME Main Focus of Article on CNET.com

CME was the main topic of a September 23, 2005 article on CNET.com entitled "This week in security." The article mentions the problems that use of CME's common identifiers will solve and discusses some examples.

October 5, 2005

MITRE Corporation Issues Press Release Announcing CME

The MITRE Corporation issued a press release entitled "Common Malware Enumeration Initiative Now Available" on October 5, 2005 formally announcing the launch of the CME initiative. The release describes what CME is and isn't, discusses the CME Editorial Board, and mentions the address of the CME Web site. A CME Press Q&A is also available.

CME is sponsored by US-CERT at the U.S. Department of Homeland Security. MITRE maintains CME and provides neutral guidance to the CME Sample Redistribution Group and CME Editorial Board throughout the process to ensure that CME serves the public interest.

CME to Present Briefing and Host BoF at Virus Bulletin Conference on October 5th

MITRE is scheduled to present a briefing about CME and host a Birds of a Feather (BoF) meeting at the Virus Bulletin Conference on October 5th, 2005, at The Burlington, in Dublin, Ireland. The conference, which runs October 5th-7th, will expose CME to "dedicated anti-virus researchers to security professionals from government and military organizations, legal, financial and educational institutions, and some of the world's largest international corporations." The briefing and BoF will focus on the announcement about the public launch of the CME initiative.

Article in Virus Bulletin Announces Public Launch of CME Initiative

An article entitled "The Common Malware Enumeration Initiative" describing CME was published in the September 2005 issue of the Virus Bulletin. The article serves as the public launch of CME and describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, describes CME identifiers, details the process for assigning CME identifiers, lists the members of the CME Editorial Board, and advocates the adoption of CME by the anti-virus and information security communities for the benefit of the public. The article will also be presented as a briefing topic at the upcoming Virus Bulletin Conference on October 5th-7th, 2005 in Dublin, Ireland.

CME Main Focus of Article on SearchSecurity.com

CME was the main topic of a September 29, 2005 article on SearchSecurity.com entitled "Will US-CERT bring sanity to virus naming?" The article describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, notes that CME is sponsored by US-CERT, and mentions members of the CME Editorial Board. The article also includes a quote about the potential for CME from Lenny Zeltser, practice leader at New York-based Gemini Systems LLC and a volunteer handler for the Bethesda, Md.-based SANS Internet Storm Center, who states: "If CME lives up to its potential, security practitioners will save valuable time by relying on a single CME tag to identify a particular malicious program across multiple anti-virus databases." CME and US-CERT are sponsored by the U.S Department of Homeland Security.

CME Main Topic of Article on CNET.com

CME was the main topic of a September 22, 2005 article in CNET.com entitled "Name that worm—plan looks to cut through chaos." The article describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, cites CME-540 and describes the threat it refers to, provides an overview of how CME identifiers are assigned, notes that CME is sponsored by US-CERT, and describes the role of the CME Editorial Board and lists several of the organizations participating.

The article also includes a quote from CME Team Member Desiree Beck describing how CME works: "A CME identifier should get assigned within hours of a new worm or virus starting to spread. Security vendors then should include the number in their products and link from their advisories to the information on the CME Web site, which is set to debut in early October. The proposal is for security companies to add the CME tag to the threat names. An alert popping up on a user's screen could [read] like this: "Zotob.E!CME-540 detected."

CME and US-CERT are sponsored by the U.S Department of Homeland Security.

Launch of CME Main Topic of Article in eWeek

CME was the main topic of a September 22, 2005 article in eWeek entitled "US-CERT Malware Naming Plan Faces Obstacles." The article describes what CME is and isn't, mentions the problems that use of CME's common identifiers will solve, and lists several members of the CME Editorial Board. The article also includes a quote from MITRE CME Project Leader Julie Connolly who states: "MITRE has created a secure server to which participating anti-virus companies pass their discoveries, and will launch a CME Web site on [Oct. 5] that will list about [26] viruses with CME numbers. Initially, only high-impact viruses and worms will receive CME numbers, though MITRE may extend CME numbers to lower-level threats once the program is up and running.