The WildList Organization International





In the Wild Virus Descriptions

Frequently Asked Questions

Report a Virus Incident

Product Testing


About Us

In the News

Our Code of Conduct


Tell us what you think

If you don't see your question listed here, mail We will try to respond as soon as we can, but remember we are a volunteer group and may not be able to respond immediately. We try to incorporate new questions into this FAQ periodically.

What is The WildList, and where did it come from... ?

Over the years, antivirus expert Joe Wells has collected reports of which viruses have been found spreading in the real world. He decided to create a list of these viruses and asked other researchers to verify or challenge the viruses on the list and offer changes. The first list was developed in July of 1993 and the first official list was published in November of 1993. The list was made available to the public, free of charge, in hopes to offset some of the 'numbers games' being played by some antivirus product developers. That list was eventually called The Wildlist.

In 1995 and 1996, the Wildlist went through some major refinements and standardization. First, it began to be generated from a database with comprehensive information on each virus. Second, in order to help maintain the Wildist's integrity, Dr. Richard Ford agreed to act as the WildList's ombudsman. Third, a Board of Directors was chosen with a view to future development of the Wildlist. With these changes, refinements, and additions, The WildList Organization International was birthed.

Why Capital L and Capital W? This was Sarah's construction to differentiate The WildList from various "wildlists" dealing with everything from animals to newsgroups. She had seen the idea used on some AntiVirus products and thought it would work well for The WildList. Thus, "WildList" and "In the Wild" were specifically created to set The WildList apart from all imitations. These terms became part and parcel of the way The WildList way.

The WildList was a valuable resource, but grew to be more valuable with the creation of WildCore. WildCore is a set of replicated virus samples that represents the real threat to computer users. The set was formally made available to ICSA and Virus Bulletin for testing purposes in 1995.

The WildList has grown into the world's foremost authority on which viruses users should really be concerned with. Used as a basis for testing antivirus software by proficient and competent testing authorities, The Wildlist remains available free to computer users worldwide. We answer thousands of queries ever year, and help provide a reality check for the antivirus industry!

The list is created each month by a team of volunteers, using reports from over 70 antivirus researchers and corporations world-wide.

On the 15th day of each month, the formal WildList is extracted from all verified reports, and published at Archives of past WildLists are available in the archive.

Back to Top

What exactly is 'In the Wild'?

When a virus is reported to us by two or more Reporters, it's a pretty good indication that the virus is out there, spreading, causing real problems to users. We consider such a virus to be 'In the Wild'.

As far as where is 'out there', we like the definition given by Paul Ducklin of Sophos, PLC in his paper 'Counting Viruses':

For a virus to be considered In the Wild, it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users.
This means viruses which merely exist but are not spreading are not considered 'In the Wild'.

Similarly, for a trojan to be considered "In the Wild", it must be found on the computers of unsuspecting users, in the course of normal day-to-day operations.

Back to Top

Why don't you include viruses from vX sites?

See the last question. For a virus to be spreading In the Wild, it must be observed in the real world, where their normal day-to-day operations take place. While there are viruses on vX sites, and viruses posted to the Internet, there is no evidence to support the theory that such posts are positively correlated with virus incidents in the real world. A paper by one antivirus researcher suggests such research needs to take place, to quantify the threat posed by such viruses. If you're interested in discussing this issue, contact

You want antivirus software that can protect you from the real threat. By making sure the tests you rely on show the performance of detection and disinfection of viruses which are actually out there In the Wild, you are helping keep the virus problem under control.

Back to Top

A lot of the Reporters seem to support the same vendor. How do you keep the same virus incident from being counted twice?

It is true that many of our Reporters support the same vendor, but this is simply not a problem when it comes to interpreting The WildList data. It helps to understand the process by which each month's WildList is collated.

One important step in our quality control process is verification of reports to ensure no duplicate reports slip through. Any time we receive a report of any given virus from two or more Reporters, we verify the reports with each individual reporters. Sometimes this is done via e-mail, sometimes with a telephone call; in all cases, reports of what might be the same virus incident are followed up on personally before any virus is added to The WildList.

In this way, we make sure that cross-reporting rarely (if ever) occurs. If a virus appears on The WildList, you can rest assured it has been reported by two or more of our reporters and that these reports represent separate incidents.

Back to Top

You have different names for the same viruses. How do I know which is the correct name?
I don't care what it's called -- I just want to get rid of it!'

There is no 'correct' name for a virus at this time. In most cases, these are names which follow the naming scheme created by Alan Solomon, Fridrik Skulason and Vesselin Bontchev. This is sometimes referred to as the CARO naming scheme. However, this is no more 'right' or 'wrong' than using any other set of names. As all of the vendors are not CARO members, they may elect to not use CARO names for various reasons. We will use these names when it is in the best interest of the users for us to do so. We include aliases for viruses which may be called different names by different vendors. You can read more about our views on naming here.

We agree, getting rid of a virus is important. You can help make that happen by making sure that the tests you rely on test the detection and disinfection of the viruses which are In the Wild.

Back to Top

You only put out a list once a month. How can we find out about viruses in the meantime?

You are absolutely correct in wanting to keep up to date with the virus problem more often than 'once a month'. Viruses spread every day and no one can afford to wait a month in the case of an important new virus outbreak. For this reason we encourage you to develop a good relationship with your vendor and practice safe hex! Keep your antivirus software up to date.

We know that you also want to know about new viruses which may affect you. In addition to monitoring your vendor's WWW sites for relevant developments, and obtaining the monthly WildList from us, keep an eye on our new Dynamic Wildlist. What's that? The Dynamic WildList is a new service, which allows Reporters to tell us about new viruses the moment they are reported! That information is made available to you shortly thereafter.

We recognize that this kind of information is important to you, and are pleased to announce this addition to our services. Recently previewed at Virus Bulletin, this automated system will enable you to check for virus activity daily. You can also check our alerts section where any news of an urgent nature will be published. UPDATE: due to circumstances beyond our control, the online system is still in progress. Shane Coursen has developed a WWW site where he plans to debut online reporting.

Back to Top

What is the purpose of the Supplemental list?

Sometimes viruses are reported by one person, and they go away, never to be seen again. A record of these one-time-sightings viruses is kept within the archives of The WildList Organization's Supplemental Lists. While these viruses are not spreading in the real world, they may be of interest to the individual user.

Of course, if one of these viruses is reported by a second Reporter, it is moved to the Main List with the rest of the viruses which are still being observed In the Wild. You will often find short-lived macro viruses listed on the Supplemental list.

Back to Top

Where can I find descriptions of the virus I have?

Visit the In the Wild virus description section.

Back to Top

Why doesn't the virus I have show up on The WildList?

Not all of the viruses occuring in the world are automatically listed on The WildList. Only those viruses that meet the definition of 'In the Wild' (ItW) are included. Specifically, a virus has to be spreading in the wild during normal operations, and be reported via our Reporter network, to appear on The WildList. Only those viruses reported to the WildList Organization by WLO Reporters are considered for inclusion into the WildList.

But where do these Reporters get their data? The answer is, from their clientele -- basically, the general public. That's why we provide a link for you to report your incident to the Reporter for your region. In the case of the home PC users, the WLO Reporter generally won't report the virus to us unless they received and verified two incidents within a one-month timeframe.

Remember, it is our goal to document viruses which are actually actively spreading. In the case of larger businesses and corporations, where a virus is likely to exist at more than just one desktop, the Reporter is likely to report the virus to us after just one verified incident.

Back to Top

What is the best antivirus software?

The WildList Organization International maintains its independence from any one software developer; thus, we cannot recommend any one antivirus software product. As each package offers slightly different features, only the individual or corporate administrator can decide which package would best suit their needs. There are a number of papers written on how to choose the best personal antivirus software. We encourage you to arm yourself with as much knowledge as possible prior to making a final purchasing decision. This includes being familiar with the affiliation of the authors of such papers and any affiliations between testers and software developers.

Back to Top

How often should I update my antivirus software?

10 years ago the answer to this question would have been 'Once a month'. Times have changed. While most products still offer monthly updates, many developers now offer daily, weekly and even hourly updates.

If you receive many untrusted items daily, you may want to consider daily or weekly updates. If you rarely receive e-mail or new applications, you may feel a monthly update is sufficient.

Back to Top

How do I know if what I have is a real virus or a hoax?

There are sites that specialise in listing hoaxes. In addition to the sites run by antivirus product vendors, you may want to look at or

You can read this paper on how to ascertain if you have a hoax. It was written by WildList affiliates Sarah Gordon, Richard Ford and Joe Wells and was presented at the International Virus Bulletin Conference.

Back to Top

Who writes viruses anyway?

There are a lot of stereotypes out there. The only serious on-going scientific work we are aware of to date is available here.

Back to Top

Have a question? Ask us! Mail

The WildList and The WildList Organization International are trademarks of The WildList Organization. All other products mentioned are registered trademarks or trademarks of their respective companies.

Questions or problems regarding this web site should be directed to

Copyright © 1999,2001 The WildList Organization International. All rights reserved.

Thank you for visiting our WWW site. Remember, viruses spread every day of the year. Keep your antivirus software up-to-date, and practice safe computing.