If you don't see your question listed here, mail
We will try to respond as soon as we can, but remember we
are a volunteer group and may not be able to respond
immediately. We try to incorporate new questions into
this FAQ periodically.
Over the years, antivirus expert Joe Wells has collected
reports of which viruses have been found spreading in the
real world. He decided to create a list of these viruses
and asked other researchers to verify or challenge the viruses
on the list and offer changes. The first list was developed in
July of 1993 and the first official list was published in
November of 1993. The list was made available to the public,
free of charge, in hopes to offset some of the 'numbers games'
being played by some antivirus product developers. That list was
eventually called The Wildlist.
In 1995 and 1996, the Wildlist went through some major refinements
and standardization. First, it began to be generated from a database
with comprehensive information on each virus. Second, in order to help
maintain the Wildist's integrity, Dr. Richard Ford agreed to act as
the WildList's ombudsman. Third, a
Board of Directors was chosen with a view to future development of the
Wildlist. With these changes, refinements, and additions,
The WildList Organization International was birthed.
Why Capital L and Capital W? This was Sarah's construction
to differentiate The WildList from various "wildlists" dealing
with everything from animals to newsgroups. She had seen the idea used
on some AntiVirus products and thought it would work well for
The WildList. Thus, "WildList" and "In the Wild" were specifically
created to set The WildList apart from all imitations. These terms
became part and parcel of the way The WildList way.
The WildList was a valuable resource, but grew to be more valuable
with the creation of WildCore.
WildCore is a set of replicated virus samples that represents the real
threat to computer users. The set was formally made available to
ICSA and Virus Bulletin for testing purposes in 1995.
The WildList has grown into the world's foremost
authority on which viruses users should really be
concerned with. Used as a basis for testing antivirus
software by proficient and competent testing authorities,
The Wildlist remains available free to computer users
worldwide. We answer thousands of queries ever year,
and help provide a reality check for the antivirus industry!
The list is created each month by a team of volunteers,
using reports from over 70 antivirus researchers and
On the 15th day of each month, the formal WildList is
extracted from all verified reports, and published at
Archives of past WildLists are available in the
When a virus is reported to us by two or more Reporters,
it's a pretty good indication that the virus is out there,
spreading, causing real problems to users. We consider such
a virus to be 'In the Wild'.
As far as where is 'out there', we like the definition
given by Paul Ducklin of Sophos, PLC in his paper
For a virus to be considered In the Wild, it must be
spreading as a result of normal day-to-day operations on
and between the computers of unsuspecting users.
This means viruses which merely exist but are not
spreading are not considered 'In the Wild'.
Similarly, for a trojan to be considered "In the Wild", it
must be found on the computers of unsuspecting users, in
the course of normal day-to-day operations.
See the last question. For a virus to be spreading In the
Wild, it must be observed in the real world, where their
normal day-to-day operations take place. While there are
viruses on vX sites, and viruses posted to the Internet,
there is no evidence to support the theory that such posts
are positively correlated with virus incidents in the real
world. A paper by one
suggests such research needs to take place,
to quantify the threat posed by such viruses. If you're
interested in discussing this issue, contact
You want antivirus software that can protect you from the
real threat. By making sure the tests you rely on show the
performance of detection and disinfection of viruses which
are actually out there In the Wild, you are helping keep
the virus problem under control.
It is true that many of our Reporters support the same
vendor, but this is simply not a problem when it comes to
interpreting The WildList data. It helps to understand the
process by which each month's WildList is collated.
One important step in our quality control process is
verification of reports to ensure no duplicate reports
slip through. Any time we receive a report of any given
virus from two or more Reporters, we verify the reports
with each individual reporters. Sometimes this is done via
e-mail, sometimes with a telephone call; in all cases,
reports of what might be the same virus incident are
followed up on personally before any virus is added to The
In this way, we make sure that cross-reporting rarely (if
ever) occurs. If a virus appears on The WildList, you can
rest assured it has been reported by two or more of our
reporters and that these reports represent separate
There is no 'correct' name for a virus at this time. In
most cases, these are names which follow the naming scheme
created by Alan Solomon, Fridrik Skulason and Vesselin
Bontchev. This is sometimes referred to as the CARO naming
scheme. However, this is no more 'right' or 'wrong' than
using any other set of names. As all of the vendors are not
CARO members, they may elect to not use CARO names for
various reasons. We will use these names when it is in the
best interest of the users for us to do so. We include
aliases for viruses which may be called different names by
different vendors. You can read more about our views on
We agree, getting rid of a virus is important. You can help
make that happen by making sure that the tests you rely on
test the detection and disinfection of the viruses which
are In the Wild.
You are absolutely correct in wanting to keep up to date
with the virus problem more often than 'once a month'.
Viruses spread every day and no one can afford to wait a
month in the case of an important new virus outbreak. For
this reason we encourage you to develop a good relationship
with your vendor and practice safe hex! Keep your antivirus
software up to date.
We know that you also want to know about new viruses which
may affect you. In addition to monitoring your vendor's WWW
sites for relevant developments, and obtaining the monthly
WildList from us, keep an eye on our new Dynamic Wildlist.
What's that? The Dynamic WildList is a new service, which
allows Reporters to tell us about new viruses the moment
they are reported! That information is made available to
you shortly thereafter.
We recognize that this kind of information is important to
you, and are pleased to announce this addition to our
services. Recently previewed at Virus Bulletin, this
automated system will enable you to check for virus
activity daily. You can also check our alerts section where
any news of an urgent nature will be published. UPDATE:
due to circumstances beyond our control, the online system
is still in progress. Shane Coursen has developed a WWW site
where he plans to debut online reporting.
Sometimes viruses are reported by one person, and they go
away, never to be seen again. A record of these
one-time-sightings viruses is kept within the archives of
The WildList Organization's Supplemental Lists. While these
viruses are not spreading in the real world, they may be of
interest to the individual user.
Of course, if one of these viruses is reported by a second
Reporter, it is moved to the Main List with the rest of the
viruses which are still being observed In the Wild. You
will often find short-lived macro viruses listed on the
In the Wild virus description
Not all of the viruses occuring in the world are
automatically listed on The WildList. Only those viruses
that meet the definition of 'In the Wild' (ItW) are
included. Specifically, a virus has to be spreading in the
wild during normal operations, and be reported via our
Reporter network, to appear on The WildList. Only those
viruses reported to the WildList Organization by WLO
Reporters are considered for inclusion into the WildList.
But where do these Reporters get their data? The answer is,
from their clientele -- basically, the general public.
That's why we provide a link for you to report your
incident to the Reporter for your region. In the case of
the home PC users, the WLO Reporter generally won't report
the virus to us unless they received and verified two
incidents within a one-month timeframe.
Remember, it is our goal to document viruses which are
actually actively spreading. In the case of larger
businesses and corporations, where a virus is likely to
exist at more than just one desktop, the Reporter is likely
to report the virus to us after just one verified incident.
The WildList Organization International maintains its
independence from any one software developer; thus, we
cannot recommend any one antivirus software product. As
each package offers slightly different features, only the
individual or corporate administrator can decide which
package would best suit their needs. There are a number of
papers written on how to choose the best personal antivirus
software. We encourage you to arm yourself with as much
knowledge as possible prior to making a final purchasing
decision. This includes being familiar with the affiliation
of the authors of such papers and any affiliations between
testers and software developers.
10 years ago the answer to this question would have been
'Once a month'. Times have changed. While most products
still offer monthly updates, many developers now offer
daily, weekly and even hourly updates.
If you receive many untrusted items daily, you may want to
consider daily or weekly updates. If you rarely receive
e-mail or new applications, you may feel a monthly update
There are sites that specialise in listing hoaxes. In
addition to the sites run by antivirus product vendors, you
may want to look at
You can read this paper on how to
ascertain if you have a hoax. It was written by WildList
affiliates Sarah Gordon, Richard Ford and Joe Wells and was
presented at the International Virus Bulletin Conference.
There are a lot of stereotypes out there. The only serious
on-going scientific work we are aware of to date is available
Have a question? Ask us! Mail