=================================================
File 6FW98.TXT
Detailed results of File and Macro Virus related
on-demand scanner tests under Windows 98:
=================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification quality
concerning FILE and MACRO viruses as well as selected FILE and MACRO
MALWARE, both in full "zoo" virus collection and for viral ITW testbed.
Additionally, test results are reported concerning detection of
(4*10,000) viruses in a testbed with generations of 4 polymorphic file
viruses, as well as a subset of 10,706 viruses generated from VKIT virus
construction kit. Moreover, results for detection of viruses in files
compressed with 4 popular packing methods are also given.

Finally, a special test was performed concerning "false positive" virus
detection of selected files which were deliberately chosen from available
CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Index of tables:
----------------
W98.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
W98.F2:  "FileVirus 2": Results of "In-The-Wild" test for file viruses
W98.FA:  "Polyfile-Test": Results of Polymorphic test
W98.FB:  "VKIT Test": Results of VKIT file virus test
W98.F3:  "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses
         packed with PKZIP, LHA, ARJ and RAR
W98.F3a: "PKZIP-Packed File Viruses": Results of Detection
         of ITW File Viruses Packed with PKZIP
W98.F3b: "LHA-Packed File Viruses": Results of Detection
         of ITW File Viruses Packed with LHA
W98.F3c: "ARJ-Packed File Viruses": Results of Detection
         of ITW File Viruses Packed with ARJ
W98.F3d: "RAR-Packed File Viruses": Results of Detection
         of ITW File Viruses Packed with RAR
W98.F4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) file samples detected as "False positives"
W98.F5:  "File Malware": Results of "full" Zoo test for File-related
         malware

W98.M1:  "MacroVirus 1": Results of "full" test for macro viruses
W98.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro viruses
W98.M3:  "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses
         packed with PKZIP, LHA, ARJ and RAR
W98.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with PKZIP
W98.M3b: "LHA-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with LHA
W98.M3c: "ARJ-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with ARJ
W98.M3d: "RAR-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with RAR
W98.M4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) macro objects detected as "false positives"
W98.M5:  "Macro-Malware": Results of "full" zoo test for Macro-related
         malware


Table W98.F1: "FileVirus 1": Results of "full" zoo test
              for file viruses under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed 17149 100.0%            %            %  128556 100.0%
------------------------------------------------------------
AVA     16741  97.6     660  3.8     142  0.8   125820  97.9
AVG     14971  87.3     546  3.2     292  1.7   115919  90.2
AVK     15571  90.8     389  2.3       6  0.0   113182  88.1
AVP     17137  99.9     375  2.2       4  0.0   128517 100.0
AVX     12727  74.2     646  3.8    1368  8.0    89740  69.8
DRW     15354  89.5     447  2.6     169  1.0   115130  89.6
DSS     17132  99.9     562  3.3      27  0.2   128345  99.9
DWW     16837  98.2     400  2.3     174  1.0   126802  98.7
FPR     16110  93.9      62  0.4      54  0.3   122739  95.5
FSE     17146 100.0     100  0.6       1  0.0   128531 100.0
INO     16821  98.1     532  3.1     116  0.7   126063  98.1
IRS     16734  97.6     511  3.0     131  0.8   125584  97.7
ITM     11011  64.2     408  2.4     622  3.6    78024  60.7
NAV     16600  96.8    1109  6.5     189  1.1   124761  97.1
NOD     16738  97.6    1878 11.0     184  1.1   126732  98.6
NVC     16636  97.0    1125  6.6     275  1.6   125552  97.7
PAV     17137  99.9     375  2.2       4  0.0   128517 100.0
PCC     13924  81.2    2359 13.8     462  2.7   113557  88.3
PRO      6398  37.3     195  1.1     846  4.9    51612  40.2
SCN     17113  99.8     517  3.0      43  0.3   128090  99.7
TSC      9490  55.3     344  2.0     523  3.0    67588  52.6
VBW      4541  26.5      77  0.4    2637 15.4    24943  19.4
VET     11367  66.3     186  1.1     472  2.8    88544  68.9
VSP     14815  86.4    5660 33.0     928  5.4   102422  79.7
------------------------------------------------------------


Table W98.F2: "FileVirus 2": Results of "In-The-Wild" test
              for file viruses under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Maximum    87 100.0%            %            %    2867 100.0%
------------------------------------------------------------
AVA        87 100.0      14 16.1       3  3.4     2857  99.7
AVG        87 100.0      19 21.8       0  0.0     2867 100.0
AVK        78  89.7       4  4.6       0  0.0     2701  94.2
AVP        87 100.0       4  4.6       0  0.0     2867 100.0
AVX        71  81.6       2  2.3       8  9.2     2315  80.7
DRW        82  94.3       5  5.7       2  2.3     2788  97.2
DSS        87 100.0       9 10.3       0  0.0     2867 100.0
DWW        87 100.0       4  4.6       2  2.3     2865  99.9
FPR        85  97.7       0  0.0       1  1.1     2812  98.1
FSE        87 100.0       1  1.1       0  0.0     2867 100.0
INO        87 100.0       9 10.3       0  0.0     2867 100.0
IRS        87 100.0       9 10.3       2  2.3     2854  99.5
ITM        84  96.6       7  8.0      13 14.9     2378  82.9
NAV        85  97.7       9 10.3       1  1.1     2736  95.4
NOD        87 100.0      18 20.7       2  2.3     2865  99.9
NVC        87 100.0       6  6.9       1  1.1     2866 100.0
PAV        87 100.0       4  4.6       0  0.0     2867 100.0
PCC        87 100.0      26 29.9       5  5.7     2858  99.7
PRO        62  71.3       2  2.3      21 24.1     1771  61.8
SCN        87 100.0       9 10.3       0  0.0     2867 100.0
TSC        80  92.0       6  6.9      12 13.8     2646  92.3
VBW        42  48.3       1  1.1      29 33.3      847  29.5
VET        87 100.0       5  5.7       4  4.6     2863  99.9
VSP        79  90.8      29 33.3      14 16.1     2395  83.5
------------------------------------------------------------


Table W98.FA: "Polyfile-Test": Results of Polymorphic test
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed   400 100.0%            %            %   40000 100.0%
------------------------------------------------------------
AVA       400 100.0     104 26.0       1  0.3    39999 100.0
AVG       400 100.0       0  0.0       0  0.0    40000 100.0
AVK       400 100.0       0  0.0       0  0.0    40000 100.0
AVP       400 100.0       0  0.0       0  0.0    40000 100.0
AVX       300  75.0       8  2.0      69 17.3    28865  72.2
DRW       400 100.0       0  0.0       0  0.0    40000 100.0
DSS       400 100.0     103 25.8       0  0.0    40000 100.0
DWW       400 100.0       0  0.0       0  0.0    40000 100.0
FPR       400 100.0       0  0.0       0  0.0    40000 100.0
FSE       400 100.0       0  0.0       0  0.0    40000 100.0
INO       400 100.0       1  0.3       0  0.0    40000 100.0
IRS       400 100.0       1  0.3       0  0.0    40000 100.0
ITM       400 100.0     210 52.5      46 11.5    39943  99.9
NAV       400 100.0     108 27.0       0  0.0    40000 100.0
NOD       400 100.0       0  0.0       0  0.0    40000 100.0
NVC       400 100.0     100 25.0       0  0.0    40000 100.0
PCC       400 100.0     100 25.0       0  0.0    40000 100.0
PRO       150  37.5       0  0.0       0  0.0    15000  37.5
SCN       400 100.0     100 25.0       3  0.8    39997 100.0
TSC       301  75.3       0  0.0      12  3.0    29393  73.5
VBW        20   5.0       0  0.0      20  5.0     1070   2.7
VET       400 100.0      97 24.3       4  1.0    39996 100.0
VSP       390  97.5     361 90.3      29  7.3    38958  97.4
------------------------------------------------------------
Remark: For 4 polymorphic viruses (Maltese Amoeba, MTE.Encroacher.B,
        NATAS and TREMOR), 10,000 generations were produced with
        VTC's dynamic polymorphic test engine. For each virus,
        100 directories including infected objects with goat files
        of lengths ranging from 1 kByte to 100 kByte were generated.


Table W98.FB: "VKIT Test": Results of VKIT file virus test
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed 10706 100.0%            %            %  104640 100.0%
------------------------------------------------------------
AVA     10706 100.0    1638 15.3      27  0.3   104580  99.9
AVG      9937  92.8     796  7.4    1165 10.9    92587  88.5
AVK     10704 100.0    1427 13.3       3  0.0   104634 100.0
AVP     10704 100.0    1471 13.7      54  0.5   104538  99.9
AVX      9434  88.1      16  0.1    8543 79.8    29318  28.0
DRW     10703 100.0    1005  9.4      18  0.2   104228  99.6
DSS     10706 100.0    1310 12.2       0  0.0   104640 100.0
DWW     10704 100.0    1005  9.4      18  0.2   104569  99.9
FPR     10704 100.0     204  1.9       8  0.1   104612 100.0
FSE     10704 100.0     979  9.1       3  0.0   104634 100.0
INO     10703 100.0    1238 11.6       8  0.1   104578  99.9
IRS     10703 100.0    1043  9.7       8  0.1   104578  99.9
ITM      8913  83.3    4838 45.2     121  1.1    90946  86.9
NAV     10575  98.8     634  5.9     125  1.2   102625  98.1
NOD      9367  87.5    2788 26.0       6  0.1    93990  89.8
PAV     10704 100.0    1501 14.0       3  0.0   104634 100.0
PCC      5429  50.7     469  4.4    1131 10.6    42724  40.8
PRO       191   1.8       0  0.0     152  1.4      990   0.9
SCN     10706 100.0    1310 12.2       0  0.0   104640 100.0
TSC     10704 100.0    1261 11.8       3  0.0   104634 100.0
VBW        93   0.9       0  0.0      80  0.7      504   0.5
VET      9839  91.9      28  0.3     596  5.6    93162  89.0
VSP     10706 100.0   10587 98.9       0  0.0   104640 100.0
------------------------------------------------------------
Remark: A testbed of 10,706 viruses generated with the VKIT virus
        generator (out of about 14,000 viruses which can be generated)
        was used to test detection.
        This test was separated from the "normal" file virus test
        1) as these viruses were reported to VTC only in October,
           immediately before the testbeds were frozen, and
        2) as there is no agreement between AV producers whether
           viruses from VKIT should be counted just as 1 or as 14,000
           different viruses (boasting number of detected viruses
           to over 40,000).


Table W98.F3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW file viruses
              packed with PKZIP, LHA, ARJ and RAR
============================================================
        This includes Viruses detected per Packer
Scanner ZIP     %   LHA     %   ARJ     %   RAR     %
------------------------------------------------------------
Testbed  87 100.0    87 100.0    87 100.0    87 100.0
------------------------------------------------------------
AVA       0   0.0     0   0.0     0   0.0     0   0.0
AVG      86  98.9     0   0.0    86  98.9     0   0.0
AVK      87 100.0    87 100.0    87 100.0    87 100.0
AVP      87 100.0    87 100.0    87 100.0    87 100.0
AVX      71  81.6     0   0.0    68  78.2    71  81.6
DRW      87 100.0    87 100.0    87 100.0     0   0.0
DWW       0   0.0     0   0.0     0   0.0     0   0.0
DSS      87 100.0    87 100.0    87 100.0     0   0.0
FPR      87 100.0     0   0.0    87 100.0     0   0.0
FSE      87 100.0    87 100.0    87 100.0    87 100.0
INO      87 100.0    86  98.9    87 100.0     0   0.0
IRS       0   0.0     0   0.0     0   0.0     0   0.0
ITM       0   0.0     0   0.0     0   0.0     0   0.0
NAV      87 100.0    87 100.0    87 100.0     0   0.0
NOD      87 100.0     0   0.0    87 100.0    87 100.0
NVC      87 100.0    87 100.0    87 100.0     0   0.0
PAV      87 100.0    87 100.0    87 100.0    87 100.0
PCC      87 100.0    84  96.6    87 100.0    87 100.0
PRO       0   0.0     0   0.0     0   0.0     0   0.0
SCN      87 100.0    87 100.0     0   0.0     0   0.0
TSC       0   0.0     0   0.0     0   0.0     0   0.0
VBW       0   0.0     0   0.0     0   0.0     0   0.0
VET      87 100.0     0   0.0     0   0.0     0   0.0
VSP       0   0.0     0   0.0     0   0.0     0   0.0
------------------------------------------------------------


Table W98.F3a: "PKZIP-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with PKZIP under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed    87 100.0%            %            %    2867 100.0%
------------------------------------------------------------
AVA         3   3.4       0  0.0       3  3.4        3   0.1
AVG        86  98.9       0  0.0       0  0.0     2852  99.5
AVK        87 100.0       0  0.0       2  2.3     2819  98.3
AVP        87 100.0       0  0.0       1  1.1     2820  98.4
AVX        71  81.6       0  0.0      10 11.5     2313  80.7
DRW        87 100.0       0  0.0       2  2.3     2865  99.9
DSS        87 100.0       0  0.0       0  0.0     2867 100.0
DWW         0   0.0       0  0.0       0  0.0        0   0.0
FPR        87 100.0       0  0.0       1  1.1     2866 100.0
FSE        87 100.0       0  0.0       1  1.1     2866 100.0
INO        87 100.0       0  0.0       0  0.0     2867 100.0
IRS         0   0.0       0  0.0       0  0.0        0   0.0
ITM         4   4.6       0  0.0       4  4.6        4   0.1
NAV        87 100.0       0  0.0       1  1.1     2866 100.0
NOD        87 100.0       0  0.0       4  4.6     2853  99.5
NVC        87 100.0       0  0.0       2  2.3     2867 100.0
PAV        87 100.0       0  0.0       1  1.1     2820  98.4
PCC        87 100.0       0  0.0       7  8.0     2837  99.0
PRO         1   1.1       0  0.0       1  1.1        1   0.0
SCN        87 100.0       0  0.0       0  0.0     2867 100.0
TSC         0   0.0       0  0.0       0  0.0        0   0.0
VBW         2   2.3       0  0.0       2  2.3        2   0.1
VET        87 100.0       0  0.0       4  4.6     2863  99.9
VSP         2   2.3       0  0.0       2  2.3        2   0.1
------------------------------------------------------------


Table W98.F3b: "LHA-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with LHA under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed    87 100.0%            %            %    2867 100.0%
------------------------------------------------------------
AVA         2   2.3       0  0.0       2  2.3        2   0.1
AVG         2   2.3       0  0.0       2  2.3        2   0.1
AVK        87 100.0       0  0.0       0  0.0     2867 100.0
AVP        87 100.0       0  0.0       0  0.0     2867 100.0
AVX         2   2.3       0  0.0       2  2.3        2   0.1
DRW        87 100.0       0  0.0       2  2.3     2865  99.9
DSS        87 100.0       0  0.0       0  0.0     2867 100.0
DWW         0   0.0       0  0.0       0  0.0        0   0.0
FPR         0   0.0       0  0.0       0  0.0        0   0.0
FSE        87 100.0       0  0.0       0  0.0     2867 100.0
INO        86  98.9       0  0.0      86 98.9       96   3.3
IRS         0   0.0       0  0.0       0  0.0        0   0.0
ITM         3   3.4       0  0.0       3  3.4        3   0.1
NAV        87 100.0       0  0.0       1  1.1     2866 100.0
NOD         0   0.0       0  0.0       0  0.0        0   0.0
NVC        87 100.0       0  0.0       2  2.3     2865  99.9
PAV        87 100.0       0  0.0       0  0.0     2867 100.0
PCC        84  96.6       0  0.0       7  8.0     2629  91.7
PRO         0   0.0       0  0.0       0  0.0        0   0.0
SCN        87 100.0       0  0.0       0  0.0     2867 100.0
TSC         0   0.0       0  0.0       0  0.0        0   0.0
VBW         2   2.3       0  0.0       2  2.3        2   0.1
VET         2   2.3       0  0.0       2  2.3        2   0.1
VSP         2   2.3       0  0.0       2  2.3        2   0.1
------------------------------------------------------------


Table W98.F3c: "ARJ-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with ARJ under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed    87 100.0%            %            %    2867 100.0%
------------------------------------------------------------
AVA         2   2.3       0  0.0       2  2.3        2   0.1
AVG        86  98.9       0  0.0       0  0.0     2852  99.5
AVK        87 100.0       0  0.0       0  0.0     2867 100.0
AVP        87 100.0       0  0.0       0  0.0     2867 100.0
AVX        68  78.2       0  0.0       1  1.1     2432  84.8
DRW        87 100.0       0  0.0       2  2.3     2865  99.9
DSS        87 100.0       0  0.0       0  0.0     2867 100.0
DWW         0   0.0       0  0.0       0  0.0        0   0.0
FPR        87 100.0       0  0.0       1  1.1     2866 100.0
FSE        87 100.0       0  0.0       0  0.0     2867 100.0
INO        87 100.0       0  0.0       0  0.0     2867 100.0
IRS         0   0.0       0  0.0       0  0.0        0   0.0
ITM         3   3.4       0  0.0       3  3.4        3   0.1
NAV        87 100.0       0  0.0       1  1.1     2866 100.0
NOD        87 100.0       0  0.0       4  4.6     2853  99.5
NVC        87 100.0       0  0.0       1  1.1     2866 100.0
PAV        87 100.0       0  0.0       0  0.0     2867 100.0
PCC        87 100.0       0  0.0       7  8.0     2837  99.0
PRO         0   0.0       0  0.0       0  0.0        0   0.0
SCN         0   0.0       0  0.0       0  0.0        0   0.0
TSC         0   0.0       0  0.0       0  0.0        0   0.0
VBW         2   2.3       0  0.0       2  2.3        2   0.1
VET         2   2.3       0  0.0       2  2.3        2   0.1
VSP         3   3.4       0  0.0       3  3.4        3   0.1
------------------------------------------------------------


Table W98.F3d: "RAR-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with RAR under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed    87 100.0%            %            %    2867 100.0%
------------------------------------------------------------
AVA         4   4.6       0  0.0       4  4.6        4   0.1
AVG         3   3.4       0  0.0       3  3.4        3   0.1
AVK        87 100.0       0  0.0       0  0.0     2867 100.0
AVP        87 100.0       0  0.0       0  0.0     2867 100.0
AVX        71  81.6       0  0.0      17 19.5     2257  78.7
DRW         0   0.0       0  0.0       0  0.0        0   0.0
DSS         1   1.1       0  0.0       1  1.1        1   0.0
DWW         0   0.0       0  0.0       0  0.0        0   0.0
FPR         0   0.0       0  0.0       0  0.0        0   0.0
FSE        85  97.7       0  0.0      13 14.9     2020  70.5
INO         0   0.0       0  0.0       0  0.0        0   0.0
IRS         0   0.0       0  0.0       0  0.0        0   0.0
ITM         5   5.7       0  0.0       5  5.7        5   0.2
NAV         0   0.0       0  0.0       0  0.0        0   0.0
NOD        87 100.0       0  0.0       4  4.6     2853  99.5
NVC         0   0.0       0  0.0       0  0.0        0   0.0
PCC        87 100.0       0  0.0       7  8.0     2837  99.0
PRO         1   1.1       0  0.0       1  1.1        1   0.0
SCN         0   0.0       0  0.0       0  0.0        0   0.0
TSC         0   0.0       0  0.0       0  0.0        0   0.0
VBW         2   2.3       0  0.0       2  2.3        2   0.1
VET         3   3.4       0  0.0       3  3.4        3   0.1
VSP         2   2.3       0  0.0       2  2.3        2   0.1
------------------------------------------------------------


Table W98.F4: "False Positive" detection: Results of "full" Zoo test
              for Non-viral (clean) samples detected as
              "false positives" under Windows 98:
============================================================
        Falsely           This includes
        detected      ---- unreliably ----        Files
Scanner Viruses       identified   detected       detected
------------------------------------------------------------
Testbed    30 100.0%            %            %    3300 100.0%
------------------------------------------------------------
AVA         1   3.3       0  0.0       1  3.3        1   0.0
AVG         1   3.3       0  0.0       1  3.3        1   0.0
AVK         0   0.0       0  0.0       0  0.0        0   0.0
AVP         0   0.0       0  0.0       0  0.0        0   0.0
AVX         4  13.3       0  0.0       4 13.3        7   0.2
DRW        10  33.3       0  0.0      10 33.3       11   0.3
DSS         1   3.3       0  0.0       1  3.3        1   0.0
DWW         9  30.0       0  0.0       9 30.0       10   0.3
FPR         0   0.0       0  0.0       0  0.0        0   0.0
FSE         0   0.0       0  0.0       0  0.0        0   0.0
INO         2   6.7       0  0.0       2  6.7        4   0.1
IRS         2   6.7       0  0.0       2  6.7        4   0.1
ITM         1   3.3       0  0.0       1  3.3        1   0.0
NAV         1   3.3       0  0.0       1  3.3        1   0.0
NOD         7  23.3       0  0.0       7 23.3        7   0.2
NVC         0   0.0       0  0.0       0  0.0        0   0.0
PAV         0   0.0       0  0.0       0  0.0        0   0.0
PCC         2   6.7       0  0.0       2  6.7        3   0.1
PRO         0   0.0       0  0.0       0  0.0        0   0.0
SCN         0   0.0       0  0.0       0  0.0        0   0.0
TSC         0   0.0       0  0.0       0  0.0        0   0.0
VBW         0   0.0       0  0.0       0  0.0        0   0.0
VET         2   6.7       0  0.0       2  6.7        2   0.1
VSP        15  50.0       0  0.0      15 50.0       18   0.5
------------------------------------------------------------
Remark: within 30 non-viral directories and a total of 3300 non-viral
        objects, at least one sample in N directories was falsely
        detected (N = number in column 1)


Table W98.F5: "File Malware": Results of "full" zoo test
              for File-related malware under Windows 98:
============================================================
                          This includes
        Malware       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed  2485 100.0%            %            %    3853 100.0%
------------------------------------------------------------
AVA      1659  66.8      54  2.2      14  0.6     2598  67.4
AVG      1637  65.9      20  0.8      17  0.7     2261  58.7
AVK      2356  94.8      44  1.8       7  0.3     3548  92.1
AVP      2359  94.9      43  1.7       6  0.2     3552  92.2
AVX      1460  58.8      30  1.2      27  1.1     1962  50.9
DRW      1177  47.4      20  0.8      12  0.5     1874  48.6
DSS      2426  97.6      33  1.3       4  0.2     3775  98.0
DWW      1849  74.4      22  0.9      14  0.6     2766  71.8
FPR      2216  89.2      16  0.6      28  1.1     3403  88.3
FSE      2468  99.3      61  2.5       3  0.1     3829  99.4
INO      2193  88.2      38  1.5      11  0.4     3328  86.4
IRS      2178  87.6      39  1.6       9  0.4     3305  85.8
ITM      1113  44.8      12  0.5      49  2.0     1440  37.4
NAV      2235  89.9      55  2.2      47  1.9     3390  88.0
NOD      1611  64.8      70  2.8      22  0.9     2360  61.3
NVC      1725  69.4      49  2.0      37  1.5     2707  70.3
PAV      2359  94.9      43  1.7       6  0.2     3552  92.2
PCC      1524  61.3      27  1.1      40  1.6     2457  63.8
PRO       291  11.7       2  0.1      37  1.5      382   9.9
SCN      2417  97.3      38  1.5       4  0.2     3755  97.5
TSC      1421  57.2      25  1.0      27  1.1     1864  48.4
VBW       404  16.3       2  0.1      55  2.2      558  14.5
VET      1090  43.9       4  0.2      36  1.4     1535  39.8
VSP      1885  75.9     269 10.8      32  1.3     2537  65.8
------------------------------------------------------------


Table W98.M1: "MacroVirus 1": Results of "full" zoo test
              for macro viruses under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed  2874 100.0%            %            %    7765 100.0%
------------------------------------------------------------
ACU      2806  97.6      28  1.0       1  0.0     7647  98.5
AVA      2757  95.9      23  0.8       7  0.2     7504  96.6
AVG      2371  82.5       9  0.3      12  0.4     6395  82.4
AVK      2863  99.6      51  1.8       0  0.0     7747  99.8
AVP      2850  99.2      41  1.4       0  0.0     7731  99.6
DRW      2824  98.3      45  1.6       5  0.2     7673  98.8
DSS      2874 100.0       9  0.3       0  0.0     7765 100.0
DWW      2823  98.2      45  1.6       5  0.2     7672  98.8
FMA      2861  99.5       3  0.1       2  0.1     7724  99.5
FPR      2868  99.8      22  0.8       2  0.1     7743  99.7
FSE      2874 100.0      25  0.9       0  0.0     7765 100.0
FWN      2864  99.7      29  1.0       0  0.0     7744  99.7
HMV      2861  99.5      28  1.0       7  0.2     7734  99.6
INO      2867  99.8      47  1.6       2  0.1     7745  99.7
IRS      2860  99.5      45  1.6       5  0.2     7724  99.5
ITM      2039  70.9     140  4.9      58  2.0     5319  68.5
IVB      2729  95.0       0  0.0      62  2.2     7307  94.1
NAV      2865  99.7      39  1.4       4  0.1     7741  99.7
NOD      2869  99.8      32  1.1       4  0.1     7750  99.8
NVC      2849  99.1      30  1.0       5  0.2     7703  99.2
PAV      2859  99.5      51  1.8       0  0.0     7743  99.7
PCC      2817  98.0      50  1.7       6  0.2     7673  98.8
PRO      1668  58.0       1  0.0      53  1.8     4413  56.8
SCN      2874 100.0      13  0.5       0  0.0     7765 100.0
TSC      2200  76.5     121  4.2      39  1.4     6058  78.0
VBW      2683  93.4       0  0.0       6  0.2     7321  94.3
VET      2804  97.6       2  0.1       4  0.1     7629  98.2
VSP        12   0.4       0  0.0       9  0.3       12   0.2
------------------------------------------------------------


Table W98.M2: "MacroVirus 2": Results of "In-The-Wild" test
              for macro viruses under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed    83 100.0%            %            %     675 100.0%
------------------------------------------------------------
ACU        82  98.8       0  0.0       0  0.0      662  98.1
AVA        83 100.0       1  1.2       0  0.0      675 100.0
AVG        83 100.0       1  1.2       1  1.2      674  99.9
AVK        83 100.0       3  3.6       0  0.0      675 100.0
AVP        83 100.0       2  2.4       0  0.0      675 100.0
DRW        83 100.0       3  3.6       0  0.0      675 100.0
DSS        83 100.0       0  0.0       0  0.0      675 100.0
DWW        83 100.0       3  3.6       0  0.0      675 100.0
FMA        83 100.0       0  0.0       0  0.0      675 100.0
FPR        83 100.0       2  2.4       0  0.0      675 100.0
FSE        83 100.0       2  2.4       0  0.0      675 100.0
FWN        83 100.0       1  1.2       0  0.0      675 100.0
HMV        83 100.0       2  2.4       1  1.2      674  99.9
INO        83 100.0       4  4.8       1  1.2      674  99.9
IRS        83 100.0       4  4.8       1  1.2      674  99.9
ITM        82  98.8      18 21.7       4  4.8      660  97.8
IVB        83 100.0       0  0.0       4  4.8      663  98.2
NAV        83 100.0       1  1.2       0  0.0      675 100.0
NOD        83 100.0       2  2.4       3  3.6      670  99.3
NVC        83 100.0       1  1.2       0  0.0      675 100.0
PAV        83 100.0       3  3.6       0  0.0      675 100.0
PCC        83 100.0       3  3.6       1  1.2      674  99.9
PRO        52  62.7       1  1.2      14 16.9      473  70.1
SCN        83 100.0       0  0.0       0  0.0      675 100.0
TSC        74  89.2      21 25.3       3  3.6      622  92.1
VBW        81  97.6       0  0.0       1  1.2      668  99.0
VET        83 100.0       0  0.0       0  0.0      675 100.0
VSP         0   0.0       0  0.0       0  0.0        0   0.0
------------------------------------------------------------


Table W98.M3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW macro viruses
              packed with PKZIP, LHA, ARJ and RAR
============================================================
        This includes Viruses detected per Packer
Scanner ZIP     %   LHA     %   ARJ     %   RAR     %
------------------------------------------------------------
Testbed  83 100.0    83 100.0    83 100.0    83 100.0
------------------------------------------------------------
ACU       0   0.0     0   0.0     0   0.0     0   0.0
AVA       0   0.0     0   0.0     0   0.0     0   0.0
AVG      83 100.0     0   0.0    83 100.0     0   0.0
AVK      83 100.0    83 100.0    83 100.0    83 100.0
AVP      83 100.0    83 100.0    83 100.0    83 100.0
AVX      83 100.0     0   0.0    83 100.0    83 100.0
DRW      83 100.0    83 100.0    83 100.0     0   0.0
DWW       0   0.0     0   0.0     0   0.0     0   0.0
DSS      83 100.0    83 100.0    83 100.0     0   0.0
FMA       0   0.0     0   0.0     0   0.0     0   0.0
FPR      83 100.0     0   0.0    83 100.0     0   0.0
FSE      83 100.0    83 100.0    83 100.0    83 100.0
FWN      83 100.0     0   0.0     0   0.0    83 100.0
HMV       0   0.0     0   0.0     0   0.0     0   0.0
INO      83 100.0    82  98.8    83 100.0     0   0.0
IRS       0   0.0     0   0.0     0   0.0     0   0.0
ITM       0   0.0     0   0.0     0   0.0     0   0.0
IVB       0   0.0     0   0.0     0   0.0     0   0.0
NAV      83 100.0    83 100.0    83 100.0     0   0.0
NOD      83 100.0     0   0.0    83 100.0    83 100.0
NVC      83 100.0     0   0.0    83 100.0     0   0.0
PAV      83 100.0    83 100.0    83 100.0    83 100.0
PCC      83 100.0    83 100.0    83 100.0    83 100.0
PRO       0   0.0     0   0.0     0   0.0     0   0.0
SCN      83 100.0    83 100.0     0   0.0     0   0.0
TSC       0   0.0     0   0.0     0   0.0     0   0.0
VBW       0   0.0     0   0.0     0   0.0     0   0.0
VET      83 100.0     0   0.0     0   0.0     0   0.0
VSP       0   0.0     0   0.0     0   0.0     0   0.0
------------------------------------------------------------


Table W98.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with PKZIP under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed    83 100.0%            %            %     675 100.0%
------------------------------------------------------------
ACU         0   0.0       0  0.0       0  0.0        0   0.0
AVA         0   0.0       0  0.0       0  0.0        0   0.0
AVG        83 100.0       0  0.0       1  1.2      674  99.9
AVK        83 100.0       0  0.0       0  0.0      675 100.0
AVP        83 100.0       0  0.0       0  0.0      675 100.0
AVX        83 100.0       0  0.0       2  2.4      669  99.1
DRW        83 100.0       0  0.0       0  0.0      675 100.0
DSS        83 100.0       0  0.0       0  0.0      675 100.0
DWW         0   0.0       0  0.0       0  0.0        0   0.0
FMA         0   0.0       0  0.0       0  0.0        0   0.0
FPR        83 100.0       0  0.0       0  0.0      675 100.0
FSE        83 100.0       *  ***       *  ***     * Remark *
FWN        83 100.0       0  0.0       0  0.0      675 100.0
HMV         0   0.0       0  0.0       0  0.0        0   0.0
INO        83 100.0       0  0.0       1  1.2      674  99.9
IRS         0   0.0       0  0.0       0  0.0        0   0.0
ITM         0   0.0       0  0.0       0  0.0        0   0.0
IVB         0   0.0       0  0.0       0  0.0        0   0.0
NAV        83 100.0       0  0.0       0  0.0      675 100.0
NOD        83 100.0       0  0.0       3  3.6      670  99.3
NVC        83 100.0       0  0.0       0  0.0      675 100.0
PAV        83 100.0       0  0.0       0  0.0      675 100.0
PCC        83 100.0       0  0.0       1  1.2      674  99.9
PRO         0   0.0       0  0.0       0  0.0        0   0.0
SCN        83 100.0       0  0.0       0  0.0      675 100.0
TSC         0   0.0       0  0.0       0  0.0        0   0.0
VBW         0   0.0       0  0.0       0  0.0        0   0.0
VET        83 100.0       0  0.0       0  0.0      675 100.0
VSP         1   1.2       0  0.0       1  1.2        1   0.1
------------------------------------------------------------
Remark: In some cases, FSE pretends to detect double infections;
        as this scanner does not always print the path of checked
        files, the number of reliably detected viruses could not
        be calculated.


Table W98.M3b: "LHA-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with LHA under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed    83 100.0%            %            %     675 100.0%
------------------------------------------------------------
ACU         0   0.0       0  0.0       0  0.0        0   0.0
AVA         0   0.0       0  0.0       0  0.0        0   0.0
AVG         0   0.0       0  0.0       0  0.0        0   0.0
AVK        83 100.0       0  0.0       0  0.0      675 100.0
AVP        83 100.0       0  0.0       0  0.0      675 100.0
AVX         0   0.0       0  0.0       0  0.0        0   0.0
DRW        83 100.0       0  0.0       0  0.0      675 100.0
DSS        83 100.0       0  0.0       0  0.0      675 100.0
DWW         0   0.0       0  0.0       0  0.0        0   0.0
FMA         0   0.0       0  0.0       0  0.0        0   0.0
FPR         0   0.0       0  0.0       0  0.0        0   0.0
FSE        83 100.0       *  ***       *  ***     * Remark *
FWN         0   0.0       0  0.0       0  0.0        0   0.0
HMV         0   0.0       0  0.0       0  0.0        0   0.0
INO        82  98.8       0  0.0      81 97.6       82  12.1
IRS         0   0.0       0  0.0       0  0.0        0   0.0
ITM         0   0.0       0  0.0       0  0.0        0   0.0
IVB         0   0.0       0  0.0       0  0.0        0   0.0
NAV        83 100.0       0  0.0       0  0.0      675 100.0
NOD         0   0.0       0  0.0       0  0.0        0   0.0
NVC         0   0.0       0  0.0       0  0.0        0   0.0
PAV        83 100.0       0  0.0       0  0.0      675 100.0
PCC        83 100.0       0  0.0       1  1.2      674  99.9
PRO         0   0.0       0  0.0       0  0.0        0   0.0
SCN        83 100.0       0  0.0       0  0.0      675 100.0
TSC         0   0.0       0  0.0       0  0.0        0   0.0
VBW         0   0.0       0  0.0       0  0.0        0   0.0
VET         0   0.0       0  0.0       0  0.0        0   0.0
VSP         1   1.2       0  0.0       1  1.2        1   0.1
------------------------------------------------------------
Remark: In some cases, FSE pretends to detect double infections;
        as this scanner does not always print the path of checked
        files, the number of reliably detected viruses could not
        be calculated.


Table W98.M3c: "ARJ-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with ARJ under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed    83 100.0%            %            %     675 100.0%
------------------------------------------------------------
ACU         0   0.0       0  0.0       0  0.0        0   0.0
AVA         0   0.0       0  0.0       0  0.0        0   0.0
AVG        83 100.0       0  0.0       1  1.2      674  99.9
AVK        83 100.0       0  0.0       0  0.0      675 100.0
AVP        83 100.0       0  0.0       0  0.0      675 100.0
AVX        83 100.0       0  0.0       2  2.4      669  99.1
DRW        83 100.0       0  0.0       0  0.0      675 100.0
DSS        83 100.0       0  0.0       0  0.0      675 100.0
DWW         0   0.0       0  0.0       0  0.0        0   0.0
FMA         0   0.0       0  0.0       0  0.0        0   0.0
FPR        83 100.0       0  0.0       0  0.0      675 100.0
FSE        83 100.0       *  ***       *  ***     * Remark *
FWN         0   0.0       0  0.0       0  0.0        0   0.0
HMV         0   0.0       0  0.0       0  0.0        0   0.0
INO        83 100.0       0  0.0       1  1.2      674  99.9
IRS         0   0.0       0  0.0       0  0.0        0   0.0
ITM         0   0.0       0  0.0       0  0.0        0   0.0
IVB         0   0.0       0  0.0       0  0.0        0   0.0
NAV        83 100.0       0  0.0       0  0.0      675 100.0
NOD        83 100.0       0  0.0       3  3.6      670  99.3
NVC        83 100.0       0  0.0       0  0.0      675 100.0
PAV        83 100.0       0  0.0       0  0.0      675 100.0
PCC        83 100.0       0  0.0       1  1.2      674  99.9
PRO         0   0.0       0  0.0       0  0.0        0   0.0
SCN         0   0.0       0  0.0       0  0.0        0   0.0
TSC         0   0.0       0  0.0       0  0.0        0   0.0
VBW         0   0.0       0  0.0       0  0.0        0   0.0
VET         0   0.0       0  0.0       0  0.0        0   0.0
VSP         0   0.0       0  0.0       0  0.0        0   0.0
------------------------------------------------------------
Remark: In some cases, FSE pretends to detect double infections;
        as this scanner does not always print the path of checked
        files, the number of reliably detected viruses could not
        be calculated.


Table WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with RAR under Windows 98:
============================================================
                          This includes
        Viruses       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed    83 100.0%            %            %     675 100.0%
------------------------------------------------------------
ACU         0   0.0       0  0.0       0  0.0        0   0.0
AVA         0   0.0       0  0.0       0  0.0        0   0.0
AVG         0   0.0       0  0.0       0  0.0        0   0.0
AVK        83 100.0       0  0.0       0  0.0      675 100.0
AVP        83 100.0       0  0.0       0  0.0      675 100.0
AVX        83 100.0       0  0.0       2  2.4      669  99.1
DRW         0   0.0       0  0.0       0  0.0        0   0.0
DSS         0   0.0       0  0.0       0  0.0        0   0.0
DWW         0   0.0       0  0.0       0  0.0        0   0.0
FMA         0   0.0       0  0.0       0  0.0        0   0.0
FPR         0   0.0       0  0.0       0  0.0        0   0.0
FSE        83 100.0       *  ***       *  ***     * Remark *
FWN        83 100.0       0  0.0       0  0.0      675 100.0
HMV         0   0.0       0  0.0       0  0.0        0   0.0
INO         0   0.0       0  0.0       0  0.0        0   0.0
IRS         0   0.0       0  0.0       0  0.0        0   0.0
ITM         0   0.0       0  0.0       0  0.0        0   0.0
IVB         0   0.0       0  0.0       0  0.0        0   0.0
NAV         0   0.0       0  0.0       0  0.0        0   0.0
NOD        83 100.0       0  0.0       3  3.6      670  99.3
NVC         0   0.0       0  0.0       0  0.0        0   0.0
PAV        83 100.0       0  0.0       0  0.0      675 100.0
PCC        83 100.0       0  0.0       1  1.2      674  99.9
PRO         0   0.0       0  0.0       0  0.0        0   0.0
SCN         0   0.0       0  0.0       0  0.0        0   0.0
TSC         0   0.0       0  0.0       0  0.0        0   0.0
VBW         0   0.0       0  0.0       0  0.0        0   0.0
VET         0   0.0       0  0.0       0  0.0        0   0.0
VSP         0   0.0       0  0.0       0  0.0        0   0.0
------------------------------------------------------------
Remark: In some cases, FSE pretends to detect double infections;
        as this scanner does not always print the path of checked
        files, the number of reliably detected viruses could not
        be calculated.


Table W98.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows 98:
============================================================
        Falsely           This includes
        detected      ---- unreliably ----        Files
Scanner Viruses       identified   detected       detected
------------------------------------------------------------
Testbed    25 100.0%            %            %     362 100.0%
------------------------------------------------------------
ACU        18  72.0       0  0.0      18 72.0       53  14.6
AVA         0   0.0       0  0.0       0  0.0        0   0.0
AVG         1   4.0       0  0.0       1  4.0        1   0.3
AVK         0   0.0       0  0.0       0  0.0        0   0.0
AVP         2   8.0       0  0.0       2  8.0        4   1.1
DRW        20  80.0       0  0.0      20 80.0      106  29.3
DSS         0   0.0       0  0.0       0  0.0        0   0.0
DWW        21  84.0       0  0.0      21 84.0      110  30.4
FMA         3  12.0       0  0.0       3 12.0        4   1.1
FPR         3  12.0       0  0.0       3 12.0        4   1.1
FSE         3  12.0       0  0.0       3 12.0        4   1.1
FWN        23  92.0       0  0.0      23 92.0      193  53.3
HMV         7  28.0       0  0.0       7 28.0       11   3.0
INO        16  64.0       0  0.0      16 64.0       35   9.7
IRS        16  64.0       0  0.0      16 64.0       35   9.7
ITM         6  24.0       0  0.0       6 24.0       10   2.8
IVB        24  96.0       0  0.0      24 96.0      180  49.7
NAV         5  20.0       0  0.0       5 20.0        5   1.4
NOD         7  28.0       0  0.0       7 28.0       12   3.3
NVC         1   4.0       0  0.0       1  4.0        3   0.8
PAV         2   8.0       0  0.0       2  8.0        4   1.1
PCC         4  16.0       0  0.0       4 16.0        5   1.4
PRO         1   4.0       0  0.0       1  4.0        1   0.3
SCN         0   0.0       0  0.0       0  0.0        0   0.0
TSC        14  56.0       0  0.0      14 56.0       26   7.2
VBW        24  96.0       0  0.0      22 88.0      162  44.8
VET         8  32.0       0  0.0       8 32.0       16   4.4
VSP         0   0.0       0  0.0       0  0.0        0   0.0
------------------------------------------------------------
Remark: within 25 non-viral directories and a total of 362 non-viral
        objects, at least one sample in N directories was falsely
        detected (N = number in column 1)


Table W98.M5: "Macro-Malware": Results of "full" zoo test
              for Macro-related malware under Windows 98:
============================================================
                          This includes
        Malware       ---- unreliably ----        Files
Scanner detected      identified   detected       detected
------------------------------------------------------------
Testbed   142 100.0%            %            %     200 100.0%
------------------------------------------------------------
ACU       133  93.7       4  2.8       0  0.0      190  95.0
AVA       130  91.5       2  1.4       1  0.7      185  92.5
AVG        98  69.0       1  0.7       2  1.4      146  73.0
AVK       136  95.8       1  0.7       1  0.7      193  96.5
AVP       130  91.5       0  0.0       2  1.4      186  93.0
AVX        88  62.0       1  0.7       5  3.5      125  62.5
DRW       116  81.7       1  0.7       2  1.4      168  84.0
DSS       140  98.6       0  0.0       0  0.0      198  99.0
DWW       115  81.0       1  0.7       2  1.4      167  83.5
FMA       137  96.5       1  0.7       0  0.0      195  97.5
FPR       139  97.9       1  0.7       0  0.0      197  98.5
FSE       140  98.6       1  0.7       0  0.0      198  99.0
FWN       137  96.5       2  1.4       0  0.0      195  97.5
HMV       137  96.5       0  0.0       1  0.7      194  97.0
INO       136  95.8       0  0.0       3  2.1      191  95.5
IRS       135  95.1       0  0.0       3  2.1      190  95.0
ITM        39  27.5       0  0.0       0  0.0       52  26.0
IVB       118  83.1       0  0.0       1  0.7      167  83.5
NAV       129  90.8       0  0.0       1  0.7      183  91.5
NOD       137  96.5       1  0.7       0  0.0      195  97.5
NVC       128  90.1       2  1.4       1  0.7      184  92.0
PAV       134  94.4       1  0.7       1  0.7      191  95.5
PCC       122  85.9       1  0.7       1  0.7      175  87.5
PRO        38  26.8       0  0.0       3  2.1       70  35.0
SCN       140  98.6       0  0.0       0  0.0      198  99.0
TSC       105  73.9       5  3.5       1  0.7      156  78.0
VBW       103  72.5       0  0.0       4  2.8      147  73.5
VET       127  89.4       1  0.7       1  0.7      183  91.5
VSP         1   0.7       0  0.0       0  0.0        1   0.5
------------------------------------------------------------