================================================
File 6GWNT.TXT: Detailed results of File and Macro Virus
related on-demand scanner tests under Windows NT:
================================================
(Formatted with non-proportional font: Courier; 72 columns)

The following tables summarize detection and identification quality
concerning FILE and MACRO viruses as well as selected FILE and MACRO
MALWARE, both in full "zoo" virus collection and for viral ITW testbed.

Additionally, test results are reported concerning detection of
(4*10,000) viruses in a testbed with generations of 4 polymorphic file
viruses, as well as a subset of 10,706 viruses generated from VKIT
virus construction kit. Moreover, results for detection of viruses in
files compressed with 4 popular packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen from
available CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Index of tables:
----------------
WNT.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
WNT.F2:  "FileVirus 2": Results of "In-The-Wild" test for file viruses
WNT.FA:  "Polyfile-Test": Results of Polymorphic test
WNT.FB:  "VKIT Test": Results of VKIT file virus test
WNT.F3:  "Comparison of Detection Rate of Packed Viruses": Results of
         Detection Rate of ITW file viruses packed with PKZIP, LHA,
         ARJ and RAR
WNT.F3a: "PKZIP-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with PKZIP
WNT.F3b: "LHA-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with LHA
WNT.F3c: "ARJ-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with ARJ
WNT.F3d: "RAR-Packed File Viruses": Results of Detection of ITW
         File Viruses Packed with RAR
WNT.F4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) file samples detected as "False positives"
WNT.F5:  "File Malware": Results of "full" Zoo test for File-related
         malware
WNT.M1:  "MacroVirus 1": Results of "full" test for macro viruses
WNT.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro
         viruses
WNT.M3:  "Comparison of Detection Rate of Packed Viruses": Results of
         Detection Rate of ITW file viruses packed with PKZIP, LHA,
         ARJ and RAR
WNT.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with PKZIP
WNT.M3b: "LHA-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with LHA
WNT.M3c: "ARJ-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with ARJ
WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection of ITW
         macro Viruses Packed with RAR
WNT.M4:  "False Positive" detection: Results of "full" zoo test for
         non-viral (clean) macro objects detected as "false positives"
WNT.M5:  "Macro-Malware": Results of "full" zoo test for Macro-related
         malware


Table WNT.F1: "FileVirus 1": Results of "full" test
              for file viruses under Windows NT:
===================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Testbed  17148 100.0%            %            % 128534 100.0%
-----------------------------------------------------------
AVA      16645  97.1    652   3.8    147   0.9  125592  97.7
AVG      14972  87.3    546   3.2    293   1.7  115920  90.2
AVK      15472  90.2    377   2.2      9   0.1  121736  94.7
AVP      17137  99.9    375   2.2      4   0.0  128517 100.0
AVX      12726  74.2    646   3.8   1367   8.0   89738  69.8
DRW      16005  93.3    452   2.6    170   1.0  119432  92.9
DSS      17021  99.3    557   3.2     30   0.2  127569  99.2
DWW      16837  98.2    400   2.3    175   1.0  126799  98.7
FPR      16924  98.7     65   0.4     59   0.3  127956  99.6
FSE      17146 100.0     97   0.6      4   0.0  128528 100.0
INO      16817  98.1    532   3.1    116   0.7  126034  98.1
IRS      16734  97.6    511   3.0    130   0.8  125586  97.7
NAV      16804  98.0   1111   6.5    190   1.1  126573  98.5
NOD      16738  97.6   1877  10.9    185   1.1  126731  98.6
NVC      16534  96.4   1107   6.5    278   1.6  124783  97.1
PAV      16663  97.2    370   2.2      6   0.0  125135  97.4
PRO       6398  37.3    195   1.1    846   4.9   51612  40.2
RA7      15311  89.3    936   5.5    487   2.8  115845  90.1
RAV      14660  85.5   1357   7.9    660   3.8  110503  86.0
SCN      16990  99.1    581   3.4     50   0.3  127300  99.0
VET      11214  65.4    182   1.1    472   2.8   87902  68.4
VSP      14913  87.0   7942  46.3   1079   6.3  104011  80.9
-----------------------------------------------------------


Table WNT.F2: "FileVirus 2": Results of "In-The-Wild" test
              for file viruses under Windows NT:
======================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Testbed     87 100.0%            %            %   2867 100.0%
-----------------------------------------------------------
AVA         87 100.0     14  16.1      3   3.4    2857  99.7
AVG         87 100.0     19  21.8      0   0.0    2867 100.0
AVK         82  94.3      4   4.6      0   0.0    2668  93.1
AVP         87 100.0      4   4.6      0   0.0    2867 100.0
AVX         71  81.6      2   2.3      8   9.2    2315  80.7
DRW         83  95.4      5   5.7      2   2.3    2740  95.6
DSS         83  95.4      8   9.2      0   0.0    2696  94.0
DWW         87 100.0      4   4.6      2   2.3    2865  99.9
FPR         87 100.0      0   0.0      1   1.1    2866 100.0
FSE         87 100.0      1   1.1      0   0.0    2867 100.0
INO         87 100.0      9  10.3      0   0.0    2867 100.0
IRS         87 100.0      9  10.3      2   2.3    2854  99.5
NAV         87 100.0      9  10.3      1   1.1    2866 100.0
NOD         87 100.0     18  20.7      2   2.3    2865  99.9
NVC         83  95.4      5   5.7      1   1.1    2695  94.0
PAV         86  98.9      4   4.6      0   0.0    2856  99.6
PRO         62  71.3      2   2.3     21  24.1    1771  61.8
RA7         87 100.0      6   6.9      4   4.6    2849  99.4
RAV         87 100.0      6   6.9      4   4.6    2849  99.4
SCN         83  95.4      9  10.3      0   0.0    2696  94.0
VET         87 100.0      5   5.7      4   4.6    2863  99.9
VSP         75  86.2     54  62.1     13  14.9    2225  77.6
-----------------------------------------------------------


Table WNT.FA: "Polyfile-Test": Results of Polymorphic test:
===========================================================
                           This includes
         Entries        ---- unreliably ----    Generations
Scanner  detected     identified    detected      detected
----------------------------------------------------------
Testbed    400 100.0%            %            %  40000 100.0%
----------------------------------------------------------
AVA        400 100.0    104  26.0      1   0.3   39999 100.0
AVG        400 100.0      0   0.0      0   0.0   40000 100.0
AVK        400 100.0      0   0.0      0   0.0   40000 100.0
AVP        400 100.0      0   0.0      0   0.0   40000 100.0
AVX        300  75.0      8   2.0     85  21.3   28845  72.1
DRW        400 100.0      3   0.8     29   7.3   39971  99.9
DSS        400 100.0    103  25.8      0   0.0   40000 100.0
DWW        400 100.0      0   0.0      0   0.0   40000 100.0
FPR        400 100.0      0   0.0      0   0.0   40000 100.0
FSE        400 100.0      0   0.0      0   0.0   40000 100.0
INO        400 100.0      1   0.3      0   0.0   40000 100.0
IRS        400 100.0      1   0.3      0   0.0   40000 100.0
NAV        400 100.0    108  27.0      0   0.0   40000 100.0
NOD        400 100.0      0   0.0      0   0.0   40000 100.0
NVC        400 100.0    100  25.0      0   0.0   40000 100.0
PAV        400 100.0      0   0.0      0   0.0   40000 100.0
PRO        150  37.5      0   0.0      0   0.0   15000  37.5
RA7        400 100.0      0   0.0      1   0.3   39997 100.0
RAV        400 100.0      0   0.0      0   0.0   40000 100.0
SCN        400 100.0    100  25.0      3   0.8   39997 100.0
VET        400 100.0     97  24.3      4   1.0   39996 100.0
VSP        400 100.0    400 100.0      0   0.0   40000 100.0
----------------------------------------------------------
Remark: For 4 polymorphic viruses (Maltese Amoeba, MTE.Encroacher.B,
NATAS and TREMOR), 10,000 generations were produced with VTC's
dynamic polymorphic test engine. For each virus, 100 directories
including infected objects with goat files of lengths ranging from
1 kByte to 100 kByte were generated.


Table WNT.FB: "VKIT Test": Results of VKIT file virus test:
===========================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Testbed  10706 100.0%            %            % 104640 100.0%
-----------------------------------------------------------
AVA      10706 100.0   1638  15.3     27   0.3  104580  99.9
AVG       9937  92.8    796   7.4   1165  10.9   92587  88.5
AVK      10704 100.0   1427  13.3      3   0.0  104634 100.0
AVP      10704 100.0   1471  13.7     54   0.5  104538  99.9
AVX       9434  88.1     16   0.1   8543  79.8   29318  28.0
DRW      10704 100.0   1005   9.4     16   0.1  104572  99.9
DSS      10706 100.0   1310  12.2      0   0.0  104640 100.0
DWW      10704 100.0   1005   9.4     16   0.1  104572  99.9
FPR      10704 100.0    204   1.9      8   0.1  104612 100.0
FSE      10704 100.0    979   9.1      3   0.0  104634 100.0
INO      10703 100.0   1238  11.6      8   0.1  104578  99.9
IRS      10703 100.0   1043   9.7      8   0.1  104578  99.9
NAV      10575  98.8    634   5.9    125   1.2  102625  98.1
NOD       9367  87.5   1095  10.2      6   0.1   93990  89.8
NVC      10704 100.0   6198  57.9    327   3.1  102041  97.5
PAV      10704 100.0   1501  14.0      3   0.0  104634 100.0
PRO        191   1.8      0   0.0    152   1.4     990   0.9
RA7      10704 100.0   1315  12.3      7   0.1  104622 100.0
RAV       9367  87.5   1396  13.0      9   0.1   93972  89.8
SCN      10705 100.0   1338  12.5      0   0.0  104627 100.0
VET       9839  91.9     28   0.3    596   5.6   93160  89.0
VSP      10706 100.0  10587  98.9      0   0.0  104640 100.0
-----------------------------------------------------------
Remark: A testbed of 10,706 viruses generated with the VKIT virus
generator (out of about 14,000 viruses which can be generated) was
used to test detection.
This test was separated from the "normal" file virus test
1) as these viruses were reported to VTC only in October, immediately
   before the testbeds were frozen, and
2) as there is no agreement between AV producers whether viruses from
   VKIT should be counted just as 1 or as 14,000 different viruses
   (boasting number of detected viruses to over 40,000).


Table WNT.F3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW file viruses
              packed with PKZIP, LHA, ARJ and RAR
================================================================
                       This includes
                Viruses detected per Packer
Scanner    ZIP     %    LHA     %    ARJ     %    RAR     %
----------------------------------------------------------------
Testbed     87 100.0     87 100.0     87 100.0     87 100.0
----------------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0      0   0.0
AVG         86  98.9      0   0.0     86  98.9      0   0.0
AVK         87 100.0     87 100.0     87 100.0     87 100.0
AVP         87 100.0     87 100.0     87 100.0     87 100.0
AVX          9  10.3      0   0.0      9  10.3     10  11.5
DRW         87 100.0     87 100.0     87 100.0      0   0.0
DWW          0   0.0      0   0.0      0   0.0      0   0.0
DSS         87 100.0     87 100.0     87 100.0      0   0.0
FPR         87 100.0      0   0.0     87 100.0      0   0.0
FSE         87 100.0     87 100.0     87 100.0     87 100.0
INO         87 100.0     86  98.9     87 100.0      0   0.0
IRS          0   0.0      0   0.0      0   0.0      0   0.0
NAV         87 100.0     87 100.0     87 100.0      0   0.0
NOD         87 100.0      0   0.0     87 100.0     87 100.0
NVC         87 100.0      0   0.0     87 100.0      0   0.0
PAV         87 100.0     87 100.0     87 100.0     87 100.0
PRO          0   0.0      0   0.0      0   0.0      0   0.0
RAV          0   0.0      0   0.0      0   0.0     74  85.1
RA7          0   0.0      0   0.0      0   0.0      0   0.0
SCN         87 100.0     87 100.0      0   0.0      0   0.0
VET         87 100.0      0   0.0      0   0.0      0   0.0
VSP          0   0.0      0   0.0      0   0.0      0   0.0
----------------------------------------------------------------


Table WNT.F3a: "PKZIP-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with PKZIP under Windows NT:
====================================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Maximum     87 100.0%            %            %   2867 100.0%
-----------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0       0   0.0
AVG         86  98.9     14  16.1      0   0.0    2852  99.5
AVK         87 100.0      5   5.7      2   2.3    2819  98.3
AVP         87 100.0      4   4.6      1   1.1    2820  98.4
AVX          9  10.3      2   2.3      2   2.3     164   5.7
DRW         87 100.0      4   4.6      2   2.3    2865  99.9
DSS         87 100.0      9  10.3      0   0.0    2867 100.0
DWW          0   0.0      0   0.0      0   0.0       0   0.0
FPR         87 100.0      0   0.0      1   1.1    2866 100.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
INO         87 100.0      0   0.0      0   0.0    2867 100.0
IRS          0   0.0      0   0.0      0   0.0       0   0.0
NAV         87 100.0      9  10.3      1   1.1    2866 100.0
NOD         87 100.0     10  11.5     13  14.9    2819  98.3
NVC         87 100.0      6   6.9      1   1.1    2866 100.0
PAV         87 100.0      4   4.6      1   1.1    2820  98.4
PRO          0   0.0      0   0.0      0   0.0       0   0.0
RA7          0   0.0      0   0.0      0   0.0       0   0.0
RAV          0   0.0      0   0.0      0   0.0       0   0.0
SCN         87 100.0      9  10.3      0   0.0    2867 100.0
VET         87 100.0      5   5.7      4   4.6    2863  99.9
VSP          0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.F3b: "LHA-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with LHA under Windows NT:
=================================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Maximum     87 100.0%            %            %   2867 100.0%
-----------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0       0   0.0
AVG          0   0.0      0   0.0      0   0.0       0   0.0
AVK         87 100.0      5   5.7      0   0.0    2867 100.0
AVP         87 100.0      4   4.6      0   0.0    2867 100.0
AVX          0   0.0      0   0.0      0   0.0       0   0.0
DRW         87 100.0      4   4.6      2   2.3    2865  99.9
DSS         87 100.0      9  10.3      0   0.0    2867 100.0
DWW          0   0.0      0   0.0      0   0.0       0   0.0
FPR          0   0.0      0   0.0      0   0.0       0   0.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
INO         86  98.9      0   0.0     86  98.9      96   3.3
IRS          0   0.0      0   0.0      0   0.0       0   0.0
NAV         87 100.0      9  10.3      1   1.1    2866 100.0
NOD          0   0.0      0   0.0      0   0.0       0   0.0
NVC          0   0.0      0   0.0      0   0.0       0   0.0
PAV         87 100.0      4   4.6      0   0.0    2867 100.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
RA7          0   0.0      0   0.0      0   0.0       0   0.0
RAV          0   0.0      0   0.0      0   0.0       0   0.0
SCN         87 100.0      9  10.3      0   0.0    2867 100.0
VET          0   0.0      0   0.0      0   0.0       0   0.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.F3c: "ARJ-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with ARJ under Windows NT:
=================================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Maximum     87 100.0%            %            %   2867 100.0%
-----------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0       0   0.0
AVG         86  98.9     19  21.8      0   0.0    2852  99.5
AVK         87 100.0      5   5.7      0   0.0    2867 100.0
AVP         87 100.0      4   4.6      0   0.0    2867 100.0
AVX          9  10.3      0   0.0      1   1.1     161   5.6
DRW         87 100.0      4   4.6      2   2.3    2865  99.9
DSS         87 100.0      9  10.3      0   0.0    2867 100.0
DWW          0   0.0      0   0.0      0   0.0       0   0.0
FPR         87 100.0      0   0.0      1   1.1    2866 100.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
INO         87 100.0      0   0.0      0   0.0    2867 100.0
IRS          0   0.0      0   0.0      0   0.0       0   0.0
NAV         87 100.0      9  10.3      1   1.1    2866 100.0
NOD         87 100.0     10  11.5     13  14.9    2819  98.3
NVC         87 100.0      6   6.9      1   1.1    2866 100.0
PAV         87 100.0      4   4.6      0   0.0    2867 100.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
RA7          0   0.0      0   0.0      0   0.0       0   0.0
RAV          0   0.0      0   0.0      0   0.0       0   0.0
SCN          0   0.0      0   0.0      0   0.0       0   0.0
VET          0   0.0      0   0.0      0   0.0       0   0.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.F3d: "RAR-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with RAR under Windows NT:
=================================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Maximum     87 100.0%            %            %   2867 100.0%
-----------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0       0   0.0
AVG          0   0.0      0   0.0      0   0.0       0   0.0
AVK         87 100.0      5   5.7      0   0.0    2867 100.0
AVP         87 100.0      4   4.6      0   0.0    2867 100.0
AVX         10  11.5      2   2.3      3   3.4     198   6.9
DRW          0   0.0      0   0.0      0   0.0       0   0.0
DSS          1   1.1      0   0.0      1   1.1       1   0.0
DWW          0   0.0      0   0.0      0   0.0       0   0.0
FPR          0   0.0      0   0.0      0   0.0       0   0.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
INO          0   0.0      0   0.0      0   0.0       0   0.0
IRS          0   0.0      0   0.0      0   0.0       0   0.0
NAV          0   0.0      0   0.0      0   0.0       0   0.0
NOD         87 100.0     10  11.5     13  14.9    2819  98.3
NVC          0   0.0      0   0.0      0   0.0       0   0.0
PAV         87 100.0      4   4.6      0   0.0    2867 100.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
RA7          0   0.0      0   0.0      0   0.0       0   0.0
RAV         74  85.1      2   2.3     23  26.4    1962  68.4
SCN          0   0.0      0   0.0      0   0.0       0   0.0
VET          0   0.0      0   0.0      0   0.0       0   0.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.F4: "False Positive" detection: Results of "full" Zoo test
              for Non-viral (clean) samples detected as
              "false positives" under Windows NT:
==============================================================
         Falsely           This includes
         detected       ---- unreliably ----       Files
Scanner  Viruses      identified    detected      detected
-----------------------------------------------------------
Testbed     30 100.0%            %            %   3300 100.0%
-----------------------------------------------------------
AVA          1   3.3      0   0.0      1   3.3       1   0.0
AVG          1   3.3      0   0.0      1   3.3       1   0.0
AVK          0   0.0      0   0.0      0   0.0       0   0.0
AVP          0   0.0      0   0.0      0   0.0       0   0.0
AVX          4  13.3      0   0.0      4  13.3       7   0.2
DRW          8  26.7      0   0.0      8  26.7       9   0.3
DSS          1   3.3      0   0.0      1   3.3       1   0.0
DWW          9  30.0      0   0.0      9  30.0      10   0.3
FPR          0   0.0      0   0.0      0   0.0       0   0.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
INO          2   6.7      0   0.0      2   6.7       4   0.1
IRS          2   6.7      0   0.0      2   6.7       4   0.1
NAV          0   0.0      0   0.0      0   0.0       0   0.0
NOD          7  23.3      0   0.0      7  23.3       7   0.2
NVC          0   0.0      0   0.0      0   0.0       0   0.0
PAV          0   0.0      0   0.0      0   0.0       0   0.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
RA7          0   0.0      0   0.0      0   0.0       0   0.0
RAV          0   0.0      0   0.0      0   0.0       0   0.0
SCN          0   0.0      0   0.0      0   0.0       0   0.0
VET          1   3.3      0   0.0      1   3.3       1   0.0
VSP         16  53.3      0   0.0     16  53.3      23   0.7
-----------------------------------------------------------
Remark: within 30 non-viral directories and a total of 3300
non-viral objects, at least one sample in N directories
was falsely detected (N = number in column 1)


Table WNT.F5 "File Malware": Results of "full" zoo test
             for File-related malware under Windows NT:
========================================================
                           This includes
         Malware        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
----------------------------------------------------------
Testbed   2485 100.0%            %            %   3853 100.0%
----------------------------------------------------------
AVA       1647  66.3     54   2.2     13   0.5    2461  63.9
AVG       1637  65.9     20   0.8     17   0.7    2261  58.7
AVK       2356  94.8     44   1.8      7   0.3    3548  92.1
AVP       2359  94.9     43   1.7      6   0.2    3552  92.2
AVX       1460  58.8     30   1.2     27   1.1    1962  50.9
DRW       1565  63.0     23   0.9     13   0.5    2394  62.1
DSS       2426  97.6     33   1.3      5   0.2    3774  97.9
DWW       1849  74.4     22   0.9     14   0.6    2766  71.8
FPR       2216  89.2     16   0.6     28   1.1    3403  88.3
FSE       2469  99.4     60   2.4      3   0.1    3830  99.4
INO       2193  88.2     38   1.5     11   0.4    3328  86.4
IRS       2178  87.6     39   1.6      9   0.4    3305  85.8
NAV       2235  89.9     55   2.2     47   1.9    3390  88.0
NOD       1611  64.8     70   2.8     22   0.9    2360  61.3
NVC       1724  69.4     49   2.0     37   1.5    2706  70.2
PAV       2359  94.9     43   1.7      6   0.2    3552  92.2
PRO        291  11.7      2   0.1     37   1.5     382   9.9
RA7       1402  56.4     39   1.6     27   1.1    1942  50.4
RAV       1351  54.4     33   1.3     28   1.1    1836  47.7
SCN       2402  96.7     62   2.5      4   0.2    3739  97.0
VET       1023  41.2      4   0.2     40   1.6    1454  37.7
VSP       1891  76.1    139   5.6     34   1.4    2545  66.1
----------------------------------------------------------


Table WNT.M1: "MacroVirus 1": Results of "full" zoo test
              for macro viruses under Windows NT:
=======================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
----------------------------------------------------------
Testbed   2874 100.0%            %            %   7765 100.0%
----------------------------------------------------------
AVA       2737  95.2     17   0.6      7   0.2    7471  96.2
AVG       2371  82.5      9   0.3     12   0.4    6395  82.4
AVK       2863  99.6     51   1.8      0   0.0    7747  99.8
AVP       2850  99.2     41   1.4      0   0.0    7731  99.6
AVX       2843  98.9     40   1.4     70   2.4    7619  98.1
DRW       2825  98.3     45   1.6      5   0.2    7674  98.8
DSS       2874 100.0      9   0.3      0   0.0    7765 100.0
DWW       2823  98.2     45   1.6      5   0.2    7672  98.8
FPR       2868  99.8     22   0.8      2   0.1    7743  99.7
FSE       2874 100.0     24   0.8      0   0.0    7765 100.0
FWN       2864  99.7     29   1.0      0   0.0    7744  99.7
HMV       2860  99.5     28   1.0     10   0.3    7726  99.5
INO       2867  99.8     47   1.6      2   0.1    7745  99.7
IRS       2860  99.5     45   1.6      5   0.2    7724  99.5
IVB       2729  95.0      0   0.0     62   2.2    7307  94.1
NAV       2865  99.7     39   1.4      4   0.1    7741  99.7
NOD       2869  99.8     32   1.1      4   0.1    7750  99.8
NVC       2843  98.9     30   1.0      3   0.1    7694  99.1
PAV       2857  99.4     51   1.8      0   0.0    7741  99.7
PRO       1668  58.0      1   0.0     53   1.8    4413  56.8
RA7       2852  99.2     66   2.3      1   0.0    7725  99.5
RAV       2850  99.2     66   2.3      4   0.1    7716  99.4
SCN       2874 100.0    139   4.8      0   0.0    7765 100.0
VET       2726  94.9      2   0.1      4   0.1    7501  96.6
VSP       2493  86.7   1742  60.6      0   0.0    6795  87.5
----------------------------------------------------------


Table WNT.M2: "MacroVirus 2": Results of "In-The-Wild" test
              for macro viruses under Windows NT:
=======================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Testbed     83 100.0%            %            %    675 100.0%
-----------------------------------------------------------
AVA         83 100.0      1   1.2      0   0.0     675 100.0
AVG         83 100.0      1   1.2      1   1.2     674  99.9
AVK         83 100.0      3   3.6      0   0.0     675 100.0
AVP         83 100.0      2   2.4      0   0.0     675 100.0
AVX         83 100.0      4   4.8      2   2.4     669  99.1
DRW         83 100.0      3   3.6      0   0.0     675 100.0
DSS         83 100.0      0   0.0      0   0.0     675 100.0
DWW         83 100.0      3   3.6      0   0.0     675 100.0
FPR         83 100.0      2   2.4      0   0.0     675 100.0
FSE         83 100.0      2   2.4      0   0.0     675 100.0
FWN         83 100.0      1   1.2      0   0.0     675 100.0
HMV         83 100.0      2   2.4      3   3.6     670  99.3
INO         83 100.0      4   4.8      1   1.2     674  99.9
IRS         83 100.0      4   4.8      1   1.2     674  99.9
IVB         83 100.0      0   0.0      4   4.8     663  98.2
NAV         83 100.0      1   1.2      0   0.0     675 100.0
NOD         83 100.0      2   2.4      3   3.6     670  99.3
NVC         83 100.0      1   1.2      0   0.0     675 100.0
PAV         83 100.0      3   3.6      0   0.0     675 100.0
PRO         52  62.7      1   1.2     14  16.9     473  70.1
RA7         83 100.0      1   1.2      1   1.2     674  99.9
RAV         83 100.0      1   1.2      3   3.6     670  99.3
SCN         83 100.0      6   7.2      0   0.0     675 100.0
VET         83 100.0      0   0.0      0   0.0     675 100.0
VSP         76  91.6     75  90.4      0   0.0     632  93.6
-----------------------------------------------------------


Table W98.M3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW macro viruses
              packed with PKZIP, LHA, ARJ and RAR
================================================================
                       This includes
                Viruses detected per Packer
Scanner    ZIP     %    LHA     %    ARJ     %    RAR     %
----------------------------------------------------------------
Testbed     83 100.0     83 100.0     83 100.0     83 100.0
----------------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0      0   0.0
AVG         83 100.0      0   0.0     83 100.0      0   0.0
AVK         83 100.0     83 100.0     83 100.0     83 100.0
AVP         83 100.0     83 100.0     83 100.0     83 100.0
AVX         83 100.0      0   0.0     83 100.0     83 100.0
DRW         83 100.0     83 100.0     83 100.0      0   0.0
DWW          0   0.0      0   0.0      0   0.0      0   0.0
DSS         83 100.0     83 100.0     83 100.0      0   0.0
FPR         83 100.0      0   0.0     83 100.0      0   0.0
FSE         83 100.0     83 100.0     83 100.0      0   0.0
FWN         83 100.0      0   0.0      0   0.0     83 100.0
HMV          0   0.0      0   0.0      0   0.0      0   0.0
INO         83 100.0     82  98.8     83 100.0      0   0.0
IRS          0   0.0      0   0.0      0   0.0      0   0.0
IVB          0   0.0      0   0.0      0   0.0      0   0.0
NAV         83 100.0     83 100.0     83 100.0      0   0.0
NOD         83 100.0      0   0.0     83 100.0     83 100.0
NVC         83 100.0      0   0.0     83 100.0      0   0.0
PAV         83 100.0     83 100.0     83 100.0     83 100.0
PRO          0   0.0      0   0.0      0   0.0      0   0.0
RAV          0   0.0      0   0.0      0   0.0     80  96.4
RA7          0   0.0      0   0.0      0   0.0      0   0.0
SCN         83 100.0     83 100.0      0   0.0      0   0.0
VET         83 100.0      0   0.0      0   0.0      0   0.0
VSP          0   0.0      0   0.0      0   0.0      0   0.0
----------------------------------------------------------------


Table WNT.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with PKZIP under Windows NT:
=====================================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Testbed     83 100.0%            %            %    675 100.0%
-----------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0       0   0.0
AVG         83 100.0      0   0.0     71  85.5     432  64.0
AVK         83 100.0      3   3.6      0   0.0     675 100.0
AVP         83 100.0      2   2.4      0   0.0     675 100.0
AVX         83 100.0      4   4.8      2   2.4     669  99.1
DRW         83 100.0      3   3.6      0   0.0     675 100.0
DSS         83 100.0      0   0.0      0   0.0     675 100.0
DWW          0   0.0      0   0.0      0   0.0       0   0.0
FPR         83 100.0      0   0.0      0   0.0     675 100.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
FWN         83 100.0      1   1.2      0   0.0     675 100.0
HMV          0   0.0      0   0.0      0   0.0       0   0.0
INO         83 100.0      0   0.0      1   1.2     674  99.9
IRS          0   0.0      0   0.0      0   0.0       0   0.0
IVB          0   0.0      0   0.0      0   0.0       0   0.0
NAV         83 100.0      1   1.2      0   0.0     675 100.0
NOD         83 100.0      2   2.4      3   3.6     670  99.3
NVC         83 100.0      1   1.2      0   0.0     675 100.0
PAV         83 100.0      3   3.6      0   0.0     675 100.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
RA7          0   0.0      0   0.0      0   0.0       0   0.0
RAV          0   0.0      0   0.0      0   0.0       0   0.0
SCN         83 100.0      0   0.0      0   0.0     675 100.0
VET         83 100.0      0   0.0      0   0.0     675 100.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.M3b: "LHA-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with LHA under Windows NT:
==================================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Testbed     83 100.0%            %            %    675 100.0%
-----------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0       0   0.0
AVG          0   0.0      0   0.0      0   0.0       0   0.0
AVK         83 100.0      3   3.6      0   0.0     675 100.0
AVP         83 100.0      2   2.4      0   0.0     675 100.0
AVX          0   0.0      0   0.0      0   0.0       0   0.0
DRW         83 100.0      3   3.6      0   0.0     675 100.0
DSS         83 100.0      0   0.0      0   0.0     675 100.0
DWW          0   0.0      0   0.0      0   0.0       0   0.0
FPR          0   0.0      0   0.0      0   0.0       0   0.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
FWN          0   0.0      0   0.0      0   0.0       0   0.0
HMV          0   0.0      0   0.0      0   0.0       0   0.0
INO         82  98.8      0   0.0     81  97.6      82  12.1
IRS          0   0.0      0   0.0      0   0.0       0   0.0
IVB          0   0.0      0   0.0      0   0.0       0   0.0
NAV         83 100.0      1   1.2      0   0.0     675 100.0
NOD          0   0.0      0   0.0      0   0.0       0   0.0
NVC          0   0.0      0   0.0      0   0.0       0   0.0
PAV         83 100.0      3   3.6      0   0.0     675 100.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
RA7          0   0.0      0   0.0      0   0.0       0   0.0
RAV          0   0.0      0   0.0      0   0.0       0   0.0
SCN         83 100.0      0   0.0      0   0.0     675 100.0
VET          0   0.0      0   0.0      0   0.0       0   0.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.M3c: "ARJ-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with ARJ under Windows NT:
==================================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Testbed     83 100.0%            %            %    675 100.0%
-----------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0       0   0.0
AVG         83 100.0      1   1.2      1   1.2     674  99.9
AVK         83 100.0      3   3.6      0   0.0     675 100.0
AVP         83 100.0      2   2.4      0   0.0     675 100.0
AVX         83 100.0      4   4.8      2   2.4     669  99.1
DRW         83 100.0      3   3.6      0   0.0     675 100.0
DSS         83 100.0      0   0.0      0   0.0     675 100.0
DWW          0   0.0      0   0.0      0   0.0       0   0.0
FPR         83 100.0      0   0.0      0   0.0     675 100.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
FWN          0   0.0      0   0.0      0   0.0       0   0.0
HMV          0   0.0      0   0.0      0   0.0       0   0.0
INO         83 100.0      0   0.0      1   1.2     674  99.9
IRS          0   0.0      0   0.0      0   0.0       0   0.0
IVB          0   0.0      0   0.0      0   0.0       0   0.0
NAV         83 100.0      1   1.2      0   0.0     675 100.0
NOD         83 100.0      2   2.4      3   3.6     670  99.3
NVC         83 100.0      1   1.2      0   0.0     675 100.0
PAV         83 100.0      3   3.6      0   0.0     675 100.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
RA7          0   0.0      0   0.0      0   0.0       0   0.0
RAV          0   0.0      0   0.0      0   0.0       0   0.0
SCN          0   0.0      0   0.0      0   0.0       0   0.0
VET          0   0.0      0   0.0      0   0.0       0   0.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.M3d: "RAR-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with RAR under Windows NT:
==================================================================
                           This includes
         Viruses        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
-----------------------------------------------------------
Testbed     83 100.0%            %            %    675 100.0%
-----------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0       0   0.0
AVG          0   0.0      0   0.0      0   0.0       0   0.0
AVK         83 100.0      3   3.6      0   0.0     675 100.0
AVP         83 100.0      2   2.4      0   0.0     675 100.0
AVX         83 100.0      4   4.8      2   2.4     669  99.1
DRW          0   0.0      0   0.0      0   0.0       0   0.0
DSS          0   0.0      0   0.0      0   0.0       0   0.0
DWW          0   0.0      0   0.0      0   0.0       0   0.0
FPR          0   0.0      0   0.0      0   0.0       0   0.0
FSE          0   0.0      0   0.0      0   0.0       0   0.0
FWN         83 100.0      1   1.2      0   0.0     675 100.0
HMV          0   0.0      0   0.0      0   0.0       0   0.0
INO          0   0.0      0   0.0      0   0.0       0   0.0
IRS          0   0.0      0   0.0      0   0.0       0   0.0
IVB          0   0.0      0   0.0      0   0.0       0   0.0
NAV          0   0.0      0   0.0      0   0.0       0   0.0
NOD         83 100.0      2   2.4      3   3.6     670  99.3
NVC          0   0.0      0   0.0      0   0.0       0   0.0
PAV         83 100.0      3   3.6      0   0.0     675 100.0
PRO          0   0.0      0   0.0      0   0.0       0   0.0
RA7          0   0.0      0   0.0      0   0.0       0   0.0
RAV         80  96.4      1   1.2      5   6.0     605  89.6
SCN          0   0.0      0   0.0      0   0.0       0   0.0
VET          0   0.0      0   0.0      0   0.0       0   0.0
VSP          0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table WNT.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows NT:
=================================================================
         Falsely           This includes
         detected       ---- unreliably ----       Files
Scanner  Viruses      identified    detected      detected
-----------------------------------------------------------
Testbed     25 100.0%            %            %    362 100.0%
-----------------------------------------------------------
AVA          0   0.0      0   0.0      0   0.0       0   0.0
AVG          1   4.0      0   0.0      1   4.0       1   0.3
AVK          0   0.0      0   0.0      0   0.0       0   0.0
AVP          2   8.0      0   0.0      2   8.0       4   1.1
AVX         25 100.0      2   8.0     20  80.0     308  85.1
DRW         20  80.0      0   0.0     20  80.0     106  29.3
DSS          0   0.0      0   0.0      0   0.0       0   0.0
DWW         21  84.0      0   0.0     21  84.0     110  30.4
FPR          3  12.0      0   0.0      3  12.0       4   1.1
FSE          3  12.0      0   0.0      3  12.0       4   1.1
FWN         23  92.0      0   0.0     23  92.0     193  53.3
HMV          7  28.0      0   0.0      7  28.0      11   3.0
INO         16  64.0      0   0.0     16  64.0      35   9.7
IRS         16  64.0      0   0.0     16  64.0      35   9.7
IVB         24  96.0      0   0.0     24  96.0     180  49.7
NAV          5  20.0      0   0.0      5  20.0       5   1.4
NOD          7  28.0      0   0.0      7  28.0      12   3.3
NVC          1   4.0      0   0.0      1   4.0       3   0.8
PAV          2   8.0      0   0.0      2   8.0       4   1.1
PRO          1   4.0      0   0.0      1   4.0       1   0.3
RA7         23  92.0      0   0.0     23  92.0     122  33.7
RAV         23  92.0      0   0.0     23  92.0     120  33.1
SCN          0   0.0      0   0.0      0   0.0       0   0.0
VET          8  32.0      0   0.0      8  32.0      17   4.7
VSP         25 100.0     25 100.0      0   0.0     362 100.0
-----------------------------------------------------------
Remark: within 25 non-viral directories and a total of 362
non-viral objects, at least one sample in N directories
was falsely detected (N = number in column 1)


Table WNT.M5: "Macro-Malware": Results of "full" test
              for Macro-related malware under Windows NT:
=========================================================
                           This includes
         Malware        ---- unreliably ----       Files
Scanner  detected     identified    detected      detected
----------------------------------------------------------
Testbed    142 100.0%            %            %    200 100.0%
----------------------------------------------------------
AVA        127  89.4      0   0.0      1   0.7     182  91.0
AVG         98  69.0      1   0.7      2   1.4     146  73.0
AVK        136  95.8      1   0.7      1   0.7     193  96.5
AVP        130  91.5      0   0.0      2   1.4     186  93.0
AVX        134  94.4      3   2.1      4   2.8     186  93.0
DRW        116  81.7      1   0.7      2   1.4     168  84.0
DSS        140  98.6      0   0.0      0   0.0     198  99.0
DWW        115  81.0      1   0.7      2   1.4     167  83.5
FPR        139  97.9      1   0.7      0   0.0     197  98.5
FSE        140  98.6      1   0.7      0   0.0     198  99.0
FWN        137  96.5      2   1.4      0   0.0     195  97.5
HMV        137  96.5      0   0.0      1   0.7     194  97.0
INO        136  95.8      0   0.0      3   2.1     191  95.5
IRS        135  95.1      0   0.0      3   2.1     190  95.0
IVB        118  83.1      0   0.0      1   0.7     167  83.5
NAV        130  91.5      0   0.0      1   0.7     184  92.0
NOD        137  96.5      1   0.7      0   0.0     195  97.5
NVC        128  90.1      2   1.4      1   0.7     184  92.0
PAV        134  94.4      1   0.7      1   0.7     191  95.5
PRO         38  26.8      0   0.0      3   2.1      70  35.0
RA7        139  97.9      1   0.7      1   0.7     196  98.0
RAV        138  97.2      1   0.7      1   0.7     195  97.5
SCN        140  98.6      0   0.0      0   0.0     198  99.0
VET        117  82.4      1   0.7      1   0.7     171  85.5
VSP        142 100.0     39  27.5      0   0.0     200 100.0
----------------------------------------------------------