=================================================
File 6FW98.TXT
Detailed results of File and Macro Virus related
on-demand scanner tests under Windows 98:
=================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification
quality concerning FILE and MACRO viruses as well as selected
FILE and MACRO MALWARE, both in full "zoo" virus collection and
for viral ITW testbed.

Additionally, test results are reported concerning detection of
(6*10,000) viruses in a testbed with generations of 6 polymorphic
file viruses, as well as a subset of 10,706 viruses generated from
VKIT virus construction kit.

Moreover, results for detection of viruses in files compressed
with 4 popular packing methods are also given.

Finally, a special test was performed concerning "false positive"
virus detection of selected files which were deliberately chosen
from available CD-ROMs and which were definitively clean of viruses.

For discussion of results, see 6ASUMOV.TXT and 7EVAL.TXT.

Results may be influenced by problems experienced during tests;
such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
W98.F1:  "FileVirus 1": Results of "full" Zoo test for file viruses
W98.F2:  "FileVirus 2": Results of "In-The-Wild" test for file viruses
W98.FA:  "Polyfile-Test": Results of Polymorphic test
W98.FB:  "VKIT Test": Results of VKIT file virus test
W98.F3:  "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses
         packed with PKZIP, LHA, ARJ and RAR
W98.F3a: "PKZIP-Packed File Viruses": Results of Detection
         of ITW File Viruses Packed with PKZIP
W98.F3b: "LHA-Packed File Viruses": Results of Detection
         of ITW File Viruses Packed with LHA
W98.F3c: "ARJ-Packed File Viruses": Results of Detection
         of ITW File Viruses Packed with ARJ
W98.F3d: "RAR-Packed File Viruses": Results of Detection
         of ITW File Viruses Packed with RAR
W98.F4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) file samples detected as "False positives"
W98.F5:  "File Malware": Results of "full" Zoo test for
         File-related malware

W98.M1:  "MacroVirus 1": Results of "full" test for macro viruses
W98.M2:  "MacroVirus 2": Results of "In-The-Wild" test for macro viruses
W98.M3:  "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses
         packed with PKZIP, LHA, ARJ and RAR
W98.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with PKZIP
W98.M3b: "LHA-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with LHA
W98.M3c: "ARJ-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with ARJ
W98.M3d: "RAR-Packed Macro Viruses": Results of Detection
         of ITW macro Viruses Packed with RAR
W98.M4:  "False Positive" detection: Results of "full" Zoo test for
         non-viral (clean) macro objects detected as "false positives"
W98.M5:  "Macro-Malware": Results of "full" zoo test for
         Macro-related malware


Table W98.F1: "FileVirus 1": Results of "full" zoo test
              for file viruses under Windows 98:
======================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed 17561 100.0%            %            % 132576 100.0%
-----------------------------------------------------------
AN5     15310  87.2    690   3.9   1242   7.1  113426  85.6
ANT     15189  86.5    678   3.9   1236   7.0  112304  84.7
AVG     15282  87.0    521   3.0    321   1.8  118701  89.5
AVK     17520  99.8    438   2.5      7   0.0  132514 100.0
AVP     17521  99.8    421   2.4      3   0.0  132520 100.0
AVS     17078  97.2    627   3.6    137   0.8  129499  97.7
AVX     13295  75.7    747   4.3   1185   6.7   96947  73.1
CMD     17280  98.4     62   0.4     37   0.2  131549  99.2
DWW     17261  98.3    474   2.7    185   1.1  130817  98.7
FPR     17458  99.4     16   0.1      8   0.0  132267  99.8
FPW     17423  99.2     10   0.1     10   0.1  132176  99.7
FSE     17537  99.9    152   0.9      6   0.0  132497  99.9
INO     17051  97.1    614   3.5    168   1.0  129252  97.5
MR2     11573  65.9   2368  13.5    849   4.8   82589  62.3
NAV     17131  97.6   1248   7.1    257   1.5  129967  98.0
NOD     17254  98.3   2071  11.8    257   1.5  130537  98.5
NVN     17389  99.0   1191   6.8    182   1.0  130922  98.8
NVC     17389  99.0   1191   6.8    182   1.0  130922  98.8
PAV     17492  99.6    423   2.4     15   0.1  132411  99.9
PRO      6984  39.8    461   2.6    842   4.8   56825  42.9
RAV     15264  86.9   1353   7.7    698   4.0  115877  87.4
SCN     17509  99.7    537   3.1      5   0.0  132172  99.7
SWP     17386  99.0    865   4.9    145   0.8  131675  99.3
TSC      9445  53.8    363   2.1    657   3.7   64703  48.8
VSP     13999  79.7   5143  29.3   1008   5.7   95814  72.3
-----------------------------------------------------------


Table W98.F2: "FileVirus 2": Results of "In-The-Wild" test
              for file viruses under Windows 98:
======================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Maximum    46 100.0%            %            %   1489 100.0%
-----------------------------------------------------------
AN5        46 100.0      4   8.7      6  13.0    1452  97.5
ANT        46 100.0      4   8.7      6  13.0    1452  97.5
AVG        46 100.0      8  17.4      3   6.5    1484  99.7
AVK        46 100.0      2   4.3      0   0.0    1489 100.0
AVP        46 100.0      2   4.3      0   0.0    1489 100.0
AVS        46 100.0      6  13.0      3   6.5    1483  99.6
AVX        40  87.0      1   2.2      7  15.2    1311  88.0
CMD        46 100.0      3   6.5      1   2.2    1488  99.9
DWW        46 100.0      3   6.5      1   2.2    1487  99.9
FPR        46 100.0      1   2.2      0   0.0    1489 100.0
FPW        46 100.0      1   2.2      0   0.0    1489 100.0
FSE        46 100.0      3   6.5      1   2.2    1486  99.8
INO        45  97.8      4   8.7      3   6.5    1480  99.4
MR2        39  84.8      6  13.0      5  10.9    1340  90.0
NAV        46 100.0      3   6.5      4   8.7    1481  99.5
NOD        46 100.0     10  21.7      3   6.5    1486  99.8
NV5        46 100.0      4   8.7      1   2.2    1488  99.9
NVC        46 100.0      4   8.7      1   2.2    1488  99.9
PAV        46 100.0      2   4.3      1   2.2    1486  99.8
PRO        46 100.0      6  13.0     14  30.4    1391  93.4
RAV        45  97.8      4   8.7      5  10.9    1468  98.6
SCN        46 100.0      6  13.0      0   0.0    1489 100.0
SWP        46 100.0      4   8.7      1   2.2    1488  99.9
TSC        41  89.1      4   8.7      7  15.2    1384  92.9
VSP        36  78.3     12  26.1      6  13.0    1319  88.6
-----------------------------------------------------------


Table W98.FA: "Polyfile-Test": Results of Polymorphic test
==========================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Maximum     6 100.0%            %            %  60000 100.0%
-----------------------------------------------------------
AN5         6 100.0      1  16.7      0   0.0   60000 100.0
ANT         6 100.0      0   0.0      0   0.0   60000 100.0
AVG         6 100.0      0   0.0      0   0.0   60000 100.0
AVK         6 100.0      0   0.0      0   0.0   60000 100.0
AVP         6 100.0      0   0.0      0   0.0   60000 100.0
AVS         6 100.0      2  33.3      1  16.7   59999 100.0
AVX         5  83.3      0   0.0      2  33.3   49981  83.3
CMD         6 100.0      1  16.7      0   0.0   60000 100.0
DWW         6 100.0      0   0.0      0   0.0   60000 100.0
FPR         6 100.0      1  16.7      1  16.7   59999 100.0
FPW         6 100.0      1  16.7      0   0.0   60000 100.0
FSE         6 100.0      1  16.7      0   0.0   60000 100.0
INO         6 100.0      2  33.3      0   0.0   60000 100.0
MR2         6 100.0      3  50.0      1  16.7   59997 100.0
NAV         6 100.0      3  50.0      0   0.0   60000 100.0
NOD         6 100.0      0   0.0      0   0.0   60000 100.0
NV5         6 100.0      1  16.7      0   0.0   60000 100.0
NVC         6 100.0      1  16.7      0   0.0   60000 100.0
PAV         6 100.0      0   0.0      0   0.0   60000 100.0
PRO         5  83.3      0   0.0      3  50.0   35468  59.1
RAV         6 100.0      0   0.0      0   0.0   60000 100.0
SCN         6 100.0      1  16.7      1  16.7   59997 100.0
SWP         6 100.0      1  16.7      1  16.7   59997 100.0
TSC         6 100.0      0   0.0      2  33.3   51308  85.5
VSP         6 100.0      2  33.3      3  50.0   58857  98.1
-----------------------------------------------------------
Remark: For 6 polymorphic viruses (with Maltese Amoeba,
        MTE.Encroacher.B, NATAS, TREMOR as in the previous test,
        plus One-Half and Tequila added in this test), 10,000
        generations each were produced with VTC's dynamic
        polymorphic generation and test engine. For each virus,
        100 directories including infected objects with goat
        files of lengths ranging from 1 kByte to 100 kByte were
        generated.


Table W98.FB: "VKIT Test": Results of VKIT file virus test
==========================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed 10706 100.0%            %            % 104640 100.0%
-----------------------------------------------------------
AN5      3673  34.3     98   0.9    869   8.1   34773  33.2
ANT      3673  34.3     97   0.9    869   8.1   34773  33.2
AVG     10118  94.5    806   7.5    379   3.5   96727  92.4
AVK     10706 100.0   1198  11.2      0   0.0  104640 100.0
AVP     10706 100.0   1198  11.2      0   0.0  104640 100.0
AVS     10706 100.0   1642  15.3     23   0.2  104595 100.0
AVX      9434  88.1     16   0.1   8543  79.8   29318  28.0
CMD     10704 100.0    976   9.1      7   0.1  104614 100.0
DWW     10704 100.0   1005   9.4     16   0.1  104572  99.9
FPR     10704 100.0   1433  13.4      5   0.0  104631 100.0
FPW     10704 100.0   1431  13.4      7   0.1  104614 100.0
FSE     10706 100.0    983   9.2      0   0.0  104640 100.0
INO     10703 100.0   1261  11.8      8   0.1  104578  99.9
MR2     10706 100.0   7805  72.9      0   0.0  104640 100.0
NAV     10696  99.9    639   6.0    120   1.1  103947  99.3
NOD     10704 100.0   3000  28.0      5   0.0  104632 100.0
NV5     10704 100.0   6198  57.9    327   3.1  102040  97.5
NVC     10704 100.0   6198  57.9    327   3.1  102040  97.5
PAV     10706 100.0   1198  11.2      0   0.0  104640 100.0
PRO       192   1.8      0   0.0    153   1.4     991   0.9
RAV     10704 100.0   1630  15.2      7   0.1  104621 100.0
SCN     10706 100.0   1239  11.6      0   0.0  104640 100.0
SWP     10706 100.0   4781  44.7      1   0.0  104639 100.0
TSC     10704 100.0   1260  11.8     12   0.1  104616 100.0
VSP     10706 100.0   8999  84.1      0   0.0  104640 100.0
-----------------------------------------------------------
Remark: A testbed of 10,706 viruses generated with the VKIT
        virus generator (out of about 14,000 viruses which can
        be generated) was used to test detection quality. This
        test was separated from the "normal" file virus test as
        1) there is no agreement between AV producers whether
        viruses from VKIT should be counted just as 1 or as
        14,000 different viruses (boasting number of detected
        viruses to over 40,000), and 2) because of the large
        size of this special testbed.


Table W98.F3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW file viruses
              packed with PKZIP, LHA, ARJ and RAR
================================================================
        This includes Viruses detected per packer
Scanner ZIP     %   ARJ     %   RAR     %   LHA     %
----------------------------------------------------------
Testbed  46 100.0%   46 100.0%   46 100.0%   46 100.0%
----------------------------------------------------------
AN5      43  93.5    44  95.7     0   0.0    44  95.7
AVG      45  97.8    45  97.8     0   0.0     0   0.0
AVK      46 100.0    46 100.0    46 100.0    46 100.0
AVP      46 100.0    46 100.0    46 100.0    46 100.0
CMD      46 100.0    46 100.0     0   0.0     0   0.0
DWW      46 100.0    46 100.0    46 100.0     0   0.0
FPR      46 100.0    46 100.0     0   0.0     0   0.0
FPW      46 100.0    46 100.0     0   0.0     0   0.0
FSE      46 100.0    46 100.0    46 100.0    46 100.0
INO      45  97.8    46 100.0     0   0.0    46 100.0
MR2       0   0.0     0   0.0     0   0.0     0   0.0
NAV      46 100.0    46 100.0     0   0.0    46 100.0
NOD      46 100.0    46 100.0    46 100.0     0   0.0
NV5      46 100.0    46 100.0     0   0.0     0   0.0
NVC      46 100.0    46 100.0     0   0.0     0   0.0
PAV      46 100.0    46 100.0    46 100.0    46 100.0
PRO       0   0.0     0   0.0     0   0.0     0   0.0
RAV      45  97.8    45  97.8     0   0.0    45  97.8
SCN      46 100.0    46 100.0     0   0.0    46 100.0
SWP       0   0.0     0   0.0     0   0.0     0   0.0
TSC       0   0.0     0   0.0     0   0.0     0   0.0
VSP       0   0.0     0   0.0     0   0.0     0   0.0
----------------------------------------------------------


Table W98.F3a: "PKZIP-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with PKZIP under Windows 98:
====================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed    46 100.0%            %            %   1489 100.0%
-----------------------------------------------------------
AN5        43  93.5      4   8.7      6  13.0    1338  89.9
AVG        45  97.8      8  17.4      3   6.5    1469  98.7
AVK        46 100.0      3   6.5      0   0.0    1489 100.0
AVP        46 100.0      2   4.3      0   0.0    1489 100.0
CMD        46 100.0      3   6.5      1   2.2    1488  99.9
DWW        46 100.0      3   6.5      1   2.2    1487  99.9
FPR        46 100.0      1   2.2      0   0.0    1489 100.0
FPW        46 100.0      1   2.2      0   0.0    1489 100.0
FSE        46 100.0      2   4.3      1   2.2    1487  99.9
INO        45  97.8      0   0.0      2   4.3    1466  98.5
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        46 100.0      3   6.5      4   8.7    1481  99.5
NOD        46 100.0     12  26.1      3   6.5    1486  99.8
NV5        46 100.0      4   8.7      1   2.2    1488  99.9
NVC        46 100.0      4   8.7      1   2.2    1488  99.9
PAV        46 100.0      2   4.3      2   4.3    1439  96.6
PRO         0   0.0      0   0.0      0   0.0       0   0.0
RAV        45  97.8      2   4.3     18  39.1    1451  97.4
SCN        46 100.0      6  13.0      0   0.0    1489 100.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
TSC         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table W98.F3b: "LHA-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with LHA under Windows 98:
=================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed    46 100.0%            %            %   1489 100.0%
-----------------------------------------------------------
AN5        44  95.7      4   8.7      6  13.0    1348  90.5
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK        46 100.0      3   6.5      0   0.0    1489 100.0
AVP        46 100.0      2   4.3      0   0.0    1489 100.0
CMD         0   0.0      0   0.0      0   0.0       0   0.0
DWW         0   0.0      0   0.0      0   0.0       0   0.0
FPR         0   0.0      0   0.0      0   0.0       0   0.0
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE        46 100.0      1   2.2      1   2.2    1487  99.9
INO        46 100.0      0   0.0      8  17.4    1302  87.4
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        46 100.0      3   6.5      4   8.7    1481  99.5
NOD         0   0.0      0   0.0      0   0.0       0   0.0
NV5         0   0.0      0   0.0      0   0.0       0   0.0
NVC         0   0.0      0   0.0      0   0.0       0   0.0
PAV        46 100.0      2   4.3      1   2.2    1486  99.8
PRO         0   0.0      0   0.0      0   0.0       0   0.0
RAV        45  97.8      4   8.7      8  17.4    1428  95.9
SCN        46 100.0      6  13.0      0   0.0    1489 100.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
TSC         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table W98.F3c: "ARJ-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with ARJ under Windows 98:
=================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed    46 100.0%            %            %   1489 100.0%
-----------------------------------------------------------
AN5        44  95.7      4   8.7      6  13.0    1348  90.5
AVG        45  97.8      8  17.4      3   6.5    1469  98.7
AVK        46 100.0      3   6.5      0   0.0    1489 100.0
AVP        46 100.0      2   4.3      0   0.0    1489 100.0
CMD        46 100.0      3   6.5      1   2.2    1488  99.9
DWW        46 100.0      3   6.5      1   2.2    1487  99.9
FPR        46 100.0      1   2.2      0   0.0    1489 100.0
FPW        46 100.0      1   2.2      0   0.0    1489 100.0
FSE        46 100.0      1   2.2      1   2.2    1487  99.9
INO        46 100.0      0   0.0      3   6.5    1486  99.8
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        46 100.0      3   6.5      4   8.7    1481  99.5
NOD        46 100.0     12  26.1      3   6.5    1486  99.8
NV5        46 100.0      4   8.7      1   2.2    1488  99.9
NVC        46 100.0      4   8.7      1   2.2    1488  99.9
PAV        46 100.0      2   4.3      1   2.2    1486  99.8
PRO         0   0.0      0   0.0      0   0.0       0   0.0
RAV        45  97.8      4   8.7      5  10.9    1468  98.6
SCN        46 100.0      6  13.0      0   0.0    1489 100.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
TSC         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table W98.F3d: "RAR-Packed File Viruses": Results of Detection
               of ITW File Viruses Packed with RAR under Windows 98:
=================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed    46 100.0%            %            %   1489 100.0%
-----------------------------------------------------------
AN5         0   0.0      0   0.0      0   0.0       0   0.0
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK        46 100.0      3   6.5      0   0.0    1489 100.0
AVP        46 100.0      2   4.3      0   0.0    1489 100.0
CMD         0   0.0      0   0.0      0   0.0       0   0.0
DWW        46 100.0      3   6.5      1   2.2    1487  99.9
FPR         0   0.0      0   0.0      0   0.0       0   0.0
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE        46 100.0      2   4.3      1   2.2    1487  99.9
INO         0   0.0      0   0.0      0   0.0       0   0.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV         0   0.0      0   0.0      0   0.0       0   0.0
NOD        46 100.0     12  26.1      3   6.5    1486  99.8
NV5         0   0.0      0   0.0      0   0.0       0   0.0
NVC         0   0.0      0   0.0      0   0.0       0   0.0
PAV        46 100.0      2   4.3      1   2.2    1486  99.8
PRO         0   0.0      0   0.0      0   0.0       0   0.0
RAV         0   0.0      0   0.0      0   0.0       0   0.0
SCN         0   0.0      0   0.0      0   0.0       0   0.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
TSC         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table W98.F4: "False Positive" detection: Results of "full" Zoo
              test for Non-viral (clean) samples detected as
              "false positives" under Windows 98:
================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Maximum    30 100.0%            %            %   3300 100.0%
-----------------------------------------------------------
AN5         1   3.3      0   0.0      1   3.3       1   0.0
ANT         1   3.3      0   0.0      1   3.3       1   0.0
AVG         1   3.3      0   0.0      1   3.3       1   0.0
AVK         0   0.0      0   0.0      0   0.0       0   0.0
AVP         0   0.0      0   0.0      0   0.0       0   0.0
AVS         1   3.3      0   0.0      1   3.3       1   0.0
AVX         6  20.0      0   0.0      6  20.0      10   0.3
CMD         1   3.3      0   0.0      1   3.3       1   0.0
DWW         8  26.7      0   0.0      8  26.7       9   0.3
FPR        15  50.0      0   0.0     15  50.0      22   0.7
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE         0   0.0      0   0.0      0   0.0       0   0.0
INO         2   6.7      0   0.0      2   6.7       4   0.1
MR2        10  33.3      0   0.0     10  33.3      13   0.4
NAV         0   0.0      0   0.0      0   0.0       0   0.0
NOD         8  26.7      0   0.0      8  26.7       8   0.2
NV5         0   0.0      0   0.0      0   0.0       0   0.0
NVC         0   0.0      0   0.0      0   0.0       0   0.0
PAV         0   0.0      0   0.0      0   0.0       0   0.0
PRO         0   0.0      0   0.0      0   0.0       0   0.0
RAV         0   0.0      0   0.0      0   0.0       0   0.0
SCN         0   0.0      0   0.0      0   0.0       0   0.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
TSC         0   0.0      0   0.0      0   0.0       0   0.0
VSP         8  26.7      0   0.0      8  26.7       9   0.3
-----------------------------------------------------------
Remark: within 30 non-viral directories and totally 3300
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table W98.F5: "File Malware": Results of "full" zoo test
              for File-related malware under Windows 98:
========================================================
                          This includes
          Malware      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed  3691 100.0%            %            %   6217 100.0%
-----------------------------------------------------------
AN5      2419  65.5     64   1.7     67   1.8    3356  54.0
ANT      1914  51.9     47   1.3     54   1.5    2477  39.8
AVG      2123  57.5     26   0.7     49   1.3    2948  47.4
AVK      3218  87.2     69   1.9     22   0.6    5170  83.2
AVP      3221  87.3     68   1.8     21   0.6    5174  83.2
AVS      2231  60.4     63   1.7     30   0.8    3411  54.9
AVX      2011  54.5     42   1.1     54   1.5    2724  43.8
CMD      3085  83.6     21   0.6     44   1.2    5240  84.3
DWW      2501  67.8     23   0.6     32   0.9    3740  60.2
FPR      3182  86.2      4   0.1     42   1.1    5385  86.6
FPW      3131  84.8      1   0.0     41   1.1    5311  85.4
FSE      3533  95.7     94   2.5     16   0.4    6002  96.5
INO      2922  79.2     43   1.2     31   0.8    4637  74.6
MR2      1774  48.1     55   1.5     46   1.2    2220  35.7
NAV      3093  83.8     83   2.2     96   2.6    5225  84.0
NOD      2434  65.9    119   3.2     60   1.6    3505  56.4
NV5      2503  67.8    100   2.7     57   1.5    4088  65.8
NVC      2503  67.8    100   2.7     57   1.5    4088  65.8
PAV      3195  86.6     69   1.9     22   0.6    5141  82.7
PRO       456  12.4      6   0.2     44   1.2     671  10.8
RAV      1879  50.9     44   1.2     52   1.4    2579  41.5
SCN      3534  95.7     79   2.1      4   0.1    6018  96.8
SWP      2852  77.3     62   1.7     93   2.5    4547  73.1
TSC      1156  31.3     24   0.7     37   1.0    1431  23.0
VSP      2161  58.5    122   3.3     57   1.5    2972  47.8
-----------------------------------------------------------


Table W98.M1: "MacroVirus 1": Results of "full" zoo test
              for macro viruses under Windows 98:
======================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed  3546 100.0%            %            %   9731 100.0%
-----------------------------------------------------------
AN5      3166  89.3    104   2.9     32   0.9    8669  89.1
ANT      3031  85.5    102   2.9     34   1.0    8388  86.2
AVG      3425  96.6     17   0.5      6   0.2    9396  96.6
AVK      3546 100.0     59   1.7      1   0.0    9728 100.0
AVP      3546 100.0     59   1.7      1   0.0    9728 100.0
AVS      3328  93.9     26   0.7     12   0.3    9209  94.6
AVX      3499  98.7     39   1.1    130   3.7    9471  97.3
CMD      3532  99.6      2   0.1      2   0.1    9684  99.5
DWW      3502  98.8     53   1.5     16   0.5    9596  98.6
FPR      3537  99.7      4   0.1      2   0.1    9700  99.7
FPW      3537  99.7      4   0.1      2   0.1    9700  99.7
FSE      3546 100.0      6   0.2      0   0.0    9731 100.0
FWN      3543  99.9     50   1.4      2   0.1    9725  99.9
INO      3478  98.1     52   1.5      7   0.2    9499  97.6
MR2      2302  64.9    136   3.8     29   0.8    6357  65.3
NAV      3501  98.7     44   1.2      6   0.2    9588  98.5
NOD      3546 100.0     24   0.7      1   0.0    9721  99.9
NV5      3531  99.6     36   1.0     10   0.3    9658  99.2
NVC      3531  99.6     36   1.0     10   0.3    9658  99.2
PAV      3504  86.7     63   1.6      1   0.0    9614  99.6
PRO      2196  61.9      3   0.1     57   1.6    5899  60.6
RAV      3478  98.1    112   3.2      7   0.2    9570  98.3
SCN      3540  99.8     17   0.5      1   0.0    9712  99.8
SWP      3494  98.5    107   3.0      4   0.1    9628  98.9
TSC      2302  64.9    143   4.0     29   0.8    6357  65.3
VSP        11   0.3      0   0.0     10   0.3      11   0.1
-----------------------------------------------------------


Table W98.M2: "MacroVirus 2": Results of "In-The-Wild" test
              for macro viruses under Windows 98:
=======================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Maximum    59 100.0%            %            %    506 100.0%
-----------------------------------------------------------
AN5        57  96.6      3   5.1      3   5.1     482  95.3
ANT        57  96.6      3   5.1      3   5.1     482  95.3
AVG        59 100.0      1   1.7      0   0.0     506 100.0
AVK        59 100.0      2   3.4      0   0.0     506 100.0
AVP        59 100.0      2   3.4      0   0.0     506 100.0
AVS        59 100.0      1   1.7      0   0.0     506 100.0
AVX        59 100.0      4   6.8      4   6.8     495  97.8
CMD        59 100.0      0   0.0      0   0.0     506 100.0
DWW        59 100.0      3   5.1      0   0.0     506 100.0
FPR        59 100.0      0   0.0      0   0.0     506 100.0
FPW        59 100.0      0   0.0      0   0.0     506 100.0
FSE        59 100.0      0   0.0      0   0.0     506 100.0
FWN        59 100.0      4   6.8      0   0.0     506 100.0
INO        58  98.3      4   6.8      0   0.0     494  97.6
MR2        36  61.0      6  10.2      2   3.4     372  73.5
NAV        59 100.0      3   5.1      0   0.0     506 100.0
NOD        59 100.0      3   5.1      0   0.0     506 100.0
NV5        59 100.0      2   3.4      0   0.0     506 100.0
NVC        59 100.0      2   3.4      0   0.0     506 100.0
PAV        59 100.0      4   6.8      0   0.0     506 100.0
PRO        58  98.3      0   0.0      5   8.5     489  96.6
RAV        58  98.3      9  15.3      0   0.0     494  97.6
SCN        59 100.0      0   0.0      0   0.0     506 100.0
SWP        59 100.0      8  13.6      0   0.0     506 100.0
TSC        36  61.0      6  10.2      2   3.4     372  73.5
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table W98.M3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW macro viruses
              packed with PKZIP, LHA, ARJ and RAR
================================================================
        This includes Viruses detected per packer
Scanner ZIP     %   ARJ     %   RAR     %   LHA     %
----------------------------------------------------------
Testbed  59 100.0%   59 100.0%   59 100.0%   59 100.0%
----------------------------------------------------------
AN5      57  96.6    57  96.6     0   0.0    57  96.6
AVG      59 100.0    59 100.0     0   0.0     0   0.0
AVK      59 100.0    59 100.0    59 100.0    59 100.0
AVP      59 100.0    59 100.0    59 100.0    59 100.0
CMD      59 100.0    59 100.0     0   0.0     0   0.0
DWW      59 100.0    59 100.0    59 100.0     0   0.0
FPR      59 100.0    59 100.0     0   0.0     0   0.0
FPW      59 100.0    59 100.0     0   0.0     0   0.0
FSE      59 100.0    59 100.0    59 100.0    59 100.0
FWN      59 100.0     0   0.0    59 100.0     0   0.0
INO      58  98.3    58  98.3     0   0.0    58  98.3
MR2       0   0.0     0   0.0     0   0.0     0   0.0
NAV      59 100.0    59 100.0     0   0.0    59 100.0
NOD      59 100.0    59 100.0    59 100.0     0   0.0
NV5      59 100.0    59 100.0     0   0.0     0   0.0
NVC      59 100.0    59 100.0     0   0.0     0   0.0
PAV      59 100.0    59 100.0    59 100.0    59 100.0
PRO       0   0.0     0   0.0     0   0.0     0   0.0
RAV      58  98.3    58  98.3     0   0.0    58  98.3
SCN      59 100.0    59 100.0     0   0.0    59 100.0
SWP       0   0.0     0   0.0     0   0.0     0   0.0
TSC       0   0.0     0   0.0     0   0.0     0   0.0
VSP       0   0.0     0   0.0     0   0.0     0   0.0
----------------------------------------------------------


Table W98.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with PKZIP under Windows 98:
=====================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed    59 100.0%            %            %    506 100.0%
-----------------------------------------------------------
AN5        57  96.6      3   5.1      3   5.1     482  95.3
AVG        59 100.0      1   1.7      0   0.0     506 100.0
AVK        59 100.0      2   3.4      0   0.0     506 100.0
AVP        59 100.0      2   3.4      0   0.0     506 100.0
CMD        59 100.0      0   0.0      0   0.0     506 100.0
DWW        59 100.0      3   5.1      0   0.0     506 100.0
FPR        59 100.0      0   0.0      0   0.0     506 100.0
FPW        59 100.0      0   0.0      0   0.0     506 100.0
FSE        59 100.0      4   6.8      0   0.0     506 100.0
FWN        59 100.0      4   6.8      1   1.7     483  95.5
INO        58  98.3      0   0.0      0   0.0     494  97.6
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        59 100.0      3   5.1      0   0.0     506 100.0
NOD        59 100.0      3   5.1      0   0.0     506 100.0
NV5        59 100.0      2   3.4      0   0.0     506 100.0
NVC        59 100.0      2   3.4      0   0.0     506 100.0
PAV        59 100.0      4   6.8      0   0.0     506 100.0
PRO         0   0.0      0   0.0      0   0.0       0   0.0
RAV        58  98.3      9  15.3      1   1.7     493  97.4
SCN        59 100.0      0   0.0      1   1.7     499  98.6
SWP         0   0.0      0   0.0      0   0.0       0   0.0
TSC         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table W98.M3b: "LHA-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with LHA under Windows 98:
==================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed    59 100.0%            %            %    506 100.0%
-----------------------------------------------------------
AN5        57  96.6      3   5.1      3   5.1     482  95.3
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK        59 100.0      2   3.4      0   0.0     506 100.0
AVP        59 100.0      2   3.4      0   0.0     506 100.0
CMD         0   0.0      0   0.0      0   0.0       0   0.0
DWW         0   0.0      0   0.0      0   0.0       0   0.0
FPR         0   0.0      0   0.0      0   0.0       0   0.0
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE        59 100.0      4   6.8      0   0.0     506 100.0
FWN         0   0.0      0   0.0      0   0.0       0   0.0
INO        58  98.3      0   0.0      2   3.4     427  84.4
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        59 100.0      3   5.1      0   0.0     506 100.0
NOD         0   0.0      0   0.0      0   0.0       0   0.0
NV5         0   0.0      0   0.0      0   0.0       0   0.0
NVC         0   0.0      0   0.0      0   0.0       0   0.0
PAV        59 100.0      4   6.8      0   0.0     506 100.0
PRO         0   0.0      0   0.0      0   0.0       0   0.0
RAV        58  98.3      9  15.3      0   0.0     494  97.6
SCN        59 100.0      0   0.0      1   1.7     499  98.6
SWP         0   0.0      0   0.0      0   0.0       0   0.0
TSC         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table W98.M3c: "ARJ-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with ARJ under Windows 98:
==================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed    59 100.0%            %            %    506 100.0%
-----------------------------------------------------------
AN5        57  96.6      3   5.1      3   5.1     482  95.3
AVG        59 100.0      1   1.7      0   0.0     506 100.0
AVK        59 100.0      2   3.4      0   0.0     506 100.0
AVP        59 100.0      2   3.4      0   0.0     506 100.0
CMD        59 100.0      0   0.0      0   0.0     506 100.0
DWW        59 100.0      3   5.1      0   0.0     506 100.0
FPR        59 100.0      0   0.0      0   0.0     506 100.0
FPW        59 100.0      0   0.0      0   0.0     506 100.0
FSE        59 100.0      4   6.8      0   0.0     506 100.0
FWN         0   0.0      0   0.0      0   0.0       0   0.0
INO        58  98.3      0   0.0      0   0.0     494  97.6
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV        59 100.0      3   5.1      0   0.0     506 100.0
NOD        59 100.0      3   5.1      0   0.0     506 100.0
NV5        59 100.0      2   3.4      0   0.0     506 100.0
NVC        59 100.0      2   3.4      0   0.0     506 100.0
PAV        59 100.0      4   6.8      0   0.0     506 100.0
PRO         0   0.0      0   0.0      0   0.0       0   0.0
RAV        58  98.3      9  15.3      0   0.0     494  97.6
SCN        59 100.0      0   0.0      1   1.7     499  98.6
SWP         0   0.0      0   0.0      0   0.0       0   0.0
TSC         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table W98.M3d: "RAR-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with RAR under Windows 98:
==================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed    59 100.0%            %            %    506 100.0%
-----------------------------------------------------------
AN5         0   0.0      0   0.0      0   0.0       0   0.0
AVG         0   0.0      0   0.0      0   0.0       0   0.0
AVK        59 100.0      2   3.4      0   0.0     506 100.0
AVP        59 100.0      2   3.4      0   0.0     506 100.0
CMD         0   0.0      0   0.0      0   0.0       0   0.0
DWW        59 100.0      3   5.1      0   0.0     506 100.0
FPR         0   0.0      0   0.0      0   0.0       0   0.0
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE        59 100.0      4   6.8      0   0.0     506 100.0
FWN        59 100.0      4   6.8      0   0.0     506 100.0
INO         0   0.0      0   0.0      0   0.0       0   0.0
MR2         0   0.0      0   0.0      0   0.0       0   0.0
NAV         0   0.0      0   0.0      0   0.0       0   0.0
NOD        59 100.0      3   5.1      0   0.0     506 100.0
NV5         0   0.0      0   0.0      0   0.0       0   0.0
NVC         0   0.0      0   0.0      0   0.0       0   0.0
PAV        59 100.0      4   6.8      0   0.0     506 100.0
PRO         0   0.0      0   0.0      0   0.0       0   0.0
RAV         0   0.0      0   0.0      0   0.0       0   0.0
SCN         0   0.0      0   0.0      0   0.0       0   0.0
SWP         0   0.0      0   0.0      0   0.0       0   0.0
TSC         0   0.0      0   0.0      0   0.0       0   0.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------


Table W98.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows 98:
=====================================================================
                          This includes
          Viruses      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Maximum    26 100.0%            %            %    329 100.0%
-----------------------------------------------------------
AN5        15  57.7      0   0.0     15  57.7      36  10.9
ANT         0   0.0      0   0.0      0   0.0       0   0.0
AVG         5  19.2      0   0.0      5  19.2       7   2.1
AVK         4  15.4      0   0.0      4  15.4       4   1.2
AVP         5  19.2      0   0.0      5  19.2       8   2.4
AVS         0   0.0      0   0.0      0   0.0       0   0.0
AVX        26 100.0      2   7.7     21  80.8     277  84.2
CMD         3  11.5      0   0.0      3  11.5       3   0.9
DWW        22  84.6      0   0.0     22  84.6      95  28.9
FPR         0   0.0      0   0.0      0   0.0       0   0.0
FPW         0   0.0      0   0.0      0   0.0       0   0.0
FSE         5  19.2      0   0.0      5  19.2       8   2.4
FWN        24  92.3      0   0.0     24  92.3     173  52.6
INO        15  57.7      0   0.0     15  57.7      34  10.3
MR2        14  53.8      0   0.0     14  53.8      23   7.0
NAV         4  15.4      0   0.0      4  15.4       4   1.2
NOD         5  19.2      0   0.0      5  19.2       6   1.8
NV5         1   3.8      0   0.0      1   3.8       3   0.9
NVC         1   3.8      0   0.0      1   3.8       3   0.9
PAV         6  23.1      0   0.0      6  23.1      12   3.6
PRO         0   0.0      0   0.0      0   0.0       0   0.0
RAV        24  92.3      0   0.0     24  92.3     104  31.6
SCN         0   0.0      0   0.0      0   0.0       0   0.0
SWP         3  11.5      0   0.0      3  11.5       4   1.2
TSC        14  53.8      0   0.0     14  53.8      23   7.0
VSP         0   0.0      0   0.0      0   0.0       0   0.0
-----------------------------------------------------------
Remark: within 25 non-viral directories and totally 362
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table W98.M5: "Macro-Malware": Results of "full" zoo test
              for Macro-related malware under Windows 98:
===============================================================
                          This includes
          Malware      ---- unreliably ----         Files
Scanner   detected   identified     detected       detected
-----------------------------------------------------------
Testbed   167 100.0%            %            %    242 100.0%
-----------------------------------------------------------
AN5       141  84.4      1   0.6      3   1.8     203  83.9
ANT       137  82.0      0   0.0      3   1.8     196  81.0
AVG       137  82.0      1   0.6      3   1.8     201  83.1
AVK       166  99.4      0   0.0      0   0.0     241  99.6
AVP       166  99.4      0   0.0      0   0.0     241  99.6
AVS       143  85.6      2   1.2      1   0.6     213  88.0
AVX       159  95.2      3   1.8      7   4.2     226  93.4
CMD       165  98.8      1   0.6      0   0.0     240  99.2
DWW       141  84.4      1   0.6      2   1.2     209  86.4
FPR       165  98.8      2   1.2      0   0.0     240  99.2
FPW       165  98.8      2   1.2      0   0.0     240  99.2
FSE       167 100.0      2   1.2      0   0.0     242 100.0
FWN       160  95.8      4   2.4      1   0.6     231  95.5
INO       152  91.0      1   0.6      4   2.4     222  91.7
MR2       112  67.1      5   3.0      2   1.2     165  68.2
NAV       157  94.0      0   0.0      2   1.2     229  94.6
NOD       167 100.0      1   0.6      0   0.0     242 100.0
NV5       152  91.0      3   1.8      1   0.6     217  89.7
NVC       152  91.0      3   1.8      1   0.6     217  89.7
PAV       163  97.6      0   0.0      0   0.0     237  97.9
PRO        48  28.7      0   0.0      3   1.8      87  36.0
RAV       161  96.4      2   1.2      4   2.4     229  94.6
SCN       167 100.0      0   0.0      0   0.0     242 100.0
SWP        94  56.3      1   0.6      7   4.2     139  57.4
TSC       112  67.1      5   3.0      2   1.2     165  68.2
VSP         2   1.2      0   0.0      0   0.0       2   0.8
-----------------------------------------------------------