=================================================
File 6FW98.TXT
Detailed results of Macro Virus related
on-demand scanner tests under Windows 98:
=================================================
(Formatted with non-proportional font: Courier)

The following tables summarize detection and identification
quality concerning MACRO viruses as well as selected MACRO
MALWARE, both in full "zoo" virus collection and for viral ITW
testbed, under W-98. Moreover, results for detection of viruses
in objects compressed with 4 popular packing methods are also
given. Finally, a special test was performed concerning "false
positive" virus detection of selected files which were
deliberately chosen from available CD-ROMs and which were
definitively clean of viruses.

For discussion of results, see 7EVAL.txt and 0XECSUM.TXT.

As usual, results may be influenced by problems experienced
during tests; such problems are documented in 8PROBLMS.TXT.

Index of tables:
----------------
W98.M1:  "MacroVirus 1": Results of "full" test for macro viruses
W98.M2:  "MacroVirus 2": Results of "In-The-Wild" test for
         macro viruses
W98.M3:  "Comparison of Detection Rate of Packed Viruses":
         Results of Detection Rate of ITW file viruses packed
         with PKZIP, LHA, ARJ and RAR
W98.M3a: "PKZIP-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with PKZIP
W98.M3b: "LHA-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with LHA
W98.M3c: "ARJ-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with ARJ
W98.M3d: "RAR-Packed Macro Viruses": Results of Detection of
         ITW macro Viruses Packed with RAR
W98.M4:  "False Positive" detection: Results of "full" Zoo test
         for non-viral (clean) macro objects detected as
         "false positives"
W98.M5:  "Macro-Malware": Results of "full" zoo test for
         Macro-related malware
W98.S1:  "ScriptVirus 1": Results of partial Zoo test for script
         viruses (esp. VBS, MIRC and JavaScript)


Table W98.M1: "MacroVirus 1": Results of "full" zoo test
              for macro viruses under Windows 98:
======================================================
                            This includes
        Viruses          ---- unreliably ----     Files
Scanner detected      identified    detected      detected
--------------------------------------------------------------
Testbed  5418 100.0%                              15720 100.0%
--------------------------------------------------------------
ANT      5224  96.4     132   2.4      37   0.7   15169  96.5
AVA      5100  94.1      34   0.6      32   0.6   14809  94.2
AVG      5305  97.9      21   0.4      10   0.2   15428  98.1
AVK      5417 100.0      81   1.5       1   0.0   15716 100.0
AVP      5417 100.0      81   1.5       1   0.0   15716 100.0
AVX      5364  99.0     356   6.6       6   0.1   15580  99.1
CMD      5418 100.0%     63   1.2       0   0.0   15720 100.0%
DRW      5282  97.5      60   1.1      34   0.6   15395  97.9
DSE      5418 100.0%     39   0.7       0   0.0   15720 100.0%
FPW      5418 100.0%      4   0.1       0   0.0   15720 100.0%
FSE      5418 100.0%      5   0.1       0   0.0   15720 100.0%
INO      5406  99.8      74   1.4       3   0.1   15688  99.8
NAV      5292  97.7      68   1.3      10   0.2   15324  97.5
NVC      5413  99.9      53   1.0       8   0.1   15685  99.8
PAV      5417 100.0      81   1.5       1   0.0   15716 100.0
PER      3639  67.2      73   1.3      23   0.4   10368  66.0
PRO      3745  69.1       0   0.0     111   2.0   10443  66.4
RAV      5252  96.9     212   3.9      12   0.2   15219  96.8
SCN      5416 100.0       0   0.0       0   0.0   15716 100.0
--------------------------------------------------------------
Remark: since test "2000-07", "100.0%" or "100%" denotes
        "exactly 100%", whereas "100.0" or "100.0~" denotes
        "100% rounded-up".


Table W98.M2: "MacroVirus 2": Results of "In-The-Wild" test
              for macro viruses under Windows 98:
=======================================================
                            This includes
        Viruses          ---- unreliably ----     Files
Scanner detected      identified    detected      detected
--------------------------------------------------------------
Testbed   133 100.0                                 241 100.0
--------------------------------------------------------------
ANT       131  98.5       0   0.0       0   0.0     239  99.2
AVA       133 100.0%      0   0.0       0   0.0     241 100.0%
AVG       133 100.0%      0   0.0       0   0.0     241 100.0%
AVK       133 100.0%      0   0.0       0   0.0     241 100.0%
AVP       133 100.0%      0   0.0       0   0.0     241 100.0%
AVX       133 100.0%     21  15.8       0   0.0     241 100.0%
CMD       133 100.0%      0   0.0       0   0.0     241 100.0%
DRW       133 100.0%      1   0.8       0   0.0     241 100.0%
DSE       133 100.0%      1   0.8       0   0.0     241 100.0%
FPW       133 100.0%      0   0.0       0   0.0     241 100.0%
FSE       133 100.0%      0   0.0       0   0.0     241 100.0%
INO       133 100.0%      1   0.8       0   0.0     241 100.0%
NAV       133 100.0%      1   0.8       0   0.0     241 100.0%
NVC       133 100.0%      0   0.0       0   0.0     241 100.0%
PAV       133 100.0%      0   0.0       0   0.0     241 100.0%
PER        97  72.9       1   0.8       0   0.0     185  76.8
PRO       133 100.0%      0   0.0       0   0.0     241 100.0%
QHL       116  87.2       9   6.8       3   2.3     212  88.0
RAV       133 100.0%     22  16.5       0   0.0     241 100.0%
SCN       133 100.0%      0   0.0       0   0.0     241 100.0%
--------------------------------------------------------------


Table W98.M3: "Comparison of Detection Rate of Packed Viruses":
              Results of Detection Rate of ITW macro viruses
              packed with PKZIP, LHA, ARJ and RAR
================================================================
        This includes Viruses detected per packer
Scanner   ZIP     %     LHA     %     ARJ     %     RAR     %
--------------------------------------------------------------
Testbed   137 100.0%    137 100.0%    137 100.0%    137 100.0%
--------------------------------------------------------------
ANT       134  97.8     134  97.8     134  97.8     134  97.8
AVA       137 100.0%      0   0.0       0   0.0       0   0.0
AVG       137 100.0%      0   0.0     137 100.0%    137 100.0%
AVK       137 100.0%    137 100.0%    137 100.0%    137 100.0%
AVP       137 100.0%    137 100.0%    137 100.0%    137 100.0%
AVX       137 100.0%    137 100.0%    137 100.0%    137 100.0%
CMD       137 100.0%    137 100.0%    137 100.0%    137 100.0%
DRW       136  99.3       0   0.0     136  99.3     136  99.3
DSE       137 100.0%    137 100.0%      0   0.0       0   0.0
FPW       137 100.0%      0   0.0     137 100.0%      0   0.0
FSE       108  78.8     108  78.8     108  78.8       0   0.0
INO       137 100.0%    136  99.3     137 100.0%      0   0.0
NAV       137 100.0%    137 100.0%    137 100.0%      0   0.0
NVC       137 100.0%      0   0.0     137 100.0%      0   0.0
PAV       137 100.0%    137 100.0%    137 100.0%    137 100.0%
PER        98  71.5       0   0.0       0   0.0       0   0.0
PRO       136  99.3       0   0.0       0   0.0       0   0.0
QHL       116  84.7       0   0.0     116  84.7       0   0.0
RAV       136  99.3     137 100.0%    137 100.0%      0   0.0
SCN       137 100.0%    137 100.0%    137 100.0%    137 100.0%
--------------------------------------------------------------


Table W98.M3a: "PKZIP-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with PKZIP
               under Windows 98:
=====================================================================
                            This includes
        Viruses          ---- unreliably ----     Files
Scanner detected      identified    detected      detected
--------------------------------------------------------------
Testbed   137 100.0%                                247 100.0%
--------------------------------------------------------------
ANT       134  97.8       0   0.0       1   0.7     243  98.4
AVA       137 100.0%      0   0.0       1   0.7     246  99.6
AVG       137 100.0%      0   0.0       1   0.7     246  99.6
AVK       137 100.0%      0   0.0       1   0.7     246  99.6
AVP       137 100.0%      1   0.7       0   0.0     247 100.0%
AVX       137 100.0%     21  15.3       1   0.7     246  99.6
CMD       137 100.0%      0   0.0       1   0.7     246  99.6
DRW       136  99.3       1   0.7       1   0.7     245  99.2
DSE       137 100.0%      1   0.7       1   0.7     246  99.6
FPW       137 100.0%      0   0.0       3   2.2     246  99.6
FSE       108  78.8       0   0.0     107  78.1     110  44.5
INO       137 100.0%      2   1.5       0   0.0     247 100.0%
NAV       137 100.0%      1   0.7       1   0.7     246  99.6
NVC       137 100.0%      1   0.7       0   0.0     247 100.0%
PAV       137 100.0%      1   0.7       0   0.0     247 100.0%
PER        98  71.5       1   0.7       0   0.0     186  75.3
PRO       136  99.3       1   0.7       1   0.7     245  99.2
QHL       116  84.7       5   3.6       3   2.2     212  85.8
RAV       136  99.3      21  15.3       2   1.5     244  98.8
SCN       137 100.0%      0   0.0       1   0.7     246  99.6
--------------------------------------------------------------


Table W98.M3b: "LHA-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with LHA
               under Windows 98:
==================================================================
                            This includes
        Viruses          ---- unreliably ----     Files
Scanner detected      identified    detected      detected
--------------------------------------------------------------
Testbed   137 100.0%                                247 100.0%
--------------------------------------------------------------
ANT       134  97.8       0   0.0       1   0.7     243  98.4
AVA         0   0.0       0   0.0       0   0.0       0   0.0
AVG         0   0.0       0   0.0       0   0.0       0   0.0
AVK       137 100.0%      0   0.0       1   0.7     246  99.6
AVP       137 100.0%      1   0.7       0   0.0     247 100.0%
AVX       137 100.0%     21  15.3       1   0.7     246  99.6
CMD       137 100.0%      0   0.0       1   0.7     246  99.6
DRW         0   0.0       0   0.0       0   0.0       0   0.0
DSE       137 100.0%      1   0.7       1   0.7     246  99.6
FPW         0   0.0       0   0.0       0   0.0       0   0.0
FSE       108  78.8       0   0.0     107  78.1     110  44.5
INO       136  99.3       2   1.5       1   0.7     245  99.2
NAV       137 100.0%      1   0.7       1   0.7     246  99.6
NVC         0   0.0       0   0.0       0   0.0       0   0.0
PAV       137 100.0%      1   0.7       0   0.0     247 100.0%
PER         0   0.0       0   0.0       0   0.0       0   0.0
PRO         0   0.0       0   0.0       0   0.0       0   0.0
QHL         0   0.0       0   0.0       0   0.0       0   0.0
RAV       137 100.0%     22  16.1       1   0.7     246  99.6
SCN       137 100.0%      0   0.0       1   0.7     246  99.6
--------------------------------------------------------------


Table W98.M3c: "ARJ-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with ARJ
               under Windows 98:
==================================================================
                            This includes
        Viruses          ---- unreliably ----     Files
Scanner detected      identified    detected      detected
--------------------------------------------------------------
Testbed   137 100.0%                                247 100.0%
--------------------------------------------------------------
ANT       134  97.8       0   0.0       1   0.7     243  98.4
AVA         0   0.0       0   0.0       0   0.0       0   0.0
AVG       137 100.0%      0   0.0       1   0.7     246  99.6
AVK       137 100.0%      0   0.0       1   0.7     246  99.6
AVP       137 100.0%      1   0.7       0   0.0     247 100.0%
AVX       137 100.0%     21  15.3       1   0.7     246  99.6
CMD       137 100.0%      0   0.0       1   0.7     246  99.6
DRW       136  99.3       1   0.7       1   0.7     245  99.2
DSE         0   0.0       0   0.0       0   0.0       0   0.0
FPW       137 100.0%      0   0.0       3   2.2     246  99.6
FSE       108  78.8       0   0.0     107  78.1     110  44.5
INO       137 100.0%      2   1.5       0   0.0     247 100.0%
NAV       137 100.0%      1   0.7       1   0.7     246  99.6
NVC       137 100.0%      1   0.7       0   0.0     247 100.0%
PAV       137 100.0%      1   0.7       0   0.0     247 100.0%
PER         0   0.0       0   0.0       0   0.0       0   0.0
PRO         0   0.0       0   0.0       0   0.0       0   0.0
QHL       116  84.7       5   3.6       3   2.2     212  85.8
RAV       137 100.0      22  16.1       1   0.7     246  99.6
SCN       137 100.0%      0   0.0       1   0.7     246  99.6
--------------------------------------------------------------


Table W98.M3d: "RAR-Packed Macro Viruses": Results of Detection
               of ITW Macro Viruses Packed with RAR
               under Windows 98:
==================================================================
                            This includes
        Viruses          ---- unreliably ----     Files
Scanner detected      identified    detected      detected
--------------------------------------------------------------
Testbed   137 100.0%                                247 100.0%
--------------------------------------------------------------
ANT       134  97.8       0   0.0       1   0.7     243  98.4
AVA         0   0.0       0   0.0       0   0.0       0   0.0
AVG       137 100.0%      0   0.0       1   0.7     246  99.6
AVK       137 100.0%      0   0.0       1   0.7     246  99.6
AVP       137 100.0%      1   0.7       0   0.0     247 100.0%
AVX       137 100.0%     21  15.3       1   0.7     246  99.6
CMD       137 100.0%      0   0.0       1   0.7     246  99.6
DRW       136  99.3       1   0.7       1   0.7     245  99.2
DSE         0   0.0       0   0.0       0   0.0       0   0.0
FPW         0   0.0       0   0.0       0   0.0       0   0.0
FSE         0   0.0       0   0.0       0   0.0       0   0.0
INO         0   0.0       0   0.0       0   0.0       0   0.0
NAV         0   0.0       0   0.0       0   0.0       0   0.0
NVC         0   0.0       0   0.0       0   0.0       0   0.0
PAV       137 100.0%      1   0.7       0   0.0     247 100.0%
PER         0   0.0       0   0.0       0   0.0       0   0.0
PRO         0   0.0       0   0.0       0   0.0       0   0.0
QHL         0   0.0       0   0.0       0   0.0       0   0.0
RAV         0   0.0       0   0.0       0   0.0       0   0.0
SCN       137 100.0%      0   0.0       1   0.7     246  99.6
--------------------------------------------------------------


Table W98.M4: "False Positive" macro virus detection: Results of
              "full" zoo test for non-viral (clean) macro objects
              detected as "false positives" under Windows 98:
=====================================================================
                            This includes
        Viruses          ---- unreliably ----     Files
Scanner detected      identified    detected      detected
--------------------------------------------------------------
Testbed    26 100.0%                                329 100.0%
--------------------------------------------------------------
ANT        15  57.7       0   0.0      15  57.7      36  10.9
AVA         0   0.0       0   0.0       0   0.0       0   0.0
AVG         0   0.0       0   0.0       0   0.0       0   0.0
AVK         0   0.0       0   0.0       0   0.0       0   0.0
AVP         0   0.0       0   0.0       0   0.0       0   0.0
AVX        16  61.5       0   0.0      16  61.5      25   7.6
CMD         1   3.8       0   0.0       1   3.8       2   0.6
DRW        21  80.8       0   0.0      21  80.8      94  28.6
DSE         0   0.0       0   0.0       0   0.0       0   0.0
FPW         1   3.8       0   0.0       1   3.8       2   0.6
FSE         1   3.8       0   0.0       1   3.8       2   0.6
INO         0   0.0       0   0.0       0   0.0       0   0.0
NAV         4  15.4       0   0.0       4  15.4       4   1.2
NVC         3  11.5       0   0.0       3  11.5       5   1.5
PAV         0   0.0       0   0.0       0   0.0       0   0.0
PER         2   7.7       0   0.0       2   7.7       3   0.9
PRO         0   0.0       0   0.0       0   0.0       0   0.0
RAV        24  92.3       0   0.0      24  92.3     104  31.6
SCN         0   0.0       0   0.0       0   0.0       0   0.0
--------------------------------------------------------------
Remark: within 26 non-viral directories and totally 329
        non-viral objects, at least one sample in N directories
        was falsely detected (N = number in column 1)


Table W98.M5: "Macro-Malware": Results of "full" zoo test
              for Macro-related malware under Windows 98:
===============================================================
                            This includes
        Malware          ---- unreliably ----     Files
Scanner detected      identified    detected      detected
--------------------------------------------------------------
Testbed   334 100.0%                                500 100.0%
--------------------------------------------------------------
ANT       269  80.5       4   1.2       4   1.2     412  82.4
AVA       241  72.2       3   0.9       3   0.9     364  72.8
AVG       267  79.9       3   0.9       5   1.5     414  82.8
AVK       328  98.2       0   0.0       0   0.0     494  98.8
AVP       328  98.2       0   0.0       0   0.0     494  98.8
AVX       313  93.7      14   4.2       4   1.2     474  94.8
CLE         0   0.0       0   0.0       0   0.0       0   0.0
CMD       334 100.0%      4   1.2       0   0.0     500 100.0%
DRW       233  69.8       1   0.3       6   1.8     367  73.4
DSE       333  99.7       4   1.2       0   0.0     499  99.8
FPW       334 100.0%      1   0.3       0   0.0     500 100.0%
FSE       333  99.7       0   0.0       0   0.0     499  99.8
INO       326  97.6       3   0.9       3   0.9     488  97.6
NAV       258  77.2       1   0.3       3   0.9     394  78.8
NVC       332  99.4       9   2.7       4   1.2     484  96.8
PAV       328  98.2       0   0.0       0   0.0     494  98.8
PER       198  59.3       4   1.2       5   1.5     300  60.0
PRO       181  54.2       0   0.0       7   2.1     247  49.4
QHL       207  62.0       5   1.5      17   5.1     287  57.4
RAV       300  89.8      16   4.8       6   1.8     447  89.4
SCN       324  97.0       0   0.0       0   0.0     490  98.0
--------------------------------------------------------------


Table W98.S1: "ScriptVirus 1": Results of partial Zoo test
              for script viruses under DOS:
=====================================================
                            This includes
        Viruses          ---- unreliably ----     Files
Scanner detected      identified    detected      detected
--------------------------------------------------------------
Testbed   306 100.0%                                527 100.0%
--------------------------------------------------------------
ANT       169  55.2       6   2.0      15   4.9     321  60.9
AVA        46  15.0       1   0.3       4   1.3     164  31.1
AVK       279  91.2      19   6.2       4   1.3     491  93.2
AVP       270  88.2      20   6.5       2   0.7     474  89.9
AVX       188  61.4       3   1.0      25   8.2     358  67.9
CLE        13   4.2       0   0.0       6   2.0      24   4.6
CMD       286  93.5       1   0.3       0   0.0     502  95.3
DRW       183  59.8       5   1.6      10   3.3     311  59.0
DSE       293  95.8      11   3.6       0   0.0     509  96.6
FPW       278  90.8       3   1.0       2   0.7     487  92.4
FSE       296  96.7       1   0.3       0   0.0     514  97.5
INO       239  78.1       9   2.9       8   2.6     436  82.7
NAV       112  36.6       5   1.6      12   3.9     240  45.5
NVC       256  83.7       7   2.3       9   2.9     457  86.7
PAV       276  90.2      20   6.5       2   0.7     487  92.4
PER        55  18.0       0   0.0       9   2.9     124  23.5
PRO        37  12.1       0   0.0      12   3.9     132  25.0
QHL        21   6.9       0   0.0       3   1.0      38   7.2
RAV       144  47.1       6   2.0      10   3.3     274  52.0
SCN       293  95.8       1   0.3       0   0.0     509  96.6
--------------------------------------------------------------