VIRUS TEST Nr. 003

-= SMEG Viruses =-

Copyright (C) 1994 Luca Sambucci
All rights reserved.

Italian Computer Antivirus Research Organization

The "Simulated Metamorphic Encryption Generator" is an engine
used to create polymorphic viruses. Some of these viruses seem
to be 'in the wild', especially in the United Kingdom.

At the moment there are three versions of the engine (v0.1, v0.2
and v0.3). For this test I've used one virus for each version:
Pathogen:SMEG.0.1 ; Queeg:SMEG.0.2 ; Trivia:SMEG.0.3

This is a second "bug fix" version of the previous SMEG test,
which had a few corrupted SMEG replications (damaged files instead
of 100% working viruses). I've used completely new replications,
and all of them are bug-free.
Also, for this test I've added the 0.3 version of the SMEG, and
I've included four new antivirus products (Dr. Solomon's AVTK,
IBM-Antivirus/DOS, Integrity Master and Virex).

Due to a technical problem I couldn't include the AVScan program;
I'll test it again next time.

For the options used and for other product information, please
refer to the TESTINFO.ZIP file available at all our distribution
sites (a list of all sites is available on request).

The following products (scanners) have been tested:

Name                  Version   Date (MM/DD/YY)   Producer
=-----------------------------------------------------------=
AV Toolkit Pro (-V)   2.00e     07/13/94          KAMI Ltd.
AVTK (Findviru)       6.6       05/11/94          S&S Int. Ltd.
F-Prot                2.13a     07/27/94          Frisk Soft. Int.
IBM Antivirus/DOS     1.06      07/11/94          IBM Corp.
Integrity Master      2.22a     05/25/94          Stiller Research
Sweep                 2.64      08/01/94          Sophos Plc
TBAV (TbScan)         6.22      07/11/94          ESaSS BV
Virex PC (VPCScan)    2.94      07/05/94          Datawatch Corp.
VirusScan             2.1.0     07/18/94          McAfee Inc.

TEST RESULTS

Pathogen:SMEG.0.1

For the test I've infected 1000 files (500 COM and 500 EXE)
with "Pathogen" replications.

Here are the results (1000 replications):

|   Antivirus    |Rel.    |Unrel.  |Not      | %Total  |
|    product     |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
 AVP 2.00e       |  1000  |     0  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 Findviru 6.6    |  1000  |     0  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 F-Prot 2.13a    |  1000  |     0  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 IBMAV 1.06      |     0  |  1000  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 I-Master 2.22a  |     0  |  1000  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 Sweep 2.64      |  1000  |     0  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 TbScan 6.22     |     0  |   393  |   607   <  39.30% >
=----------------+--------+--------+---------+=========+-=
 VPCScan 2.94    |     0  |     0  |  1000   <   0.00% >
=----------------+--------+--------+---------+=========+-=
 VirusScan 2.1.0 |   950  |     0  |    50   <  95.00% >
=----------------+--------+--------+---------+=========+-=

Queeg:SMEG.0.2

For the test I've infected 1000 files (500 COM and 500 EXE)
with "Queeg" replications.

Here are the results (1000 replications):

|   Antivirus    |Rel.    |Unrel.  |Not      | %Total  |
|    product     |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
 AVP 2.00e       |  1000  |     0  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 Findviru 6.6    |  1000  |     0  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 F-Prot 2.13a    |  1000  |     0  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 IBMAV 1.06      |     0  |  1000  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 I-Master 2.22a  |     0  |  1000  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 Sweep 2.64      |     0  |   631  |   369   <  63.10% >
=----------------+--------+--------+---------+=========+-=
 TbScan 6.22     |     0  |   129  |   871   <  12.90% >
=----------------+--------+--------+---------+=========+-=
 VPCScan 2.94    |     0  |     0  |  1000   <   0.00% >
=----------------+--------+--------+---------+=========+-=
 VirusScan 2.1.0 |     0  |     0  |  1000   <   0.00% >
=----------------+--------+--------+---------+=========+-=

Note:

All "Queeg" replications detected by Sweep have been
identified as "Pathogen".

Trivia:SMEG.0.3

For the test I've infected 1000 files (1000 COM)
with "Trivia" replications.

Here are the results (1000 replications):

|   Antivirus    |Rel.    |Unrel.  |Not      | %Total  |
|    product     |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
 AVP 2.00e       |     0  |  1000  |     0   < 100.00% >
=----------------+--------+--------+---------+=========+-=
 Findviru 6.6    |     0  |     0  |  1000   <   0.00% >
=----------------+--------+--------+---------+=========+-=
 F-Prot 2.13a    |     0  |   891  |   109   <  89.10% >
=----------------+--------+--------+---------+=========+-=
 IBMAV 1.06      |     0  |     0  |  1000   <   0.00% >
=----------------+--------+--------+---------+=========+-=
 I-Master 2.22a  |     0  |   323  |   677   <  32.30% >
=----------------+--------+--------+---------+=========+-=
 Sweep 2.64      |     0  |     0  |  1000   <   0.00% >
=----------------+--------+--------+---------+=========+-=
 TbScan 6.22     |     0  |   771  |   229   <  77.10% >
=----------------+--------+--------+---------+=========+-=
 VPCScan 2.94    |     0  |     0  |  1000   <   0.00% >
=----------------+--------+--------+---------+=========+-=
 VirusScan 2.1.0 |     0  |     0  |  1000   <   0.00% >
=----------------+--------+--------+---------+=========+-=

GLOBAL RESULTS SMEG viruses (3000 replications):

|   Antivirus    |%Detect.|%Detect.|%Detect. | %Total |
|    product     |Pathogen| Queeg  | Trivia  |  SMEG  |
=----------------+--------+--------+---------+========+--=
 AVP 2.00e       | 100.00%| 100.00%| 100.00% <100.00% >
=----------------+--------+--------+---------+========+--=
 Findviru 6.6    | 100.00%| 100.00%|   0.00% < 66.67% >
=----------------+--------+--------+---------+========+--=
 F-Prot 2.13a    | 100.00%| 100.00%|  89.10% < 96.37% >
=----------------+--------+--------+---------+========+--=
 IBMAV 1.06      | 100.00%| 100.00%|   0.00% < 66.67% >
=----------------+--------+--------+---------+========+--=
 I-Master 2.22a  | 100.00%| 100.00%|  32.30% < 77.43% >
=----------------+--------+--------+---------+========+--=
 Sweep 2.64      | 100.00%|  63.10%|   0.00% < 54.37% >
=----------------+--------+--------+---------+========+--=
 TbScan 6.22     |  39.30%|  12.90%|  77.10% < 43.10% >
=----------------+--------+--------+---------+========+--=
 VPCScan 2.94    |   0.00%|   0.00%|   0.00% <  0.00% >
=----------------+--------+--------+---------+========+--=
 VirusScan 2.1.0 |  95.00%|   0.00%|   0.00% < 31.67% >
=----------------+--------+--------+---------+========+--=

LEGEND:

- Reliably identified: Detected with the correct name
  (note: to be marked as "reliably identified" the scanner
  must provide the "exact identification" of the virus.
  An identification that provides the family name only
  isn't exact enough)

- Unreliably identified: Detected with the wrong name, with the
  heuristic/generic analyser, or as a "new" variant of the
  virus

- Not detected: Not detected at all

- %Total Detected: The global detection rate (test set=100%)

Internet: luca.sambucci@ntgate.unisg.ch
FidoNet:  Luca Sambucci 2:335/348.6