VIRUS TEST Nr. 003
-= SMEG Viruses =-

Copyright (C) 1994 Luca Sambucci
All rights reserved.

Italian Computer Antivirus Research Organization


The "Simulated Metamorphic Encryption Generator" is an engine used to
create polymorphic viruses. Some of these viruses seem to be 'in the
wild', especially in the United Kingdom. At the moment there are three
versions of the engine (v0.1, v0.2 and v0.3). For this test I've used
one virus for each version:

    Pathogen:SMEG.0.1 ; Queeg:SMEG.0.2 ; Trivia:SMEG.0.3

This is a second "bug fix" version of the previous SMEG test, which had
a few corrupted SMEG replications (damaged files instead of 100% working
viruses). I've used completely new replications, and all of them are
bug-free. Also, for this test I've added the 0.3 version of the SMEG,
and I've included four new antivirus products (Dr. Solomon's AVTK,
IBM-Antivirus/DOS, Integrity Master and Virex). Due to a technical
problem I couldn't include the AVScan program; I'll test it again next
time.

For the options used and for information on the other products, please
refer to the TESTINFO.ZIP file available at all our distribution sites
(a list of all sites is available on request).

The following products (scanners) have been tested:

 Name                  Version  Date (MM/DD/YY)  Producer
=-----------------------------------------------------------=
 AV Toolkit Pro (-V)   2.00e    07/13/94         KAMI Ltd.
 AVTK (Findviru)       6.6      05/11/94         S&S Int. Ltd.
 F-Prot                2.13a    07/27/94         Frisk Soft. Int.
 IBM Antivirus/DOS     1.06     07/11/94         IBM Corp.
 Integrity Master      2.22a    05/25/94         Stiller Research
 Sweep                 2.64     08/01/94         Sophos Plc
 TBAV (TbScan)         6.22     07/11/94         ESaSS BV
 Virex PC (VPCScan)    2.94     07/05/94         Datawatch Corp.
 VirusScan             2.1.0    07/18/94         McAfee Inc.


TEST RESULTS

Pathogen:SMEG.0.1

For the test I've infected 1000 files (500 COM and 500 EXE) with
"Pathogen" replications. Here are the results (1000 replications):

| Antivirus      |Rel.    |Unrel.  |Not      | %Total  |
| product        |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
 AVP 2.00e       |  1000  |     0  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 Findviru 6.6    |  1000  |     0  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 F-Prot 2.13a    |  1000  |     0  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 IBMAV 1.06      |     0  |  1000  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 I-Master 2.22a  |     0  |  1000  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 Sweep 2.64      |  1000  |     0  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 TbScan 6.22     |     0  |   393  |    607  <  39.30% >
=----------------+--------+--------+---------+=========+-=
 VPCScan 2.94    |     0  |     0  |   1000  <   0.00% >
=----------------+--------+--------+---------+=========+-=
 VirusScan 2.1.0 |   950  |     0  |     50  <  95.00% >
=----------------+--------+--------+---------+=========+-=


Queeg:SMEG.0.2

For the test I've infected 1000 files (500 COM and 500 EXE) with
"Queeg" replications. Here are the results (1000 replications):

| Antivirus      |Rel.    |Unrel.  |Not      | %Total  |
| product        |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
 AVP 2.00e       |  1000  |     0  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 Findviru 6.6    |  1000  |     0  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 F-Prot 2.13a    |  1000  |     0  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 IBMAV 1.06      |     0  |  1000  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 I-Master 2.22a  |     0  |  1000  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 Sweep 2.64      |     0  |   631  |    369  <  63.10% >
=----------------+--------+--------+---------+=========+-=
 TbScan 6.22     |     0  |   129  |    871  <  12.90% >
=----------------+--------+--------+---------+=========+-=
 VPCScan 2.94    |     0  |     0  |   1000  <   0.00% >
=----------------+--------+--------+---------+=========+-=
 VirusScan 2.1.0 |     0  |     0  |   1000  <   0.00% >
=----------------+--------+--------+---------+=========+-=

Note: All "Queeg" replications detected by Sweep have been identified
as "Pathogen".


Trivia:SMEG.0.3

For the test I've infected 1000 files (1000 COM) with "Trivia"
replications. Here are the results (1000 replications):

| Antivirus      |Rel.    |Unrel.  |Not      | %Total  |
| product        |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
 AVP 2.00e       |     0  |  1000  |      0  < 100.00% >
=----------------+--------+--------+---------+=========+-=
 Findviru 6.6    |     0  |     0  |   1000  <   0.00% >
=----------------+--------+--------+---------+=========+-=
 F-Prot 2.13a    |     0  |   891  |    109  <  89.10% >
=----------------+--------+--------+---------+=========+-=
 IBMAV 1.06      |     0  |     0  |   1000  <   0.00% >
=----------------+--------+--------+---------+=========+-=
 I-Master 2.22a  |     0  |   323  |    677  <  32.30% >
=----------------+--------+--------+---------+=========+-=
 Sweep 2.64      |     0  |     0  |   1000  <   0.00% >
=----------------+--------+--------+---------+=========+-=
 TbScan 6.22     |     0  |   771  |    229  <  77.10% >
=----------------+--------+--------+---------+=========+-=
 VPCScan 2.94    |     0  |     0  |   1000  <   0.00% >
=----------------+--------+--------+---------+=========+-=
 VirusScan 2.1.0 |     0  |     0  |   1000  <   0.00% >
=----------------+--------+--------+---------+=========+-=


GLOBAL RESULTS

SMEG viruses (3000 replications):

| Antivirus      |%Detect.|%Detect.|%Detect. | %Total |
| product        |Pathogen| Queeg  | Trivia  |  SMEG  |
=----------------+--------+--------+---------+========+--=
 AVP 2.00e       | 100.00%| 100.00%| 100.00% <100.00% >
=----------------+--------+--------+---------+========+--=
 Findviru 6.6    | 100.00%| 100.00%|   0.00% < 66.67% >
=----------------+--------+--------+---------+========+--=
 F-Prot 2.13a    | 100.00%| 100.00%|  89.10% < 96.37% >
=----------------+--------+--------+---------+========+--=
 IBMAV 1.06      | 100.00%| 100.00%|   0.00% < 66.67% >
=----------------+--------+--------+---------+========+--=
 I-Master 2.22a  | 100.00%| 100.00%|  32.30% < 77.43% >
=----------------+--------+--------+---------+========+--=
 Sweep 2.64      | 100.00%|  63.10%|   0.00% < 54.37% >
=----------------+--------+--------+---------+========+--=
 TbScan 6.22     |  39.30%|  12.90%|  77.10% < 43.10% >
=----------------+--------+--------+---------+========+--=
 VPCScan 2.94    |   0.00%|   0.00%|   0.00% <  0.00% >
=----------------+--------+--------+---------+========+--=
 VirusScan 2.1.0 |  95.00%|   0.00%|   0.00% < 31.67% >
=----------------+--------+--------+---------+========+--=


LEGEND:

- Reliably identified:   Detected with the correct name (note: to be
                         marked as "reliably identified" the scanner
                         must provide the "exact identification" of
                         the virus. An identification that provides
                         the family name only isn't exact enough)
- Unreliably identified: Detected with the wrong name, with the
                         heuristic/generic analyser, or as a "new"
                         variant of the virus
- Not detected:          Not detected at all
- %Total Detected:       The global detection rate (test set=100%)


Internet: luca.sambucci@ntgate.unisg.ch
FidoNet:  Luca Sambucci 2:335/348.6