VIRUS TEST Nr. 003
-= SMEG Viruses =-
Copyright (C) 1994 Luca Sambucci
All rights reserved.
Italian Computer Antivirus Research Organization
The "Simulated Metamorphic Encryption Generator" is an engine
used to create polymorphic viruses. Some of these viruses seem
to be 'in the wild', especially in the United Kingdom.
At the moment there are three versions of the engine (v0.1, v0.2
and v0.3). For this test I've used one virus for each version:
Pathogen:SMEG.0.1 ; Queeg:SMEG.0.2 ; Trivia:SMEG.0.3
This is a second "bug fix" version of the previous SMEG test,
which had a few corrupted SMEG replications (damaged files instead
of 100% working viruses). I've used completely new replications,
and all of them are bug-free.
Also, for this test I've added the 0.3 version of the SMEG, and
I've included four new antivirus products (Dr. Solomon's AVTK,
IBM-Antivirus/DOS, Integrity Master and Virex).
Due to a technical problem I couldn't include the AVScan program,
I'll test it again the next time.
For the options used and for other products information, please
refer to the TESTINFO.ZIP file available at all our distribution
sites (a list of all sites is available at request).
The following products (scanners) have been tested:
Name Version Date (MM/DD/YY) Producer
=-----------------------------------------------------------=
AV Toolkit Pro (-V) 2.00e 07/13/94 KAMI Ltd.
AVTK (Findviru) 6.6 05/11/94 S&S Int. Ltd.
F-Prot 2.13a 07/27/94 Frisk Soft. Int.
IBM Antivirus/DOS 1.06 07/11/94 IBM Corp.
Integrity Master 2.22a 05/25/94 Stiller Research
Sweep 2.64 08/01/94 Sophos Plc
TBAV (TbScan) 6.22 07/11/94 ESaSS BV
Virex PC (VPCScan) 2.94 07/05/94 Datawatch Corp.
VirusScan 2.1.0 07/18/94 McAfee Inc.
TEST RESULTS
Pathogen:SMEG.0.1
For the test I've infected 1000 files (500 COM and 500 EXE)
with "Pathogen" replications.
Here the results (1000 replications):
| Antivirus |Rel. |Unrel. |Not | %Total |
| product |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
AVP 2.00e | 1000 | 0 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
Findviru 6.6 | 1000 | 0 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
F-Prot 2.13a | 1000 | 0 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
IBMAV 1.06 | 0 | 1000 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
I-Master 2.22a | 0 | 1000 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
Sweep 2.64 | 1000 | 0 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
TbScan 6.22 | 0 | 393 | 607 < 39.30% >
=----------------+--------+--------+---------+=========+-=
VPCScan 2.94 | 0 | 0 | 1000 < 0.00% >
=----------------+--------+--------+---------+=========+-=
VirusScan 2.1.0| 950 | 0 | 50 < 95.00% >
=----------------+--------+--------+---------+=========+-=
Queeg:SMEG.0.2
For the test I've infected 1000 files (500 COM and 500 EXE)
with "Queeg" replications.
Here the results (1000 replications):
| Antivirus |Rel. |Unrel. |Not | %Total |
| product |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
AVP 2.00e | 1000 | 0 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
Findviru 6.6 | 1000 | 0 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
F-Prot 2.13a | 1000 | 0 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
IBMAV 1.06 | 0 | 1000 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
I-Master 2.22a | 0 | 1000 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
Sweep 2.64 | 0 | 631 | 369 < 63.10% >
=----------------+--------+--------+---------+=========+-=
TbScan 6.22 | 0 | 129 | 871 < 12.90% >
=----------------+--------+--------+---------+=========+-=
VPCScan 2.94 | 0 | 0 | 1000 < 0.00% >
=----------------+--------+--------+---------+=========+-=
VirusScan 2.1.0| 0 | 0 | 1000 < 0.00% >
=----------------+--------+--------+---------+=========+-=
Note:
All "Queeg" replications detected by the Sweep have been
identificated as "Pathogen".
Trivia:SMEG.0.3
For the test I've infected 1000 files (1000 COM)
with "Trivia" replications.
Here the results (1000 replications):
| Antivirus |Rel. |Unrel. |Not | %Total |
| product |Identif.|Identif.|Detected |Detected |
=----------------+--------+--------+---------+=========+-=
AVP 2.00e | 0 | 1000 | 0 < 100.00% >
=----------------+--------+--------+---------+=========+-=
Findviru 6.6 | 0 | 0 | 1000 < 0.00% >
=----------------+--------+--------+---------+=========+-=
F-Prot 2.13a | 0 | 891 | 109 < 89.10% >
=----------------+--------+--------+---------+=========+-=
IBMAV 1.06 | 0 | 0 | 1000 < 0.00% >
=----------------+--------+--------+---------+=========+-=
I-Master 2.22a | 0 | 323 | 677 < 32.30% >
=----------------+--------+--------+---------+=========+-=
Sweep 2.64 | 0 | 0 | 1000 < 0.00% >
=----------------+--------+--------+---------+=========+-=
TbScan 6.22 | 0 | 771 | 229 < 77.10% >
=----------------+--------+--------+---------+=========+-=
VPCScan 2.94 | 0 | 0 | 1000 < 0.00% >
=----------------+--------+--------+---------+=========+-=
VirusScan 2.1.0| 0 | 0 | 1000 < 0.00% >
=----------------+--------+--------+---------+=========+-=
GLOBAL RESULTS SMEG viruses (3000 replications):
| Antivirus |%Detect.|%Detect.|%Detect. | %Total |
| product |Pathogen| Queeg | Trivia | SMEG |
=----------------+--------+--------+---------+========+--=
AVP 2.00e | 100.00%| 100.00%| 100.00% <100.00% >
=----------------+--------+--------+---------+========+--=
Findviru 6.6 | 100.00%| 100.00%| 0.00% < 66.67% >
=----------------+--------+--------+---------+========+--=
F-Prot 2.13a | 100.00%| 100.00%| 89.10% < 96.37% >
=----------------+--------+--------+---------+========+--=
IBMAV 1.06 | 100.00%| 100.00%| 0.00% < 66.67% >
=----------------+--------+--------+---------+========+--=
I-Master 2.22a | 100.00%| 100.00%| 32.30% < 77.43% >
=----------------+--------+--------+---------+========+--=
Sweep 2.64 | 100.00%| 63.10%| 0.00% < 54.37% >
=----------------+--------+--------+---------+========+--=
TbScan 6.22 | 39.30%| 12.90%| 77.10% < 43.10% >
=----------------+--------+--------+---------+========+--=
VPCScan 2.94 | 0.00%| 0.00%| 0.00% < 0.00% >
=----------------+--------+--------+---------+========+--=
VirusScan 2.1.0| 95.00%| 0.00%| 0.00% < 31.67% >
=----------------+--------+--------+---------+========+--=
LEGEND:
- Reliably identified: Detected with the correct name
(note: to be marked as "reliably identified" the scanner
must provide the "exact identification" of the virus.
An identification that provides the family name only
isn't exact enough)
- Unreliably identified: Detected with the wrong name, with the
heuristic/generic analyser, or like a "new" variant of the
virus
- Not detected: Not detected at all
- %Total Detected: The global detection rate (test set=100%)
Internet: luca.sambucci@ntgate.unisg.ch
FidoNet: Luca Sambucci 2:335/348.6