VIRUS TEST Nr. 002 -= SMEG Viruses =- Copyright (C) 1994 Luca Sambucci All rights reserved. Italian Computer Antivirus Research Organization The "Simulated Metamorphic Encryption Engine" is a new engine used to create polymorphic viruses, some of these viruses seem to be 'in the wild' in the United Kingdom. At the moment there are three versions of the engine (v0.1, v0.2 and v0.3). For this test I've used two viruses created with the 0.1 and 0.2 versions of the engine, the "Pathogen" and the "Queeg" viruses. The option used are the same used for the June 1994 edition of the General Antivirus Test, except for the "/CPL" option for the AVScan (this product now scans inside compressed files by default). For all other information (product/producer information, legal issues etc.) please refer to the June 1994 edition of the General Antivirus Test (always available at request or at our official distribution sites). The following products have been tested: Name Version Date (MM/DD/YY) Producer =-----------------------------------------------------------= AVScan 1.58 06/18/94 H+BEDV GmbH AV Toolkit Pro 2.00d 06/20/94 KAMI Ltd. F-Prot 2.12c 06/16/94 Frisk Soft. Int. Sweep 2.63Beta 06/06/94 Sophos Plc ThunderByte AV 6.20 05/06/94 ESaSS BV ViruScan 9.28V116 06/15/94 McAfee Inc. VirusScan 2.0.2 06/02/94 McAfee Inc. TEST RESULTS SMEG v0.1 (Pathogen) For the test I've infected 996 files (496 COM and 500 EXE) with "Pathogen" replications. Here the results (996 replications): | Antivirus |Rel. |Unrel. |Not | %Total | | product |Identif.|Identif.|Detected |Detected | =----------------+--------+--------+---------+=========+-= AVScan 1.58 | 996 | 0 | 0 < 100.00% > =----------------+--------+--------+---------+=========+-= AVP 2.00d | 983 | 8 | 5 < 99.50% > =----------------+--------+--------+---------+=========+-= F-Prot 2.12c | 996 | 0 | 0 < 100.00% > =----------------+--------+--------+---------+=========+-= Sweep 2.63Beta | 996 | 0 | 0 < 100.00% > =----------------+--------+--------+---------+=========+-= TbScan 6.20 | 368 | 6 | 622 < 38.72% > =----------------+--------+--------+---------+=========+-= ViruScan 116 | 0 | 0 | 996 < 0.00% > =----------------+--------+--------+---------+=========+-= VirusScan 2.0.2| 0 | 0 | 996 < 0.00% > =----------------+--------+--------+---------+=========+-= SMEG v0.2 (Queeg) For the test I've infected 995 files (496 COM and 499 EXE) with "Queeg" replications. Here the results (995 replications): | Antivirus |Rel. |Unrel. |Not | %Total | | product |Identif.|Identif.|Detected |Detected | =----------------+--------+--------+---------+=========+-= AVScan 1.58 | 991 | 0 | 4 < 99.60% > =----------------+--------+--------+---------+=========+-= AVP 2.00d | 985 | 4 | 6 < 99.40% > =----------------+--------+--------+---------+=========+-= F-Prot 2.12c | 991 | 0 | 4 < 99.60% > =----------------+--------+--------+---------+=========+-= Sweep 2.63Beta | 0 | 616 | 379 < 61.91% > =----------------+--------+--------+---------+=========+-= TbScan 6.20 | 120 | 1 | 874 < 12.16% > =----------------+--------+--------+---------+=========+-= ViruScan 116 | 0 | 0 | 995 < 0.00% > =----------------+--------+--------+---------+=========+-= VirusScan 2.0.2| 0 | 0 | 995 < 0.00% > =----------------+--------+--------+---------+=========+-= Note: All "Queeg" replications detected by the Sweep have been identificated as "Pathogen". GLOBAL RESULTS SMEG viruses (1991 replications): | Antivirus |%Detected | %Detected | %Total | | product | Pathogen | Queeg | SMEG | =----------------+----------+-----------+========+--= AVScan 1.58 | 100.00% | 99.60% < 99.80% > =----------------+----------+-----------+========+--= AVP 2.00d | 99.50% | 99.40% < 99.45% > =----------------+----------+-----------+========+--= F-Prot 2.12c | 100.00% | 99.60% < 99.80% > =----------------+----------+-----------+========+--= Sweep 2.63Beta | 100.00% | 61.91% < 81.00% > =----------------+----------+-----------+========+--= TbScan 6.20 | 38.72% | 12.16% < 25.44% > =----------------+----------+-----------+========+--= ViruScan 116 | 0.00% | 0.00% < 0.00% > =----------------+----------+-----------+========+--= VirusScan 2.0.2| 0.00% | 0.00% < 0.00% > =----------------+----------+-----------+========+--= LEGEND: Reliably identified: Detected with the correct name Unreliably identified: Detected with the wrong name or with the heuristic analyser Not detected: Not detected at all %Total Detected: The global detection rate (test set=100%) Internet: luca.sambucci@ntgate.unisg.ch FidoNet: Luca Sambucci 2:335/348.6