WILD_VIR.TXT (from virtst95.zip, os2 directory of the Cream of the Crop 11-2 CD-ROM; text file dated 1995-12-13)
This subreport presents how the 'In the Wild' test set was constructed.
Our previous analysis was used as a basis for the test set [Helenius 1994]. The
old test set included the following viruses, which antivirus researchers had
reported as found in the field.
FILE VIRUSES:
10_PAST_3.748, 5LO, A&A, AMBULANCE.A, AMOEBA, ANTHRAX, ARARA, ARUSIEK,
BARROTES.1310.A, BEAST.A, BETTER_WORLD.D.A, BOOTEXE.451, BUDO.A, BUDO.B,
BUTTERFLY.BUTTERFLY, CASCADE.1701.A, CASCADE.1704.A, CFSK, CHANGSHA.A, CHAOS.B,
CINDERELLA.A, CINDERELLA.B, CINDERELLA.C, CINDERELLA.II, COSSIGA.1361.A,
CPW.1527, CREW.1.A, CREW.1.B, CREW.1.C, CREW.2, DARK_AVENGER.1800.A,
DARK_AVENGER.2100.SI.A, DARK_AVENGER.FATHER, DARTH.3.A, DATALOCK.0828,
DATALOCK.0920.A, DBF.990, DEMOLITION, DESPERADO.A, DIAMOND.DIAMOND.1024.B,
DIR-II.A, DOS_HUNTER, DSME.TEACHER, EDDIE2.A, EKOTERROR, EMMIE.3097, FICHV.2_1,
FINNISH.357, FINNISH.709.A, FLIP.2153.A, FLIP.2343, FREDDY.2_1, FREELOVE,
FRODO.FRODO.A, GINGER, GREEN_CATERPILLAR.1575.A, GREEN_CATERPILLAR.1575.B,
GROWER, HELLOWEEN.1376.A, HITCHCOCK.1238, HI.460, HLLC.HALLEY, HLLC.SAUNA,
HLL.PASCAL.7808, HLL_C.EVENBEEP.LZ, HORSE.1576, IMMORTAL_RIOT.EXTASY,
IMMORTAL_RIOT.RAVAGE, INTERNAL.A, INVISIBEL.2926, INVOLUNTARY.A,
JAPANESE_XMAS.600.MERRY, JERUSALEM.1244, JERUSALEM.1808.BLANK.A,
JERUSALEM.1808.CT.A, JERUSALEM.1808.NULL.A, JERUSALEM.1808.STANDARD,
JERUSALEM.ANTICAD.4096.A, JERUSALEM.ANTICAD.4096.DANUBE,
JERUSALEM.ANTICAD.4096.MOZART, JERUSALEM.BARCELONA, JERUSALEM.CARFIELD,
JERUSALEM.FU_MANCHU.A, JERUSALEM.MOCTEZUMA, JERUSALEM.MUMMY.1_2,
JERUSALEM.PCVRSDS, JERUSALEM.SUNDAY.A, JERUSALEM.SUNDAY.II,
JERUSALEM.ZEROTIME.AUSTRALIAN.A, JIHUU.621, JIHUU.686, JSB, JUNKIE,
KAMPANA.3700, KEYPRESS.1232.A, KEYPRESS.1744, LAME, LAPSE.366, LIBERTY.A,
LIBERTY.B, LITTLE_BROTHER.307, LYCEUM.1788, MACGYVER.2083.B,
MAGNITOGORSK.2048.A, MALTESE_AMBOEBA, MIRROROPPER, MR_VIRUS,
MTE_0_90.COFFEE_SHOP, MTE_0_90.POGUE, MURPHY.SMACK.1841, MYSTIC, NATAS.A,
NECROPOL.A, NECROS, NICE.B, NOFRILLS.DUDLEY, NOFRILLS.NOFRILLS, NOMENKLATURA.A,
NOVEMBER_17TH.768.A, NOVEMBER_17TH.800, NOVEMBER_17TH.855.A, NPOX.0963.A,
NUMBER_1.FIIS, OLD_YANKEE.1, OLD_YANKEE.2, OMEGA, ONTARIO.1024, POWER_PUMP.1,
PREDATOR.2448, QUIT.A, QUIT.B, RELZFU, REST.1588, RIIHI, SATANBUG.A,
SCREAMING_FIST.696, SCREAMING_FIST.927, SILLYRC.302, SLEEP_WALKER, SPANZ,
STARDOT.789.A, STARDOT.801, STARSHIP, STNKFOOT.1, STUPID.1, SUOMI, SVC.1689.A,
SVC.2936, SVC.3103.A, SVC.3103.D, SWISS_PHOENIX, SYSLOCK.SYSLOCK.A, TEQUILA,
TREMOR, TRIVIAL.45.E, TROI.A, TROI_II, TROJECTOR.1463, TROJECTOR.1561, TV.1919,
V-1784, V2PX.V2P6.Z, VACSINA.PENZA, VACSINA.TP-5.A, VCL.CODE_ZERO,
VIENNA.0648.REBOOT, VIENNA.BETABOYS, VIENNA.VIOLATOR.1055, VIENNA.W13.507.A,
VIENNA.W13.507.B, VIENNA.W13.534.A, VMEM, VORONEZH.1600, WHALE, XPEH4.4928,
YAM.MATH.B, YANKEE.TP-39, YANKEE.TP-44.A, YANKEE.TP-44.WOBBLE.B, YEKE.1076,
ZERO_BUG.A, _825
BOOT SECTOR VIRUSES:
AIRCOP, ANTICMOS.A, ANTIEXE, BOOT-437, BOOTEXE.451, BRAIN.STANDARD,
DEN_ZUKO.1.A, DISK_KILLER, EXE_BUG.A, EXE_BUG.C, FILLER.B, FLAME, FORM.A,
FORM.D, FINNISH_SPRAYER, GALICIA, JERUSALM.ANTICAD.4096.MOZART, JOSHI.A,
JOSHI.B, JUMPER, KAMPANA.C, LZR, MISIS, MUSIC_BUG, NJH-LBC.A, PING-PONG.B,
PING-PONG.STANDARD.A, PRSCRBOO.A, PARITY_BOOT.A, PARITY_BOOT.B, QUOX, RIPPER,
STEALTH.B, STONED.16.A, STONED.AZUSA, STONED.BUNNY.A, STONED.DINAMO,
STONED.EMPIRE.IN_LOVE.A, STONED.EMPIRE.MONKEY.A, STONED.EMPIRE.MONKEY.B,
STONED.JUNE_4TH.A, STONED.MANITOBA, STONED.MICHELANGELO.A, STONED.NO_INT.A,
STONED.NOP, STONED.STANDARD.B, STONED.SWEDISH_DISASTER.STANDARD, STONED.V,
SWISS_BOOT, V-SIGN, W-BOOT
------------------------------------------------------------------------------
The old test set was sent to antivirus researchers for comment.
A cross-reference was included with the test set so that recipients could verify
the correct variants of the viruses. The following comments were received:
MESSAGE FROM MIKKO HYPPONEN (Data Fellows, F-PROT Professional)
Mikko Hypponen stated that since last summer they had found the following
viruses in the field. He also sent samples of these viruses.
Junkie.A, Freddy_Soft, AntiCMOS.A, B1, Kaos4.A, Tai-pan.438, Lao_Doung, PHX.965,
Goldbug, Trojector.1561, Fairz, Error_Vir, VLamiX, Swiss_Boot, Catholic, Bait,
School_Suck, Stoned.Dinamo, Michelangelo.L, AntiCMOS.B, Stoned.Angelina,
Tai-Pan.666, Zed, Backform.a, Natas.4744, Sampo, Mange-Tout.1099, Chinese_Fish,
Cantando, BootEXE.452, Lyceum.930, HLLC.Cumulus, Diskwasher, November_17th.768.C,
Form.C, Hemlock, Leandro, Misis, MacGyver.2803.B
------------------------------------------------------------------------------
MESSAGE FROM EUGENE KASPERSKY (Kami Group, AVP)
Second, I've received your letter about wild viruses. I do not collect such
info (sorry, no time). But these viruses are very wild in Russia:
Phantom1, both versions
DieHard2
OneHalf, (both?)
2UP
Nostardamus
3APA3A ('a' and 'b' strains)
CrazyBoot
------------------------------------------------------------------------------
Eugene also sent samples of Nostardamus, 2UP and Diehard2 viruses.
------------------------------------------------------------------------------
MESSAGE FROM JAKUB KAMINSKI (Cybec Pty. Ltd., VET)
Thanks for a copy of your proposed "in the wild" virus list. After checking it
I'd like to make a few comments:
- in the Boot Sector Viruses section I would add some that have been around
for a while, like Junkie, YMP, J&M, CrazyBoot, Mongolian, DiskWasher, and
some relatively new ones: Sampo, BUPT9146, Shin, OneHalf and DaBoys
- in the File Viruses section I would add some of the newest and most widely
spread: Doom.II.Death, Tai-Pan, KAOS4, Chill, Trakia, Vtech 4.0, Lemming,
DieHard, Vlamix
On the other hand, we haven't seen in the wild any of the high-level language
(HLL*) viruses apart from EvenBeeper.A
Please, contact me if you have any questions.
------------------------------------------------------------------------------
MESSAGE FROM LUCA SAMBUCCI (I.C.A.R.O.)
Here is the latest version of the internal "Wild-List" of ICARO:
Italy:
Arianna.3375
B1 (common)
Benito
BUPT.1261 (New variant, I believe)
CFSK
Cascade.1701.A (common)
Cascade.1701.Jojo.D
Dark_Avenger.1800.A
Datalock.920.A
Demolition
Dirty
Flip.2153.A
Flip.2343
Form.A
Green_Caterpillar.1575.A
Invisible.2926
Jerusalem.1244
Jerusalem.1808.Standard
Jerusalem.1808.Umsdos
Junkie (common)
Mr_Virus
November_17th.768.A
November_17th.800.A
November_17th.855.A (common)
One_Half.3544
Ping_Pong.Standard.A
Polifemo
Ripper
RPS2
Stardot.600
Stardot.789.A
Stoned.Standard.A
Stoned.Standard.OW.A
Stoned.Standard.OW.B
Stoned.Standard.OW.C
Tequila
Thule
V-Sign (common)
Yankee_Doodle.TP-41
Yankee_Doodle.TP-44
Yankee_Doodle.Wobble.B
Yeke.1204 (common)
Switzerland:
Form.A
B1
I don't remember every single case. The Switzerland reports were
from cases where students of my university were involved (note:
the university was *not* infected, only the private computers of these
students).
------------------------------------------------------------------------------
MESSAGE FROM PETER HUBINSKY
Peter Hubinsky stated that these viruses were definitely in the wild in
Slovakia and the Czech Republic. He also sent samples of these viruses.
One_Half.3544 (and rarely also One_Half.3577)
Explosion
J&M (aka Jimi, Hasita)
Helloween.1384 and also Helloween.1684 (aka Volkov)
------------------------------------------------------------------------------
MESSAGE FROM DMITRY GRYAZNOV (S&S International)
Dmitry Gryaznov sent their own list of viruses found in the wild in March,
based on their technical support calls.
Virus name          # of incidents
AntiCmos             3
Angelina             1
AntiExe/D3          13
Barrotes             1
Cascade              1
Crazyboot            1
Empire Monkey       17
EvenBeep             3
Exebug               3
Floss (= W-BOOT)     1
Form                15
Jerusalem            2
Jumper               1
Junki                1
Maltese Amoeba       1
Mange Tout           1
Michelangelo         9
NYB                  2
Natas                1
Nops                 2
Parity Boot         10
Sampo                3
Scream               1
She Has              2
SillyBop             1
StoneHenge           2
Telefonica           4
V-Sign               3
Vacsina              1
WBoot                1
------------------------------------------------------------------------------
After the messages were received, Joe Wells' list [Joe Wells] and the comments
received were reviewed and the results were combined. The test bed then included
the following viruses:
10_PAST_3.748, 5LO, A&A, AMBULANCE.A, AMOEBA.1392, ANTHRAX, ARARA.1038,
ARUSIEK, AVISPA.D, BACKFORM.1865.A, BAIT.425, BARROTES.1310.A, BEAST.A,
BEAST.E, BETTER_WORLD.A, BOOTEXE.451, BOOTEXE.452, BUDO.A, BUDO.B, BUPT.1261,
BUTTERFLY.BUTTERFLY, CANTANDO, CASCADE.1701.A, CASCADE.1701.G, CASCADE.1704.A,
CASCADE.1704.D, CATHOLIC.1129, CFSK, CHANGSHA.A, CHAOS.1181.B, CHILL.544,
CINDERELLA.A, CINDERELLA.B, CINDERELLA.C, CINDERELLA.II, COSSIGA.1361.A,
CPW.1527, CREW.1967, CREW.2480.A, CREW.2480.B, CREW.2480.C, CYBERCIDE.1307,
CZECH_HAPPY, DARK_AVENGER.1800.A, DARK_AVENGER.2100.SI.A, DARK_AVENGER.FATHER,
DARTH_VADER.255.B, DATALOCK.0828, DATALOCK.0920.A, DBF.990, DEMOLITION,
DESPERADO.A, DIAMOND.DIAMOND.1024.B, DIE_HARD, DIR_II.A, DOSHUNTER,
DSME.TEACHER, EDDIE-2.A, EKOTERROR, EMMIE.3097, ERROR.1231, EXPOLSION.I,
FICHV.903, FINNISH.357, FINNISH.709.A, FKREUGER, FLIP.2153.A, FLIP.2343,
FREDDY_SOFT, FRODO.FRODO.A, GINGER, GOLD_BUG.A, GREEN_CATERPILLAR.1575.A,
GREEN_CATERPILLAR.1575.B, GROWER, HELLOWEEN.1376.A, HELLOWEEN.1384,
HELLOWEEN.1684, HIDENOWT, HITCHCOCK.1238, HI.460, HLLC.CUMULUS,
HLLC.EVENBEEPER.B, HLLC.EVENBEEPER.LZ, HLLC.HALLEY, HLLC.SAUNA, HLLO.7808,
HORSE.1576, IMMORTAL_RIOT.EXTASY, IMMORTAL_RIOT.RAVAGE, INTERNAL.A,
INVISIBLE.2926, INVOLUNTARY.A, JAPANESE_XMAS.600.A, JERUSALEM.1244,
JERUSALEM.1808.BLANK.A, JERUSALEM.1808.CRITICAL, JERUSALEM.1808.CT.A,
JERUSALEM.1808.NULL.A, JERUSALEM.1808.STANDARD, JERUSALEM.ANTICAD.4096.A,
JERUSALEM.ANTICAD.4096.DANUBE, JERUSALEM.ANTICAD.4096.MOZART,
JERUSALEM.BARCELONA, JERUSALEM.CARFIELD, JERUSALEM.FUMANCHU.A,
JERUSALEM.MOCTEZUMA, JERUSALEM.MUMMY.2_1.A, JERUSALEM.PCVRSDS,
JERUSALEM.SUNDAY.A, JERUSALEM.SUNDAY.II, JERUSALEM.ZEROTIME.AUSTRAL.A,
JIHUU.621, JIHUU.686, JSB, JUNKIE.A, KAMPANA.3700, KAOS4.A, KEYPRESS.1232.A,
KEYPRESS.1744, KHOBAR, KLEPAVKA, KMIT, LAME, LAPSE.366, LEMMING.2144,
LIBERTY.2857.A, LIBERTY.2867, LITTLE_BROTHER.307, LOUNY.794, LUCA, LYCEUM.1788,
MACGYVER.2803.A, MACGYVER.2803.B, MAGNITOGORSK.2048.A, MALTESE_AMOEBA,
MANGE_TOUT.1099, MIRROROPPER, MR_VIRUS, MTE_0_90.COFFEE_SHOP, MTE_0_90.POGUE,
MURPHY.SMACK.B, MYSTIC, NECROPOL.A, NECROS, NICE.B, NOFRILLS.DUDLEY,
NOFRILLS.NOFRILLS, NOMENKLATURA.A, NOSTARDA.2247, NOVEMBER_17TH.768.A,
NOVEMBER_17TH.768.C, NOVEMBER_17TH.800.A, NOVEMBER_17TH.855.A, NPOX.0963.A,
NUMBER_1.FIIS, OLD_YANKEE.1.A, OLD_YANKEE.2, OMEGA, ONE_HALF.3544,
ONTARIO.1024, PINWORM, POWERPUMP.1, PREDATOR.2448, PUX.965, QUIT.A, QUIT.B,
RAPTOR.A, RAPTOR.B, RAPTOR.C, RAPTOR.D, RED_BOOK, RELZFU, REST.1588, RIIHI,
SATAN_BUG.A, SATAN_BUG.NATAS.4744, SCHOOL_SUCKER, SCREAMING_FIST.II.696,
SCREAMING_FIST.NU-WAY.927, SHINE.620, SIBYLLE, SILLYRC.302, SINGAPORE.521,
SLEEP_WALKER, SPANZ, STARDOT.600, STARDOT.789.A, STARDOT.801, STARSHIP,
STINKFOOT.1, STUPID.583.A, SUOMI, SVC.1689.A, SVC.2936, SVC.3103.A, SVC.3103.C,
SWISS_PHOENIX, SYBILLE.1200, SYSLOCK.SYSLOCK.A, TAI-PAN.438, TAI-PAN.666,
TEQUILA, TERMINATOR.3291, THREE_TUNES.A, TRAKIA.665, TREMOR.A, TRIVIAL.45.E,
TROI.A, TROI_II.A, TROJECTOR.1463, TROJECTOR.1561, V2PX.V2P6.Z, VACSINA.PENZA,
VACSINA.TP-05.A, VACSINA.TP-16.STANDARD, VCL.CODEZERO.652, VIC.793,
VIENNA.648.REBOOT.A, VIENNA.BETABOYS, VIENNA.VIOLATOR.1055, VIENNA.W13.507.A,
VIENNA.W13.507.B, VIENNA.W13.534.A, VLAMIX, VORONEZH.1600.A, VS_II.1919,
YAM.MATH.B, YANKEE.TP-39, YANKEE.TP-44.A, YANKEE.TP-44.WOBBLE.B,
YANKEE.XPEH.4928, YEKE.1076, YEKE.1204, ZED, ZERO_BUG.A, _1317, _439, _825
------------------------------------------------------------------------------
Then I realized that it is possible to give misleading information about
viruses found in the field. Thus producers were requested to review the
'in the wild' test set again, and the following comments were received:
MESSAGE FROM MIKKO HYPPONEN (Data Fellows, F-PROT Professional)
Mikko Hypponen stated that at least Zed, V2P6, Starship, School,
Number_1.fiis and Ekoterror were not in the wild, although there had been
single incidents of these viruses a long time ago.
ZED and School viruses had previously been stated as being in the wild by
Data Fellows. It is unfortunate that I had received misleading information
previously, and I truly hope this kind of situation can be avoided in the
future.
------------------------------------------------------------------------------
MESSAGE FROM DMITRY GRYAZNOV (S&S International):
Having looked at the viruses in your "in the wild" test set, I did find
some I don't believe to be in the wild. Viruses like SillyC, SillyRC,
Voronezh, W13, Vacsina, most of Vienna's are not really in the wild. A
single or two-three reports should not count, especially if they refer
to a particular geographical location. You could have used a really
comprehensive list of viruses in the wild as compiled by Joe Wells.
His list is based on reports from dozens of AV people all over the world.
------------------------------------------------------------------------------
MESSAGE FROM JIMMY KUO (McAfee Association)
I have attached the names of the viruses that I am unfamiliar with as
being "in the wild". I cross-referenced some as being only reported
as "in the wild" by one person, among them, people you had disclosed
to me as having contributed them to you.
Yes, relying on one person to say "this is in the wild" is not a good
thing to do in an objective test. It is for this reason that Joe
Wells' wildlist is separated into two parts. One where AV specialists
have confirmed each other. And one where they have not.
This reasoning is to combat the scenario where it is unknown whether
the person submitting the information to the AV researcher might 1) be
lying about the origin of the infection or 2) have been the first and only
infection.
I would suggest that you rely on something like Joe's In The Wild list
as your basis for "In the Wild" tests. If you wish to amend that list
by including things for which you have personal information, be my
guest, but that will only draw fire.
For similar reasons, NCSA and VB have started to base more and more of
their tests on Joe's list.
------------------------------------------------------------------------------
After reviewing the messages, the following message was sent to producers.
A complete cross-reference was attached to the message so that recipients
had a chance to verify the correct variants of the viruses.
Dear Receiver,
The following viruses were suggested as NOT being in the wild.
If you have opposite evidence, please let me know.
Please reply before the weekend, or at least let me know
if you intend to reply after this limit.
Suggested by Jimmy Kuo, McAfee Association (McAfee Scan):
A&A, AMBULANC.A, ANTHRAX, BETRWRLD.A, BUDO.A, BUDO.B, CANTANDO, CATHOLIC.1129,
CINDERELLA.C, CINDERELLA.II, CREW.1967, CREW.2480.A, CYBERCID.1307, CZECH_HAPPY,
DBF.990, EKOTERROR, ERROR.1231, HLLC.CUMULUS, HLLC.SAUNA, JSB, KLEPAVKA, KMIT,
LAME, LAPSE.366, LOUNY.794, LUCA, MIRROROP, NICE.B, NOSTARDA.2247, OMEGA,
REST.1588, SCHOOL_SUCK, SHINE.620, SINGAPORE.521, SPANZ, VIC.793, ZED
Suggested by Mikko Hypponen, Data Fellows (F-PROT):
ZED, V2PX.V2P6.Z, STARSHIP, SCHOOL_SUCK, NUMBER_1.FIIS, EKOTERROR
Suggested by Dmitry Gryaznov, S&S International (Dr.Solomon's Antivirus Toolkit):
VORONEZH.1600.A, VIENNA.W13.507.A, VIENNA.W13.507.B, VIENNA.W13.534.A,
VACSINA.PENZA, V2PX.V2P6.Z, VIENNA.BETABOYS, VIENNA.VIOLATOR.1055,
VIENNA.W13.507.A, VIENNA.W13.507.B, VIENNA.W13.534.A
------------------------------------------------------------------------------
After this, Pavel Baudis reported the following viruses as being in the wild:
Czech-Happy         6 cases
Yog-Sothoth-794-A   2 cases
Yog-Sothoth-794-B   3 cases
Singapore-521      14 cases
Klepavka            1 case, but at a very large site
There were also two independent observations of the following viruses,
and thus these were not excluded from the test set.
VORONEZH.1600.A: [Joe Wells' list], [Marko Helenius]
ERROR.1231: [Mikko Hypponen], [Kim Metso]
All other viruses were excluded from the test bed and the final test set was
established. The final test set is presented in the file WILD.TAB. There
were also other messages concerning viruses found in the field. These did not
directly concern the test set itself, but the discussion showed
some important aspects of constructing the 'in the wild' test set.
The main point of the discussion was that there should be at least two
independent observations of each virus, and single incidents should not
be included.
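The selection rule the report arrives at (and the two-tier split Jimmy Kuo describes for Joe Wells' list, confirmed entries versus single-reporter entries) can be applied mechanically once reporters' lists are cross-referenced. The following Python is an added illustration, not code from the original report: the REPORTS and ALIASES tables are constructed for this example from names that appear above and are not the reporters' actual lists, and the functions canonical() and select_test_set() are this example's own. It also shows why the cross-reference mattered: a family name without a variant ("Tai-Pan", "Form") does not match a variant name and so cannot count as a confirmation until it is resolved.

```python
"""Selecting an 'in the wild' test set by counting independent observations.

Added illustration (not part of the original report). It applies the rule the
report arrives at: a virus enters the test set only if at least two independent
reporters list it, and one reporter's entries count once no matter how many
times a name repeats. The REPORTS and ALIASES tables are CONSTRUCTED for this
example from names that appear in the report; they are not the real lists.
"""
import re
from collections import defaultdict

# Constructed sample input: reporter -> virus names as that reporter wrote them.
REPORTS = {
    "Marko Helenius (old set)": ["VORONEZH.1600.A", "W-BOOT", "ZED", "FORM.A"],
    "Joe Wells' list":          ["Voronezh 1600.A", "Form.A"],
    "Mikko Hypponen":           ["ERROR.1231", "Tai-pan.438"],
    "Kim Metso":                ["ERROR.1231", "ERROR.1231"],  # duplicate on purpose
    "Dmitry Gryaznov":          ["Floss", "WBoot", "Form"],
    "Jakub Kaminski":           ["Tai-Pan"],                   # family name, no variant
}

# Constructed alias table (the report itself notes 'Floss 1 =W-BOOT'): maps the
# canonical spelling of an alias to the canonical spelling of the preferred name.
ALIASES = {
    "FLOSS": "W.BOOT",
    "WBOOT": "W.BOOT",
}

# Any run of the separators reporters use (space, dot, underscore, dash) is
# treated as one separator, so 'Czech-Happy' and 'CZECH_HAPPY' compare equal.
SEPARATORS = re.compile(r"[ ._\-]+")


def canonical(name: str) -> str:
    """Normalise a virus name so spelling variants from different reporters agree."""
    key = SEPARATORS.sub(".", name.strip().upper()).strip(".")
    return ALIASES.get(key, key)


def independent_observations(reports: dict) -> dict:
    """Map each canonical name to the sorted list of distinct reporters listing it.

    A set per name means a reporter who lists the same virus twice, or under
    two aliases, still counts as a single observation.
    """
    seen = defaultdict(set)
    for reporter, names in reports.items():
        for name in names:
            seen[canonical(name)].add(reporter)
    return {name: sorted(reporters) for name, reporters in seen.items()}


def select_test_set(reports: dict, min_sources: int = 2):
    """Split observations into (included, rejected) by the reporter threshold.

    Both halves keep their reporter lists: that provenance is what a producer
    needs when asked to confirm or dispute an entry, as happened in the report.
    """
    observations = independent_observations(reports)
    included = {n: r for n, r in observations.items() if len(r) >= min_sources}
    rejected = {n: r for n, r in observations.items() if len(r) < min_sources}
    return included, rejected


if __name__ == "__main__":
    included, rejected = select_test_set(REPORTS)
    print("INCLUDED (>= 2 independent reporters):")
    for name, reporters in sorted(included.items()):
        print(f"  {name:<18} {', '.join(reporters)}")
    print("REJECTED (single reporter; needs confirmation or cross-reference):")
    for name, reporters in sorted(rejected.items()):
        print(f"  {name:<18} {', '.join(reporters)}")
```

With the constructed input, VORONEZH.1600.A, FORM.A, ERROR.1231 and W.BOOT (reached through the Floss/WBoot aliases) are included, while ZED, the variant-less "Tai-Pan" and "Form", and the single-reporter TAI.PAN.438 are rejected; raising min_sources to 3 empties the included set, which is the stricter "confirmed by each other" tier Kuo describes.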