This subreport presents how the 'In the Wild' test set was constructed. Our previous analysis was used as the basis for the test set [Helenius 1994]. The old test set included the following viruses, which antivirus researchers had found in the field.

FILE VIRUSES:
10_PAST_3.748, 5LO, A&A, AMBULANCE.A, AMOEBA, ANTHRAX, ARARA, ARUSIEK, BARROTES.1310.A, BEAST.A, BETTER_WORLD.D.A, BOOTEXE.451, BUDO.A, BUDO.B, BUTTERFLY.BUTTERFLY, CASCADE.1701.A, CASCADE.1704.A, CFSK, CHANGSHA.A, CHAOS.B, CINDERELLA.A, CINDERELLA.B, CINDERELLA.C, CINDERELLA.II, COSSIGA.1361.A, CPW.1527, CREW.1.A, CREW.1.B, CREW.1.C, CREW.2, DARK_AVENGER.1800.A, DARK_AVENGER.2100.SI.A, DARK_AVENGER.FATHER, DARTH.3.A, DATALOCK.0828, DATALOCK.0920.A, DBF.990, DEMOLITION, DESPERADO.A, DIAMOND.DIAMOND.1024.B, DIR-II.A, DOS_HUNTER, DSME.TEACHER, EDDIE2.A, EKOTERROR, EMMIE.3097, FICHV.2_1, FINNISH.357, FINNISH.709.A, FLIP.2153.A, FLIP.2343, FREDDY.2_1, FREELOVE, FRODO.FRODO.A, GINGER, GREEN_CATERPILLAR.1575.A, GREEN_CATERPILLAR.1575.B, GROWER, HELLOWEEN.1376.A, HITCHCOCK.1238, HI.460, HLLC.HALLEY, HLLC.SAUNA, HLL.PASCAL.7808, HLL_C.EVENBEEP.LZ, HORSE.1576, IMMORTAL_RIOT.EXTASY, IMMORTAL_RIOT.RAVAGE, INTERNAL.A, INVISIBEL.2926, INVOLUNTARY.A, JAPANESE_XMAS.600.MERRY, JERUSALEM.1244, JERUSALEM.1808.BLANK.A, JERUSALEM.1808.CT.A, JERUSALEM.1808.NULL.A, JERUSALEM.1808.STANDARD, JERUSALEM.ANTICAD.4096.A, JERUSALEM.ANTICAD.4096.DANUBE, JERUSALEM.ANTICAD.4096.MOZART, JERUSALEM.BARCELONA, JERUSALEM.CARFIELD, JERUSALEM.FU_MANCHU.A, JERUSALEM.MOCTEZUMA, JERUSALEM.MUMMY.1_2, JERUSALEM.PCVRSDS, JERUSALEM.SUNDAY.A, JERUSALEM.SUNDAY.II, JERUSALEM.ZEROTIME.AUSTRALIAN.A, JIHUU.621, JIHUU.686, JSB, JUNKIE, KAMPANA.3700, KEYPRESS.1232.A, KEYPRESS.1744, LAME, LAPSE.366, LIBERTY.A, LIBERTY.B, LITTLE_BROTHER.307, LYCEUM.1788, MACGYVER.2083.B, MAGNITOGORSK.2048.A, MALTESE_AMBOEBA, MIRROROPPER, MR_VIRUS, MTE_0_90.COFFEE_SHOP, MTE_0_90.POGUE, MURPHY.SMACK.1841, MYSTIC, NATAS.A, NECROPOL.A, NECROS, NICE.B, NOFRILLS.DUDLEY,
NOFRILLS.NOFRILLS, NOMENKLATURA.A, NOVEMBER_17TH.768.A, NOVEMBER_17TH.800, NOVEMBER_17TH.855.A, NPOX.0963.A, NUMBER_1.FIIS, OLD_YANKEE.1, OLD_YANKEE.2, OMEGA, ONTARIO.1024, POWER_PUMP.1, PREDATOR.2448, QUIT.A, QUIT.B, RELZFU, REST.1588, RIIHI, SATANBUG.A, SCREAMING_FIST.696, SCREAMING_FIST.927, SILLYRC.302, SLEEP_WALKER, SPANZ, STARDOT.789.A, STARDOT.801, STARSHIP, STNKFOOT.1, STUPID.1, SUOMI, SVC.1689.A, SVC.2936, SVC.3103.A, SVC.3103.D, SWISS_PHOENIX, SYSLOCK.SYSLOCK.A, TEQUILA, TREMOR, TRIVIAL.45.E, TROI.A, TROI_II, TROJECTOR.1463, TROJECTOR.1561, TV.1919, V-1784, V2PX.V2P6.Z, VACSINA.PENZA, VACSINA.TP-5.A, VCL.CODE_ZERO, VIENNA.0648.REBOOT, VIENNA.BETABOYS, VIENNA.VIOLATOR.1055, VIENNA.W13.507.A, VIENNA.W13.507.B, VIENNA.W13.534.A, VMEM, VORONEZH.1600, WHALE, XPEH4.4928, YAM.MATH.B, YANKEE.TP-39, YANKEE.TP-44.A, YANKEE.TP-44.WOBBLE.B, YEKE.1076, ZERO_BUG.A, _825

BOOT SECTOR VIRUSES:
AIRCOP, ANTICMOS.A, ANTIEXE, BOOT-437, BOOTEXE.451, BRAIN.STANDARD, DEN_ZUKO.1.A, DISK_KILLER, EXE_BUG.A, EXE_BUG.C, FILLER.B, FLAME, FORM.A, FORM.D, FINNISH_SPRAYER, GALICIA, JERUSALM.ANTICAD.4096.MOZART, JOSHI.A, JOSHI.B, JUMPER, KAMPANA.C, LZR, MISIS, MUSIC_BUG, NJH-LBC.A, PING-PONG.B, PING-PONG.STANDARD.A, PRSCRBOO.A, PARITY_BOOT.A, PARITY_BOOT.B, QUOX, RIPPER, STEALTH.B, STONED.16.A, STONED.AZUSA, STONED.BUNNY.A, STONED.DINAMO, STONED.EMPIRE.IN_LOVE.A, STONED.EMPIRE.MONKEY.A, STONED.EMPIRE.MONKEY.B, STONED.JUNE_4TH.A, STONED.MANITOBA, STONED.MICHELANGELO.A, STONED.NO_INT.A, STONED.NOP, STONED.STANDARD.B, STONED.SWEDISH_DISASTER.STANDARD, STONED.V, SWISS_BOOT, V-SIGN, W-BOOT

------------------------------------------------------------------------------

The old test set was sent to antivirus researchers for comment. The test set was accompanied by a cross-reference so that the recipients could verify the correct variants of the viruses.
The following comments were received:

MESSAGE FROM MIKKO HYPPONEN (Data Fellows, F-PROT Professional)

Mikko Hypponen stated that since last summer they had found the following viruses in the field. He also sent samples of these viruses.

Junkie.A, Freddy_Soft, AntiCMOS.A, B1, Kaos4.A, Tai-pan.438, Lao_Doung, PHX.965, Goldbug, Trojector.1561, Fairz, Error_Vir, VLamiX, Swiss_Boot, Catholic, Bait, School_Suck, Stoned.Dinamo, Michelangelo.L, AntiCMOS.B, Stoned.Angelina, Tai-Pan.666, Zed, Backform.a, Natas.4744, Sampo, Mange-Tout.1099, Chinese_Fish, Cantando, BootEXE.452, Lyceum.930, HLLC.Cumulus, Diskwasher, November_17th.768.C, Form.C, Hemlock, Leandro, Misis, MacGyver.2803.B

------------------------------------------------------------------------------

MESSAGE FROM EUGENE KASPERSKY (Kami Group, AVP)

Second, I've received your letter about wild viruses. I do not collect such info (sorry, no time). But there are the viruses very wild in Russia:

Phantom1, both versions
DieHard2
OneHalf, (both?)
2UP
Nostardamus
3APA3A ('a' and 'b' strains)
CrazyBoot

------------------------------------------------------------------------------

Eugene also sent samples of the Nostardamus, 2UP and DieHard2 viruses.

------------------------------------------------------------------------------

MESSAGE FROM JAKUB KAMINSKI (Cybec Pty. Ltd., VET)

Thanks for a copy of your proposed "in the wild" virus list. After checking it I'd like to make a few comments:

- in the Boot Sector Viruses section I would add some that have been around for a while, like: Junkie, YMP, J&M, CrazyBoot, Mongolian, DiskWasher, and some relatively new: Sampo, BUPT9146, Shin, OneHalf and DaBoys

- in the File Viruses section I would add some of the newest and widely spread: Doom.II.Death, Tai-Pan, KAOS4, Chill, Trakia, Vtech 4.0, Lemming, DieHard, Vlamix

On the other hand, we haven't seen in the wild any of the high level language (HLL*) viruses apart from EvenBeeper.A.

Please contact me if you have any questions.
------------------------------------------------------------------------------

MESSAGE FROM LUCA SAMBUCCI (I.C.A.R.O.)

Here is the latest version of the internal "Wild-List" of the ICARO:

Italy:
Arianna.3375
B1 (common)
Benito
BUPT.1261 (new variant, I believe)
CFSK
Cascade.1701.A (common)
Cascade.1701.Jojo.D
Dark_Avenger.1800.A
Datalock.920.A
Demolition
Dirty
Flip.2153.A
Flip.2343
Form.A
Green_Caterpillar.1575.A
Invisible.2926
Jerusalem.1244
Jerusalem.1808.Standard
Jerusalem.1808.Umsdos
Junkie (common)
Mr_Virus
November_17th.768.A
November_17th.800.A
November_17th.855.A (common)
One_Half.3544
Ping_Pong.Standard.A
Polifemo
Ripper
RPS2
Stardot.600
Stardot.789.A
Stoned.Standard.A
Stoned.Standard.OW.A
Stoned.Standard.OW.B
Stoned.Standard.OW.C
Tequila
Thule
V-Sign (common)
Yankee_Doodle.TP-41
Yankee_Doodle.TP-44
Yankee_Doodle.Wobble.B
Yeke.1204 (common)

Switzerland:
Form.A
B1

I don't remember every single case. The Switzerland reports were from cases where students of my university were involved (notice: the university was *not* infected, only the private computers of these students).

------------------------------------------------------------------------------

MESSAGE FROM PETER HUBINSKY

Peter Hubinsky stated that these viruses are definitely in the wild in Slovakia and the Czech Republic. He also sent samples of these viruses.

One_Half.3544 (and rarely also One_Half.3577)
Explosion
J&M (aka Jimi, Hasita)
Helloween.1384 and also Helloween.1684 (aka Volkov)

------------------------------------------------------------------------------

MESSAGE FROM DMITRY GRYAZNOV (S&S International)

Dmitry Gryaznov sent S&S International's own list of viruses found in the wild in March, based on their technical support calls.
Virus name        # of incidents
AntiCmos           3
Angelina           1
AntiExe/D3        13
Barrotes           1
Cascade            1
Crazyboot          1
Empire Monkey     17
EvenBeep           3
Exebug             3
Floss              1   (=W-BOOT)
Form              15
Jerusalem          2
Jumper             1
Junki              1
Maltese Amoeba     1
Mange Tout         1
Michelangelo       9
NYB                2
Natas              1
Nops               2
Parity Boot       10
Sampo              3
Scream             1
She Has            2
SillyBop           1
StoneHenge         2
Telefonica         4
V-Sign             3
Vacsina            1
WBoot              1

------------------------------------------------------------------------------

After receiving the messages, Joe Wells' list [Joe Wells] and the received comments were reviewed and the results were combined. The test bed included the following viruses:

10_PAST_3.748, 5LO, A&A, AMBULANCE.A, AMOEBA.1392, ANTHRAX, ARARA.1038, ARUSIEK, AVISPA.D, BACKFORM.1865.A, BAIT.425, BARROTES.1310.A, BEAST.A, BEAST.E, BETTER_WORLD.A, BOOTEXE.451, BOOTEXE.452, BUDO.A, BUDO.B, BUPT.1261, BUTTERFLY.BUTTERFLY, CANTANDO, CASCADE.1701.A, CASCADE.1701.G, CASCADE.1704.A, CASCADE.1704.D, CATHOLIC.1129, CFSK, CHANGSHA.A, CHAOS.1181.B, CHILL.544, CINDERELLA.A, CINDERELLA.B, CINDERELLA.C, CINDERELLA.II, COSSIGA.1361.A, CPW.1527, CREW.1967, CREW.2480.A, CREW.2480.B, CREW.2480.C, CYBERCIDE.1307, CZECH_HAPPY, DARK_AVENGER.1800.A, DARK_AVENGER.2100.SI.A, DARK_AVENGER.FATHER, DARTH_VADER.255.B, DATALOCK.0828, DATALOCK.0920.A, DBF.990, DEMOLITION, DESPERADO.A, DIAMOND.DIAMOND.1024.B, DIE_HARD, DIR_II.A, DOSHUNTER, DSME.TEACHER, EDDIE-2.A, EKOTERROR, EMMIE.3097, ERROR.1231, EXPOLSION.I, FICHV.903, FINNISH.357, FINNISH.709.A, FKREUGER, FLIP.2153.A, FLIP.2343, FREDDY_SOFT, FRODO.FRODO.A, GINGER, GOLD_BUG.A, GREEN_CATERPILLAR.1575.A, GREEN_CATERPILLAR.1575.B, GROWER, HELLOWEEN.1376.A, HELLOWEEN.1384, HELLOWEEN.1684, HIDENOWT, HITCHCOCK.1238, HI.460, HLLC.CUMULUS, HLLC.EVENBEEPER.B, HLLC.EVENBEEPER.LZ, HLLC.HALLEY, HLLC.SAUNA, HLLO.7808, HORSE.1576, IMMORTAL_RIOT.EXTASY, IMMORTAL_RIOT.RAVAGE, INTERNAL.A, INVISIBLE.2926, INVOLUNTARY.A, JAPANESE_XMAS.600.A, JERUSALEM.1244, JERUSALEM.1808.BLANK.A, JERUSALEM.1808.CRITICAL, JERUSALEM.1808.CT.A, JERUSALEM.1808.NULL.A,
JERUSALEM.1808.STANDARD, JERUSALEM.ANTICAD.4096.A, JERUSALEM.ANTICAD.4096.DANUBE, JERUSALEM.ANTICAD.4096.MOZART, JERUSALEM.BARCELONA, JERUSALEM.CARFIELD, JERUSALEM.FUMANCHU.A, JERUSALEM.MOCTEZUMA, JERUSALEM.MUMMY.2_1.A, JERUSALEM.PCVRSDS, JERUSALEM.SUNDAY.A, JERUSALEM.SUNDAY.II, JERUSALEM.ZEROTIME.AUSTRAL.A, JIHUU.621, JIHUU.686, JSB, JUNKIE.A, KAMPANA.3700, KAOS4.A, KEYPRESS.1232.A, KEYPRESS.1744, KHOBAR, KLEPAVKA, KMIT, LAME, LAPSE.366, LEMMING.2144, LIBERTY.2857.A, LIBERTY.2867, LITTLE_BROTHER.307, LOUNY.794, LUCA, LYCEUM.1788, MACGYVER.2803.A, MACGYVER.2803.B, MAGNITOGORSK.2048.A, MALTESE_AMOEBA, MANGE_TOUT.1099, MIRROROPPER, MR_VIRUS, MTE_0_90.COFFEE_SHOP, MTE_0_90.POGUE, MURPHY.SMACK.B, MYSTIC, NECROPOL.A, NECROS, NICE.B, NOFRILLS.DUDLEY, NOFRILLS.NOFRILLS, NOMENKLATURA.A, NOSTARDA.2247, NOVEMBER_17TH.768.A, NOVEMBER_17TH.768.C, NOVEMBER_17TH.800.A, NOVEMBER_17TH.855.A, NPOX.0963.A, NUMBER_1.FIIS, OLD_YANKEE.1.A, OLD_YANKEE.2, OMEGA, ONE_HALF.3544, ONTARIO.1024, PINWORM, POWERPUMP.1, PREDATOR.2448, PUX.965, QUIT.A, QUIT.B, RAPTOR.A, RAPTOR.B, RAPTOR.C, RAPTOR.D, RED_BOOK, RELZFU, REST.1588, RIIHI, SATAN_BUG.A, SATAN_BUG.NATAS.4744, SCHOOL_SUCKER, SCREAMING_FIST.II.696, SCREAMING_FIST.NU-WAY.927, SHINE.620, SIBYLLE, SILLYRC.302, SINGAPORE.521, SLEEP_WALKER, SPANZ, STARDOT.600, STARDOT.789.A, STARDOT.801, STARSHIP, STINKFOOT.1, STUPID.583.A, SUOMI, SVC.1689.A, SVC.2936, SVC.3103.A, SVC.3103.C, SWISS_PHOENIX, SYBILLE.1200, SYSLOCK.SYSLOCK.A, TAI-PAN.438, TAI-PAN.666, TEQUILA, TERMINATOR.3291, THREE_TUNES.A, TRAKIA.665, TREMOR.A, TRIVIAL.45.E, TROI.A, TROI_II.A, TROJECTOR.1463, TROJECTOR.1561, V2PX.V2P6.Z, VACSINA.PENZA, VACSINA.TP-05.A, VACSINA.TP-16.STANDARD, VCL.CODEZERO.652, VIC.793, VIENNA.648.REBOOT.A, VIENNA.BETABOYS, VIENNA.VIOLATOR.1055, VIENNA.W13.507.A, VIENNA.W13.507.B, VIENNA.W13.534.A, VLAMIX, VORONEZH.1600.A, VS_II.1919, YAM.MATH.B, YANKEE.TP-39, YANKEE.TP-44.A, YANKEE.TP-44.WOBBLE.B, YANKEE.XPEH.4928, YEKE.1076, YEKE.1204, ZED, ZERO_BUG.A, _1317, 
_439, _825

------------------------------------------------------------------------------

Then I realized that misleading information can be given about viruses found in the field. Thus the producers were requested to review the 'in the wild' test set again, and the following comments were received:

MESSAGE FROM MIKKO HYPPONEN (Data Fellows, F-PROT Professional)

Mikko Hypponen stated that at least Zed, V2P6, Starship, School, Number_1.fiis and Ekoterror were not in the wild, although there had been single incidents of these viruses a long time ago. The ZED and School viruses had previously been stated as being in the wild by Data Fellows. It is unfortunate that I had received misleading information previously, and I truly hope this kind of situation can be avoided in the future.

------------------------------------------------------------------------------

MESSAGE FROM DMITRY GRYAZNOV (S&S International)

Having looked at the viruses in your "in the wild" test set, I did find some I don't believe to be in the wild. Viruses like SillyC, SillyRC, Voronezh, W13, Vacsina, most of Vienna's are not really in the wild. A single or two-three reports should not count, especially if they refer to a particular geographical location. You could have used a really comprehensive list of viruses in the wild as compiled by Joe Wells. His list is based on reports from dozens of AV people all over the world.

------------------------------------------------------------------------------

MESSAGE FROM JIMMY KUO (McAfee Associates)

I have attached the names of the viruses that I am unfamiliar with as being "in the wild". I cross-referenced some as being only reported as "in the wild" by one person, among them people you had disclosed to me as having contributed them to you. Yes, relying on one person to say "this is in the wild" is not a good thing to do in an objective test. It is for this reason that Joe Wells' wildlist is separated into two parts.
One where AV specialists have confirmed each other, and one where they have not. This reasoning is to combat the scenario where it is unknown whether the person submitting the information to the AV researcher might 1) be lying about the origin of the infection or 2) have been the first and only infection. I would suggest that you rely on something like Joe's In The Wild list as your basis for "In the Wild" tests. If you wish to amend that list by including things for which you have personal information, be my guest, but that will only draw fire. For similar reasons, NCSA and VB have started to base more and more of their tests on Joe's list.

------------------------------------------------------------------------------

After reviewing the messages, the following message was sent to the producers. A complete cross-reference was attached to the message so that the recipients had a chance to verify the correct variants of the viruses.

Dear Receiver

The following viruses were suggested as NOT being in the wild. If you have contrary evidence, please let me know. Please reply before the weekend, or at least let me know if you intend to reply after this limit.
Suggested by Jimmy Kuo, McAfee Associates (McAfee Scan):
A&A, AMBULANC.A, ANTHRAX, BETRWRLD.A, BUDO.A, BUDO.B, CANTANDO, CATHOLIC.1129, CINDERELLA.C, CINDERELLA.II, CREW.1967, CREW.2480.A, CYBERCID.1307, CZECH_HAPPY, DBF.990, EKOTERROR, ERROR.1231, HLLC.CUMULUS, HLLC.SAUNA, JSB, KLEPAVKA, KMIT, LAME, LAPSE.366, LOUNY.794, LUCA, MIRROROP, NICE.B, NOSTARDA.2247, OMEGA, REST.1588, SCHOOL_SUCK, SHINE.620, SINGAPORE.521, SPANZ, VIC.793, ZED

Suggested by Mikko Hypponen, Data Fellows (F-PROT):
ZED, V2PX.V2P6.Z, STARSHIP, SCHOOL_SUCK, NUMBER_1.FIIS, EKOTERROR

Suggested by Dmitry Gryaznov, S&S International (Dr. Solomon's Anti-Virus Toolkit):
VORONEZH.1600.A, VIENNA.W13.507.A, VIENNA.W13.507.B, VIENNA.W13.534.A, VACSINA.PENZA, V2PX.V2P6.Z, VIENNA.BETABOYS, VIENNA.VIOLATOR.1055

------------------------------------------------------------------------------

After this, Pavel Baudis stated that the following viruses were in the wild:

Czech-Happy           6 cases
Yog-Sothoth-794-A     2 cases
Yog-Sothoth-794-B     3 cases
Singapore-521        14 cases
Klepavka              1 case, but a very large site

There were also two independent observations of the following viruses, and thus these were not excluded from the test set:

VORONEZH.1600.A: [Joe Wells' list], [Marko Helenius]
ERROR.1231: [Mikko Hypponen], [Kim Metso]

All other viruses were excluded from the test bed and the final test set was established. The final test set is presented in the file WILD.TAB.

There were also other messages concerning viruses found in the field. These did not directly concern the test set itself, but the discussion showed some important aspects of constructing the 'in the wild' test set. The main point of the discussion was that there should be at least two independent observations of each virus, and single incidents should not be included.
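The two-source rule the report settles on, written out as an added example (not code from the original report or from any of the products named): it merges reports from named sources, counts the independent sources behind each virus and splits the result into a confirmed and an unconfirmed tier, the split Jimmy Kuo describes for Joe Wells' list. The source names and reports are constructed from the page, and the `normalize` heuristic is an assumption.

```python
from collections import defaultdict


def normalize(name):
    """Canonical spelling for a reported virus name.

    Assumption: the cross-reference that accompanied the test set has already
    mapped aliases (e.g. Yog-Sothoth-794 vs LOUNY.794) to one name, so only
    case and surrounding whitespace need levelling here.
    """
    return name.strip().upper()


def corroborate(reports, min_sources=2):
    """reports: iterable of (source, virus_name) pairs.

    Returns (confirmed, unconfirmed). Both map a normalized virus name to the
    sorted list of independent sources reporting it; a virus is confirmed only
    when at least min_sources distinct sources reported it. One source naming
    the same virus repeatedly (or reporting many incidents) still counts once,
    which is the point made about single-reporter entries.
    """
    sources_by_virus = defaultdict(set)
    for source, name in reports:
        sources_by_virus[normalize(name)].add(source)
    confirmed, unconfirmed = {}, {}
    for virus, sources in sources_by_virus.items():
        tier = confirmed if len(sources) >= min_sources else unconfirmed
        tier[virus] = sorted(sources)
    return confirmed, unconfirmed


def build_test_set(reports, min_sources=2):
    """Sorted list of virus names that survive the corroboration rule."""
    confirmed, _ = corroborate(reports, min_sources)
    return sorted(confirmed)


# Constructed sample reports reflecting the cases the report describes:
# VORONEZH.1600.A and ERROR.1231 each had two independent observations and
# stayed in the test set; ZED was backed by a single source and was dropped.
SAMPLE_REPORTS = [
    ("Joe Wells' list", "VORONEZH.1600.A"),
    ("Marko Helenius", "Voronezh.1600.A"),
    ("Mikko Hypponen", "ERROR.1231"),
    ("Kim Metso", "Error.1231"),
    ("Data Fellows", "ZED"),
    ("Data Fellows", "Zed"),  # same source again: still one observation
]

if __name__ == "__main__":
    confirmed, unconfirmed = corroborate(SAMPLE_REPORTS)
    for virus, sources in sorted(confirmed.items()):
        print(f"KEEP  {virus:<18} reported by {', '.join(sources)}")
    for virus, sources in sorted(unconfirmed.items()):
        print(f"DROP  {virus:<18} only {', '.join(sources)}")
```

Lowering `min_sources` to 1 reproduces the uncorroborated list the report started from, which is exactly the list the producers objected to.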