Gone with the wild...
 
 

    Every day, I see more and more viruses which at some stage of their existence depend on data downloaded from the Internet. For example, several common viruses download trojans from the Internet and install them in the system. Other viruses are simply unable to replicate without certain files located in special places on the Internet.
    Let's take for example the infamous Davinia virus, which was reported ItW by Panda. This virus cannot replicate without a copy of itself being available at a specific Internet location on the Spanish web site "terra.es". If this virus had been reported by two different WildList reporters, it would have got into the WildList. Moreover, even if the page is no longer available and the virus does not work anymore, it would still stay in the WildList for at least 6 months, after which, if no subsequent reports are received, it will be removed automatically. I don't think this would be correct from a user's point of view. If the virus doesn't work anymore, then it can't be ItW, thus, it should not be included in the WildList.
    Another case is the known virus JS/Unicle. This one downloads a couple of trojans from a specific Internet location and runs them. However, they are no longer available for download, as the respective page was removed, so the respective trojans have no chance of being found on users' machines anymore. From this point of view, the WildCore honestly provides only the JS/Unicle sample itself, without including the trojans downloaded by the virus. (Hi Ian!)
    However, I believe that some AV testing institutions include the respective trojans in their tests, tests which are supposedly based on the latest WildList. I personally don't find that fair - the specific trojans downloaded by JS/Unicle are something totally unrelated (now) to the virus itself, and should not be used while testing antivirus programs for detection of the latest WildList. Therefore I think it would be totally unfair to punish a product for not detecting some malware which simply cannot technically be found ItW anymore, during a test which reports whether the product is able to detect all the malware which is currently found ItW. Don't get me wrong - I'm not saying that things which are no longer ItW should not be detected. They definitely should be detected, but a product should not be punished for not detecting them in a test which verifies the ability of a product to detect currently ItW malware...
 

Costin Raiu, <craiu@pcnet.ro>, February 2001