The EICAR test virus is a simple string that you can paste into Notepad and save as test.exe. If all is working properly, your anti-virus will pop up and tell you it found a virus.
This is what it looks like:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
To be honest I hadn't really looked carefully at this file. I have been using it for years to verify that anti-virus was working properly.
Until today - I accidentally ran the test. I had my anti-virus turned off and I executed it from the command line. I thought it was just a random string of characters...but it is a functional program! It echoed back to me "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
So I researched and discovered it was a carefully crafted assembly language program. It was designed to only have assembly language opcodes that could be represented by standard ASCII characters. If you are interested, here is the assembly code:
POP AX
XOR AX,214F
PUSH AX
AND AX,4140
PUSH AX
POP BX
XOR AL,5C
PUSH AX
POP DX
POP AX
XOR AX,2834
PUSH AX
POP SI
SUB [BX],SI
INC BX
INC BX
SUB [BX],SI
JGE 0140
45 49 43 41 52 2D 53 54 41 EICAR-STA
4E 44 41 52 44 2D 41 4E 54 NDARD-ANT
49 56 49 52 55 53 2D 54 45 IVIRUS-TE
53 54 2D 46 49 4C 45 21 24 ST-FILE!$
INT 21
INT 20
Now here is the fun (and totally useless ;) ) part. You can make the program say other stuff too...and once you do that it will no longer be detected by any anti-virus programs.
Let's try it.
Cut and paste this:
X5O!P%@AP[4\PZX54(P^)7CC)7}$--------====Hello World====--------$H+H*

into Notepad, and save it as test.exe somewhere on your hard drive. Now if you run it at the command line you get...
--------====Hello World====--------
The trick is...if you want to make your own you need to keep it the exact number of characters. *OR* recalculate the "JGE 0140" assembly code and convert it back into ASCII...I will leave this as an exercise for the reader :)
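Why the length matters, shown as an added example (not part of the original post): a small Python interpreter for just the opcodes in the listing above, run over a constructed 64 KB memory image. It shows the two SUB [BX],SI instructions rewriting the trailing "H+H*" at the fixed offset 0x140 into CD 21 CD 20 (INT 21 / INT 20), and it raises an error when the message length changes. The names run, image_for, STUB and TAIL are this example's own.

```python
# Added example: interprets only the few 8086 opcodes the stub uses.
STUB = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$"      # decoder, 28 bytes at 0x100-0x11B
TAIL = b"H+H*"                                # patched into INT 21 / INT 20
EICAR_MSG = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
HELLO_MSG = "--------====Hello World====--------"
POP = {0x58: "AX", 0x5B: "BX", 0x5A: "DX", 0x5E: "SI"}

def image_for(msg: str) -> bytes:
    """Assemble stub + '$'-terminated message + tail, as laid out in the post."""
    return STUB + msg.encode("ascii") + b"$" + TAIL

def run(image: bytes):
    """Trace the stub; return (printed text, the 4 bytes at 0x140 afterwards)."""
    mem = bytearray(0x10000)                  # one 64 KB segment, zero-filled
    mem[0x100:0x100 + len(image)] = image     # DOS loads .COM images at 0x100
    reg = dict.fromkeys(POP.values(), 0)
    stack, ip, sf, of, out = [0], 0x100, 0, 0, ""  # DOS pushes a zero word
    word = lambda a: mem[a] | mem[a + 1] << 8
    for _ in range(64):                       # step limit, never loop forever
        op, ip = mem[ip], ip + 1
        if op in POP:                         # POP r16
            reg[POP[op]] = stack.pop()
        elif op == 0x50:                      # PUSH AX
            stack.append(reg["AX"])
        elif op == 0x35:                      # XOR AX,imm16
            reg["AX"] ^= word(ip)
            ip += 2
        elif op == 0x25:                      # AND AX,imm16
            reg["AX"] &= word(ip)
            ip += 2
        elif op == 0x34:                      # XOR AL,imm8
            reg["AX"] ^= mem[ip]
            ip += 1
        elif op == 0x43:                      # INC BX
            reg["BX"] = (reg["BX"] + 1) & 0xFFFF
        elif op == 0x29 and mem[ip] == 0x37:  # SUB [BX],SI: self-modifying write
            a, b, bx = word(reg["BX"]), reg["SI"], reg["BX"]
            res = (a - b) & 0xFFFF
            mem[bx:bx + 2] = res.to_bytes(2, "little")
            sf, of, ip = res >> 15, ((a ^ b) & (a ^ res)) >> 15, ip + 1
        elif op == 0x7D:                      # JGE rel8: taken when SF == OF
            rel = mem[ip] - 256 if mem[ip] > 127 else mem[ip]
            ip += 1 + (rel if sf == of else 0)
        elif op == 0xCD and mem[ip] == 0x21 and reg["AX"] >> 8 == 9:
            end = mem.index(b"$", reg["DX"])  # AH=09h: print DS:DX up to '$'
            out, ip = out + mem[reg["DX"]:end].decode("ascii"), ip + 1
        elif op == 0xCD and mem[ip] == 0x20:  # INT 20h: terminate
            return out, bytes(mem[0x140:0x144])
        else:
            raise ValueError(f"unhandled opcode {op:#04x} at {ip - 1:#06x}")
    raise ValueError("step limit reached")
```

Calling run(image_for(HELLO_MSG[1:])), one character short, fails because the stub still patches 0x140 while the tail has moved to 0x13F, so the jump is not taken and execution falls into the message text.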
Posted By: Steve Wiseman on Tuesday, August 14, 2007
