Didier Stevens

EICARgen

EICARgen is just a program that creates the EICAR Anti-Virus test file.

The EICAR Anti-Virus test file is 68 bytes long, and it will cause all Anti-Virus software to trigger a virus alert. Of course, this EICAR file is not a virus; it’s just an industry-standard test file. The EICAR file is only detected by Anti-Virus software that supports the EICAR file, but I’m not aware of any that doesn’t.

The EICAR Anti-Virus test file is great to test your Anti-Virus software, but it’s not easy to handle, because your Anti-Virus software keeps deleting it 😉
Being a toolsmith, I came up with my own solution to this problem: I wrote a program that would just create the EICAR Anti-Virus test file when I need it.

EICARgen is a Windows console application. Start it without arguments, and it does nothing.

Start it with argument “write”, and it will create eicar.com in the working directory and then exit.

Add a filename as argument, and it will create the EICAR test file with the name you specified.

Replace argument “write” with “zip” to write a zip file that contains the EICAR test file, “pdf” to write a PDF file that embeds the EICAR test file, and “xls” to write an xls file that embeds the EICAR test file.
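The “write” and “zip” modes described above, as an added Python sketch; it is not EICARgen's source code. The function names and the default zip filename eicar.zip are assumptions, and the trailing-whitespace rule in the validator comes from EICAR's published definition of the test file, not from this page.

```python
import io
import sys
import zipfile

# The 68-byte EICAR test string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# EICAR's definition allows optional trailing whitespace, total length <= 128.
ALLOWED_TRAILER = b" \t\r\n\x1a"
MAX_LEN = 128


def is_eicar_test_file(data: bytes) -> bool:
    """True if data qualifies as an EICAR test file a scanner should flag."""
    if not data.startswith(EICAR) or len(data) > MAX_LEN:
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])


def build(mode: str, member: str = "eicar.com") -> bytes:
    """Return the bytes for 'write' (bare file) or 'zip' (file inside a zip)."""
    if mode == "write":
        return EICAR
    if mode == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member, EICAR)
        return buf.getvalue()
    raise ValueError(f"unsupported mode: {mode}")


def extract_member(zip_bytes: bytes, member: str = "eicar.com") -> bytes:
    """Read the member back, e.g. to confirm the archive round-trips intact."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member)


if __name__ == "__main__":
    # No arguments: do nothing, like EICARgen.
    if len(sys.argv) >= 2:
        mode = sys.argv[1]
        # Default output names; "eicar.zip" is an assumption of this sketch.
        default = "eicar.com" if mode == "write" else "eicar.zip"
        name = sys.argv[2] if len(sys.argv) > 2 else default
        with open(name, "wb") as fh:
            fh.write(build(mode))
```

The validator is useful after a scan: if the bare file is still on disk and still passes `is_eicar_test_file`, the scanner did not act on it.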

Compiled with Borland’s free C++ 5.5 compiler.

Download:

EICARgen_V2_1.zip (https)
MD5: CE65A30355B059C4A099BEC6837DF19C
SHA256: 58CF69C21FF948B77055952E2F1681467DDB100FF5D90CA268B7A701167FCD3D

18 Comments »

  1. […] PDF, Quickpost — Didier Stevens @ 8:54 I like to embed the EICAR Anti-Virus test file in usual formats and less usual formats. Today, I’m publishing a PDF document with an embedded EICAR test file […]

    Pingback by Quickpost: eicar.pdf « Didier Stevens — Tuesday 20 May 2008 @ 8:54

  2. Can you obfuscate the virus code in the software i.e. split the line into say 5 pieces in wrong order and only assemble on program execution. Avast says your eicargen file is a virus.

    Comment by Andrew — Wednesday 17 September 2008 @ 19:29

  3. Avast says: Win32:Trojan-gen {Other}

    That’s strange…

    Comment by Didier Stevens — Friday 19 September 2008 @ 12:59

  4. I filed a bug report with AVAST and they have updated their virus sig so it won’t be detected as a virus. I used virustotal.com to check and it says it is not a virus anymore. See http://www.virustotal.com/analisis/79564320564a016f159f9adb8ea55847 for the report.

    Comment by Andrew — Thursday 25 September 2008 @ 9:46

  5. Great!

    Comment by Didier Stevens — Thursday 25 September 2008 @ 13:11

  6. Probably AVAST recognized your program as a virus generator and classified it as malware.
    Now wait until Google ranks this very URL with the alert “This site may damage your computer”. 🙂

    Comment by D0R — Thursday 6 November 2008 @ 13:58

  7. Microsoft Security Essentials found the “Trojan:Win32/Meredrop” in EICARgen.exe when extracting the zip-file.
    Even before I could test the EICAR Anti-Virus test file, at least MSE is doing its job.

    Comment by Jan — Thursday 22 October 2009 @ 13:25

  8. Interesting, thanks for the heads-up.

    Comment by Didier Stevens — Thursday 22 October 2009 @ 15:39

  9. […] Filed under: My Software, Quickpost — Didier Stevens @ 14:58 I never expected to release a new version of EICARgen, but I’m forced to: EICARgen.exe generates just too many false […]

    Pingback by Quickpost: New EICARgen Version « Didier Stevens — Friday 4 December 2009 @ 14:59

  10. dang, Rising AV didn’t say a thing……..
    hmmmmm has always been exceptional at finding stuff

    Comment by Jack — Wednesday 19 May 2010 @ 15:04

  11. I created a similar program in C, but AVG always caught it. First I thought that AVG is detecting the EICAR code string inside the EXE. So I used simple ROT13 and later XOR encryption to hide the string. But AVG always detects it! Actually AVG checks behavior of the program and finds out that it is dropping EICAR test virus and flags it as Eicar.dropper. No use!

    Maybe if you can make some regular Windows program put the code in the target EICAR virus file in steps, then you can survive. BTW, EICARGen is caught both by AVG and avast!.

    Comment by Romeo29 — Wednesday 3 November 2010 @ 14:27

  12. This isn’t quite as elegant as yours, but it isn’t (yet. at least) detected as a virus. It’s AutoHotKey, so it can be compiled to an exe that’ll run on any Windows version.

    Just one line:

    FileAppend, X5O!P`%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*, eicar.com

    Isn’t AHK nice? 🙂

    Comment by steve54 — Friday 13 May 2011 @ 0:58

  13. Is it correct that the archive does not contain an executable anymore?

    Comment by Anonymous — Friday 26 August 2011 @ 9:32

  14. @Anonymous Fixed it!

    Comment by Didier Stevens — Wednesday 31 August 2011 @ 19:21

  15. […] 2.1 of EICARgen can create an Excel spreadsheet (.xls) with the EICAR test file embedded with […]

    Pingback by Update EICARgen Version 2.1 | Didier Stevens — Monday 16 February 2015 @ 0:01

  16. Thanks for the very useful tool.

    Comment by Rick WIlson — Tuesday 31 March 2015 @ 21:43

  17. […] the text and identify it as the EICAR test. Alternatively, you can download Didier Stevens’ EICARGen software, which generates files containing the EICAR text. Depending on your anti-malware software’s […]

    Pingback by Security roundup for June 2015 | boot13 — Wednesday 1 July 2015 @ 15:01

  18. […] I compile EICARgen on Kali Linux to a 32-bit, statically linked Linux […]

    Pingback by Quickpost: Compiling 32-bit Static ELF Files on Kali | Didier Stevens — Monday 19 November 2018 @ 0:00

