Didier Stevens

EICARgen

There’s a very simple anti-virus testing tool I programmed years ago, and I just realized I’ve never published it. So here goes.

EICARgen is just a program that creates the EICAR Anti-Virus test file.

The EICAR Anti-Virus test file is 68 bytes long, and it will cause all Anti-Virus software to trigger a virus alert. Of course, this EICAR file is not a virus, it’s just an industry-standard test file. The EICAR file is only detected by Anti-Virus software that supports the EICAR file, but I’m not aware of any that doesn’t.

The EICAR Anti-Virus test file is great to test your Anti-Virus software, but it’s not easy to handle, because your Anti-Virus software keeps deleting it ;-)
Being a developer, I came up with my own solution to this problem: I wrote a program that would just create the EICAR Anti-Virus test file when I need it.
My program itself is not detected by Anti-Virus software, because:

  1. Anti-Virus software that fully complies with EICAR only triggers an alert for a 68-byte-long EICAR Anti-Virus test file, not for larger files containing the 68-byte EICAR sequence
  2. my program does not contain an exact copy of the EICAR sequence

EICARgen is a Windows console application. Start it without arguments, and it will create eicar.com in the working directory and then exit.
Start it with a filename as argument, and it will create the EICAR test file with the name you specified.
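
The two points above and the command-line behaviour, as an added C example (this is not the EICARgen source, which this page does not show). The names `eicar_build`, `eicar_classify` and `eicar_write` and the place where the string is split are assumptions made for the example; the classifier applies the 68-byte rule exactly as stated above.

```c
#include <stdio.h>
#include <string.h>

#define EICAR_LEN 68

/* Stored as two halves and joined only at run time, so the contiguous
   68-byte sequence is not present in this source or in the binary. */
static const char PART_A[] = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-";
static const char PART_B[] = "STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

enum eicar_kind { EICAR_ABSENT, EICAR_EMBEDDED, EICAR_EXACT };

/* Join the halves into out (needs EICAR_LEN + 1 bytes); returns the length. */
size_t eicar_build(char *out) {
    strcpy(out, PART_A);
    strcat(out, PART_B);
    return strlen(out);
}

/* EXACT: the buffer is the 68-byte test file itself.
   EMBEDDED: a larger buffer that merely contains the sequence. */
enum eicar_kind eicar_classify(const unsigned char *buf, size_t len) {
    char sig[EICAR_LEN + 1];
    size_t i;
    eicar_build(sig);
    if (len == EICAR_LEN && memcmp(buf, sig, EICAR_LEN) == 0)
        return EICAR_EXACT;
    for (i = 0; len >= EICAR_LEN && i <= len - EICAR_LEN; i++)
        if (memcmp(buf + i, sig, EICAR_LEN) == 0)
            return EICAR_EMBEDDED;
    return EICAR_ABSENT;
}

/* Write the test file in binary mode; returns 0 on success, -1 on error. */
int eicar_write(const char *path) {
    char sig[EICAR_LEN + 1];
    size_t n = eicar_build(sig), written;
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    written = fwrite(sig, 1, n, f);
    return (fclose(f) == 0 && written == n) ? 0 : -1;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "eicar.com";
    if (eicar_write(path) != 0) { perror(path); return 1; }
    printf("wrote %d bytes to %s\n", EICAR_LEN, path);
    return 0;
}
```

If the written file disappears or cannot be opened shortly afterwards, on-access scanning is doing its job.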


Compiled with Borland’s free C++ 5.5 compiler.

Download:

EICARgen_V1_1.zip (https)

MD5: EACBE699FFB0B9B56B6F2BCDBA810D6E

14 Comments »

  1. [...] PDF, Quickpost — Didier Stevens @ 8:54 I like to embed the EICAR Anti-Virus test file in usual formats and less usual formats. Today, I’m publishing a PDF document with an embedded EICAR test file [...]

    Pingback by Quickpost: eicar.pdf « Didier Stevens — Tuesday 20 May 2008 @ 8:54

  2. Can you obfuscate the virus code in the software i.e. split the line into say 5 pieces in wrong order and only assemble on program execution. Avast says your eicargen file is a virus.

    Comment by Andrew — Wednesday 17 September 2008 @ 19:29

  3. Avast says: Win32:Trojan-gen {Other}

    That’s strange…

    Comment by Didier Stevens — Friday 19 September 2008 @ 12:59

  4. I filed a bug report with AVAST and they have updated their virus sig so it won’t be detected as a virus. I used virustotal.com to check and it says it is not a virus anymore. See http://www.virustotal.com/analisis/79564320564a016f159f9adb8ea55847 for the report.

    Comment by Andrew — Thursday 25 September 2008 @ 9:46

  5. Great!

    Comment by Didier Stevens — Thursday 25 September 2008 @ 13:11

  6. Probably AVAST recognized your program as a virus generator and classified it as malware.
    Now wait until Google ranks this very URL with the alert “This site may damage your computer”. :)

    Comment by D0R — Thursday 6 November 2008 @ 13:58

  7. Microsoft Security Essentials found the “Trojan:Win32/Meredrop” in EICARgen.exe when extracting the zip-file.
    Even before I could test the EICAR Anti-Virus test file, at least MSE is doing its job.

    Comment by Jan — Thursday 22 October 2009 @ 13:25

  8. Interesting, thanks for the heads-up.

    Comment by Didier Stevens — Thursday 22 October 2009 @ 15:39

  9. [...] Filed under: My Software, Quickpost — Didier Stevens @ 14:58 I never expected to release a new version of EICARgen, but I’m forced to: EICARgen.exe generates just too many false [...]

    Pingback by Quickpost: New EICARgen Version « Didier Stevens — Friday 4 December 2009 @ 14:59

  10. dang, Rising AV didn’t say a thing……..
    hmmmmm has always been exceptional at finding stuff

    Comment by Jack — Wednesday 19 May 2010 @ 15:04

  11. I created a similar program in C, but AVG always caught it. First I thought that AVG is detecting the EICAR code string inside the EXE. So I used simple ROT13 and later XOR encryption to hide the string. But AVG always detects it! Actually AVG checks behavior of the program and finds out that it is dropping EICAR test virus and flags it as Eicar.dropper. No use!

    Maybe if you can make some regular Windows program put the code in the target EICAR virus file in steps, then you can survive. BTW, EICARGen is caught both by AVG and avast!.

    Comment by Romeo29 — Wednesday 3 November 2010 @ 14:27

  12. This isn’t quite as elegant as yours, but it isn’t (yet, at least) detected as a virus. It’s AutoHotKey, so it can be compiled to an exe that’ll run on any Windows version.

    Just one line:

    FileAppend, X5O!P`%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*, eicar.com

    Isn’t AHK nice? :)

    Comment by steve54 — Friday 13 May 2011 @ 0:58

  13. Is it correct that the archive does not contain an executable anymore?

    Comment by Anonymous — Friday 26 August 2011 @ 9:32

  14. @Anonymous Fixed it!

    Comment by Didier Stevens — Wednesday 31 August 2011 @ 19:21

