Didier Stevens

EICARgen

EICARgen is just a program that creates the EICAR Anti-Virus test file.

The EICAR Anti-Virus test file is 68 bytes long, and it will cause all Anti-Virus software to trigger a virus alert. Of course, this EICAR file is not a virus, it’s just an industry-standard test file. The EICAR file is only detected by Anti-Virus software that supports the EICAR file, but I’m not aware of any that doesn’t.

The EICAR Anti-Virus test file is great to test your Anti-Virus software, but it’s not easy to handle, because your Anti-Virus software keeps deleting it ;-)
Being a toolsmith, I came up with my own solution to this problem: I wrote a program that would just create the EICAR Anti-Virus test file when I need it.

EICARgen is a Windows console application. Start it without arguments, and it does nothing.

Start it with argument “write”, and it will create eicar.com in the working directory and then exit.

Add a filename as argument, and it will create the EICAR test file with the name you specified.

Replace argument “write” with “zip” to write a zip file that contains the EICAR test file, and “pdf” to write a pdf file that embeds the EICAR test file.
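The “write” and “zip” modes described above can be reproduced in a few lines of Python; this is an added example, not EICARgen's source code, and it also reports whether on-access scanning removed or blocked the file. The `build` and `write_and_check` names and the default `eicar.zip` filename are assumptions of this sketch, and the “pdf” mode is not covered.

```python
import io
import sys
import zipfile
from pathlib import Path

# The 68-byte EICAR test string, as two adjacent literals for line length.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def build(mode: str) -> bytes:
    """Return the bytes for the "write" or "zip" variant, built in memory."""
    if len(EICAR) != 68:
        raise ValueError("EICAR string damaged: expected 68 bytes")
    if mode == "write":
        return EICAR
    if mode == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("eicar.com", EICAR)
        return buf.getvalue()
    raise ValueError(f"unsupported mode: {mode!r}")


def write_and_check(mode: str, path: Path) -> str:
    """Write the test file, then report what on-access scanning did to it."""
    data = build(mode)
    try:
        path.write_bytes(data)
        on_disk = path.read_bytes()
    except OSError as exc:  # blocked on write/open, or already removed
        return f"blocked ({exc.__class__.__name__})"
    return "intact: no on-access detection" if on_disk == data else "modified"


# Like EICARgen, do nothing when started without arguments.
if __name__ == "__main__" and len(sys.argv) >= 2:
    mode = sys.argv[1]
    default = "eicar.com" if mode == "write" else "eicar.zip"  # assumed names
    target = Path(sys.argv[2] if len(sys.argv) > 2 else default)
    print(target, "->", write_and_check(mode, target))
```

A result of “intact” for the zip variant but “blocked” for the plain file indicates that the scanner is not inspecting archives on access.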

Compiled with Borland’s free C++ 5.5 compiler.

Download:

EICARgen_V2_0.zip (https)
MD5: D346A3725622F981DDA7221799EF08E8
SHA256: 2DF76319D8513B1AD70D327816D3C1028B261EF1E314243DCD0DEC14FF1FC7CE

14 Comments »

  1. […] PDF, Quickpost — Didier Stevens @ 8:54 I like to embed the EICAR Anti-Virus test file in usual formats and less usual formats. Today, I’m publishing a PDF document with an embedded EICAR test file […]

    Pingback by Quickpost: eicar.pdf « Didier Stevens — Tuesday 20 May 2008 @ 8:54

  2. Can you obfuscate the virus code in the software i.e. split the line into say 5 pieces in wrong order and only assemble on program execution. Avast says your eicargen file is a virus.

    Comment by Andrew — Wednesday 17 September 2008 @ 19:29

  3. Avast says: Win32:Trojan-gen {Other}

    That’s strange…

    Comment by Didier Stevens — Friday 19 September 2008 @ 12:59

  4. I filed a bug report with AVAST and they have updated their virus sig so it won’t be detected as a virus. I used virustotal.com to check and it says it is not a virus anymore. See http://www.virustotal.com/analisis/79564320564a016f159f9adb8ea55847 for the report.

    Comment by Andrew — Thursday 25 September 2008 @ 9:46

  5. Great!

    Comment by Didier Stevens — Thursday 25 September 2008 @ 13:11

  6. Probably AVAST recognized your program as a virus generator and classified it as malware.
    Now wait until Google ranks this very URL with the alert “This site may damage your computer”. :)

    Comment by D0R — Thursday 6 November 2008 @ 13:58

  7. Microsoft Security Essentials found the “Trojan:Win32/Meredrop” in EICARgen.exe when extracting the zip-file.
    Even before I could test the EICAR Anti-Virus test file, at least MSE is doing its job.

    Comment by Jan — Thursday 22 October 2009 @ 13:25

  8. Interesting, thanks for the heads-up.

    Comment by Didier Stevens — Thursday 22 October 2009 @ 15:39

  9. […] Filed under: My Software, Quickpost — Didier Stevens @ 14:58 I never expected to release a new version of EICARgen, but I’m forced to: EICARgen.exe generates just too many false […]

    Pingback by Quickpost: New EICARgen Version « Didier Stevens — Friday 4 December 2009 @ 14:59

  10. dang, Rising AV didn’t say a thing……..
    hmmmmm has always been exceptional at finding stuff

    Comment by Jack — Wednesday 19 May 2010 @ 15:04

  11. I created a similar program in C, but AVG always caught it. First I thought that AVG is detecting the EICAR code string inside the EXE. So I used simple ROT13 and later XOR encryption to hide the string. But AVG always detects it! Actually AVG checks behavior of the program and finds out that it is dropping EICAR test virus and flags it as Eicar.dropper. No use!

    Maybe if you can make some regular Windows program put the code in the target EICAR virus file in steps, then you can survive. BTW, EICARGen is caught both by AVG and avast!.

    Comment by Romeo29 — Wednesday 3 November 2010 @ 14:27

  12. This isn’t quite as elegant as yours, but it isn’t (yet, at least) detected as a virus. It’s AutoHotKey, so it can be compiled to an exe that’ll run on any Windows version.

    Just one line:

    FileAppend, X5O!P`%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*, eicar.com

    Isn’t AHK nice? :)

    Comment by steve54 — Friday 13 May 2011 @ 0:58

  13. Is it correct that the archive does not contain an executable anymore?

    Comment by Anonymous — Friday 26 August 2011 @ 9:32

  14. @Anonymous Fixed it!

    Comment by Didier Stevens — Wednesday 31 August 2011 @ 19:21

