I never expected to release a new version of EICARgen, but I’m forced to: EICARgen.exe generates just too many false positives.
The new version contains the EICAR string as an XOR-encoded string (key 0xFF). It has only a couple of detections. Kaspersky and VBA32 shouldn’t actually detect this: EICAR clearly specifies that the presence of the EICAR test string inside a file (like an executable) shouldn’t be detected. As to why AVG needs to detect EICAR test file droppers, I have no idea…
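An added example, not EICARgen's own code, of the trick the post describes: the 68-character EICAR string is embedded XOR-encoded with key 0xFF so a literal-string scan of the generator finds nothing, and it is decoded only when the test file is written. The validity check follows the EICAR spec (string first, at most 128 bytes, only whitespace after); the output filename `eicar.com` is an assumption.

```python
"""Embed the EICAR test string XOR-encoded (key 0xFF) and reconstruct it on demand."""
from pathlib import Path

# The 68-character EICAR test string as published by EICAR (not a constructed value).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KEY = 0xFF  # single-byte XOR key, as described in the post


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with a one-byte key; XOR is its own inverse, so this encodes and decodes."""
    return bytes(b ^ key for b in data)


# What a generator embeds instead of the plaintext. Every EICAR byte is printable
# ASCII (< 0x80), so XOR 0xFF maps each one to >= 0x80 and no byte survives unchanged.
ENCODED_EICAR = xor_bytes(EICAR)


def plaintext_present(container: bytes) -> bool:
    """Would a literal-string match for the EICAR string hit inside this container?"""
    return EICAR in container


def is_valid_eicar_file(data: bytes) -> bool:
    """EICAR spec: file starts with the 68-char string, is at most 128 bytes,
    and anything after the string is whitespace only."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return all(c in b" \t\r\n" for c in data[len(EICAR):])


def decode_embedded() -> bytes:
    """Recover the EICAR test string from its embedded XOR-encoded form."""
    return xor_bytes(ENCODED_EICAR)


def write_eicar_file(path: str) -> bytes:
    """Write a spec-conforming EICAR test file and return the bytes written."""
    data = decode_embedded() + b"\r\n"  # trailing whitespace is allowed by the spec
    if not is_valid_eicar_file(data):
        raise ValueError("decoded data does not conform to the EICAR spec")
    Path(path).write_bytes(data)
    return data


if __name__ == "__main__":
    print("plaintext visible in generator:", plaintext_present(ENCODED_EICAR))  # False
    print("wrote", len(write_eicar_file("eicar.com")), "bytes")  # assumed filename
```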
While it’s true that the specs for EICAR say that any file that starts with the specified 68 characters should be detected, that doesn’t preclude them from detecting droppers.
It’s reasonable to assume that some anti-malware programs will detect not only known malware but also generically detect droppers of known malware, which would apply to this case.
Maybe instead of a dropper you should try a downloader (perhaps that’s why downloaders rose to prominence).
Comment by kurt wismer — Friday 4 December 2009 @ 22:16
Good point, a generic dropper signature could explain what AVG does. And I could also use a downloader, thanks for the tip.
Comment by Didier Stevens — Saturday 5 December 2009 @ 9:40
My EICAR source @ http://corkami.blogspot.com/2009/12/this-is-not-virus.html
Comment by Ange — Thursday 7 January 2010 @ 13:33