Eicar Test File
The Eicar Test File is a plain text COM file that you can use to test the functionality of your anti-virus program. As opposed to testing the detection abilities of your AV with a real virus or malicious program, this particular file is harmless. The Eicar Test File simply prints “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!” to the console. This file runs on Microsoft operating systems and some similar ones, except on 64-bit Windows, which cannot execute 16-bit programs. If you have a 64-bit computer, use DOSBox. Here’s the code for the file (save as .com):
What’s interesting about this file is that it uses nothing but plain text. So go ahead and paste it into a text editor and save it as a .com file. Run it from command.com, cmd.exe, or DOSBox if you have a 64-bit computer. It will print the expected string and terminate.
Viewed through a disassembler, the code takes a rather unusual route to the simple task of printing a string:
Offset  OpCode(s)                                   Instruction
0100    58                                          POP AX
0101    35 4F 21                                    XOR AX,214F
0104    50                                          PUSH AX
0105    25 40 41                                    AND AX,4140
0108    50                                          PUSH AX
0109    5B                                          POP BX
010A    34 5C                                       XOR AL,5C
010C    50                                          PUSH AX
010D    5A                                          POP DX
010E    58                                          POP AX
010F    35 34 28                                    XOR AX,2834
0112    50                                          PUSH AX
0113    5E                                          POP SI
0114    29 37                                       SUB [BX],SI
0116    43                                          INC BX
0117    43                                          INC BX
0118    29 37                                       SUB [BX],SI
011A    7D 24                                       JGE 0140
011C    45 49 43 41 52 2D 53 54 41 4E 44 41 52 44   DB "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"
        2D 41 4E 54 49 56 49 52 55 53 2D 54 45 53
        54 2D 46 49 4C 45 21 24
0140    48                                          DEC AX
0141    2B 48 2A                                    SUB CX,[BX+SI+2A]
Nowhere in that code will you find an INT 21 or even a CALL. So how does this thing print the string? Load it up in debug to find out. Use the following command in debug:
Then just keep entering ‘p’ to step through each instruction in the program and you’ll see how it works. Basically it modifies its own memory, rewriting the last 4 bytes of the file into INT 21 so it can invoke the DOS functions, and it plays around with the stack and bitwise operations to get the addresses and function numbers into the registers.
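To follow the self-patching without a DOS box, here is a small emulator (an added example, not code from the original post) that interprets only the handful of opcodes the listing above uses. The 68-byte image is reconstructed from the disassembly; the stack layout assumes the usual COM-file start state (SP=FFFE with a zero word on the stack).

```python
"""Minimal 8086 emulator covering only the opcodes used by the EICAR test file."""

# The 68-byte EICAR image, rebuilt from the opcode bytes in the listing (constructed inline).
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

def run_eicar(image=EICAR):
    """Emulate the COM image loaded at offset 0100h; return (printed text, bytes at 0140h-0143h)."""
    mem = bytearray(0x10000)                      # one 64 KiB segment, zero-filled like a fresh PSP
    mem[0x100:0x100 + len(image)] = image
    r = {"AX": 0, "CX": 0, "DX": 0, "BX": 0, "SP": 0xFFFE, "BP": 0, "SI": 0, "DI": 0}
    regs = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]   # order used by PUSH/POP opcodes
    ip, sf, of, out = 0x100, 0, 0, bytearray()
    def rd16(a): return mem[a] | mem[a + 1] << 8
    def wr16(a, v): mem[a], mem[a + 1] = v & 0xFF, (v >> 8) & 0xFF
    def push(v): r["SP"] = (r["SP"] - 2) & 0xFFFF; wr16(r["SP"], v)
    def pop():
        v = rd16(r["SP"]); r["SP"] = (r["SP"] + 2) & 0xFFFF; return v
    for _ in range(100):                          # hard step limit; the real program needs ~20
        op = mem[ip]
        if 0x50 <= op <= 0x57: push(r[regs[op - 0x50]]); ip += 1        # PUSH reg
        elif 0x58 <= op <= 0x5F: r[regs[op - 0x58]] = pop(); ip += 1    # POP reg
        elif op == 0x35: r["AX"] ^= rd16(ip + 1); ip += 3               # XOR AX,imm16
        elif op == 0x25: r["AX"] &= rd16(ip + 1); ip += 3               # AND AX,imm16
        elif op == 0x34: r["AX"] ^= mem[ip + 1]; ip += 2                # XOR AL,imm8
        elif op == 0x43: r["BX"] = (r["BX"] + 1) & 0xFFFF; ip += 1      # INC BX
        elif op == 0x29 and mem[ip + 1] == 0x37:                        # SUB [BX],SI (self-patch)
            a, b = rd16(r["BX"]), r["SI"]
            res = (a - b) & 0xFFFF
            sf = res >> 15                                              # sign flag
            of = ((a ^ b) & (a ^ res)) >> 15                            # overflow flag
            wr16(r["BX"], res); ip += 2
        elif op == 0x7D:                                                # JGE rel8: taken if SF == OF
            disp = mem[ip + 1]; disp -= 0x100 if disp > 0x7F else 0
            ip += 2 + (disp if sf == of else 0)
        elif op == 0xCD and mem[ip + 1] == 0x21 and r["AX"] >> 8 == 9:  # INT 21h / AH=09h: print $-string at DX
            a = r["DX"]
            while mem[a] != ord("$"): out.append(mem[a]); a += 1
            ip += 2
        elif op == 0xCD and mem[ip + 1] == 0x20: break                  # INT 20h: terminate program
        else: raise RuntimeError(f"unsupported opcode {op:02X} at {ip:04X}")
    return bytes(out).decode(), bytes(mem[0x140:0x144])

if __name__ == "__main__":
    text, tail = run_eicar()
    print(text, tail.hex())                       # the tail shows 'H+H*' rewritten to CD 21 CD 20
```

The patched tail is INT 21h followed by INT 20h, and AX holds 097Bh when the jump lands there, so AH=09h selects the DOS print-string function with DX pointing at the message.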