Eicar Test File

The Eicar Test File is a plain-text COM file that you can use to test whether your anti-virus program is working. Instead of testing your AV's detection abilities with a real virus or malicious program, you use this file, which is harmless: it simply prints “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!” to the console. The file runs on Microsoft OSes and some similar ones (except on 64-bit machines, which cannot run 16-bit programs; if you have a 64-bit computer, use DOSBox). Here’s the content of the file (save it with a .com extension):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

What’s interesting about this file is that it consists of nothing but printable plain text. So go ahead and paste this into a text editor and save it as a .com file. Run it from command.com, cmd.exe, or DOSBox if you have a 64-bit computer. It will print the string above and terminate.

Viewed through a disassembler, the code behind this file looks rather odd for something whose only job is to print a string:

Offset   OpCode(s)   Instruction

0100     58          POP AX
0101     35 4F 21    XOR AX,214F
0104     50          PUSH AX
0105     25 40 41    AND AX,4140
0108     50          PUSH AX
0109     5B          POP BX
010A     34 5C       XOR AL,5C
010C     50          PUSH AX
010D     5A          POP DX
010E     58          POP AX
010F     35 34 28    XOR AX,2834
0112     50          PUSH AX
0113     5E          POP SI
0114     29 37       SUB [BX],SI
0116     43          INC BX
0117     43          INC BX
0118     29 37       SUB [BX],SI
011A     7D 24       JGE 0140
011C     45 49 43 41
         52 2D 53 54
         41 4E 44 41
         4E 54 49 56
         49 52 55 53
         2D 54 45 53
         54 2D 46 49
         4C 45 21 24 DB "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"
0140     48          DEC AX
0141     2B 48 2A    SUB CX,[BX+SI+2A]

Nowhere in that code will you find an INT 21 or even a CALL. So how does this thing print the string? Load it up in debug to find out, using the following command:

p =100

Then keep entering ‘p’ to step through each instruction in the program and you’ll see how it works. Basically, it modifies its own memory: the last 4 bytes of the file are rewritten into INT 21 (and INT 20) instructions so that the DOS functions can be executed, and it plays around with the stack and bitwise operations to get the addresses and function numbers into the registers.
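The following Python script is an added example, not code from the original post or its commenter. It is a tiny 8086 emulator that understands only the dozen opcodes present in the EICAR file and models a DOS .COM load as the post describes it: the bytes are placed at offset 0x100 of a single 64 KiB segment (CS=DS=SS), and SP points at a zero word that DOS pushes before transferring control (which is why the first POP AX yields 0). INT 21h function 09h is modelled as "print the '$'-terminated string at DS:DX" and INT 20h as "terminate". Running it shows the self-modification directly: the two SUB [BX],SI instructions turn the trailing "H+H*" into CD 21 CD 20 before the JGE lands on them, and the DEC AX / SUB CX,[BX+SI+2A] that the disassembler shows at 0140 is never executed. It also checks the "nothing but plain text" property by verifying every byte is printable 7-bit ASCII.

```python
"""Mini 8086 emulator for the handful of opcodes in the EICAR test file (added example)."""

# The 68-byte EICAR string from the post (the backslash is escaped for Python).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
LOAD = 0x100  # a .COM program is loaded at CS:0100h


def is_plain_text(data: bytes) -> bool:
    """True if every byte is printable 7-bit ASCII, i.e. the file really is plain text."""
    return all(0x20 <= b <= 0x7E for b in data)


def emulate(program: bytes) -> dict:
    """Execute the program as DOS would start a .COM file and return what it did."""
    mem = bytearray(0x10000)                       # one 64 KiB segment (CS=DS=SS)
    mem[LOAD:LOAD + len(program)] = program
    reg = {"ax": 0, "bx": 0, "dx": 0, "si": 0}
    sp = 0xFFFE                                    # DOS pushes a zero word at the top of the segment
    mem[sp:sp + 2] = (0).to_bytes(2, "little")
    ip = LOAD
    sf = of = 0                                    # sign and overflow flags (only SUB sets them here)
    output = []

    def rd16(addr):
        return int.from_bytes(mem[addr:addr + 2], "little")

    def wr16(addr, value):
        mem[addr:addr + 2] = (value & 0xFFFF).to_bytes(2, "little")

    def push(value):
        nonlocal sp
        sp = (sp - 2) & 0xFFFF
        wr16(sp, value)

    def pop():
        nonlocal sp
        value = rd16(sp)
        sp = (sp + 2) & 0xFFFF
        return value

    for _ in range(100):                           # safety bound; the real program needs ~20 steps
        op = mem[ip]
        if op == 0x58:   reg["ax"] = pop(); ip += 1                 # POP AX
        elif op == 0x50: push(reg["ax"]); ip += 1                   # PUSH AX
        elif op == 0x5B: reg["bx"] = pop(); ip += 1                 # POP BX
        elif op == 0x5A: reg["dx"] = pop(); ip += 1                 # POP DX
        elif op == 0x5E: reg["si"] = pop(); ip += 1                 # POP SI
        elif op == 0x35: reg["ax"] ^= rd16(ip + 1); ip += 3         # XOR AX,imm16
        elif op == 0x25: reg["ax"] &= rd16(ip + 1); ip += 3         # AND AX,imm16
        elif op == 0x34: reg["ax"] ^= mem[ip + 1]; ip += 2          # XOR AL,imm8 (low byte only)
        elif op == 0x43: reg["bx"] = (reg["bx"] + 1) & 0xFFFF; ip += 1  # INC BX
        elif op == 0x29 and mem[ip + 1] == 0x37:                    # SUB [BX],SI  (the self-patch)
            a, b = rd16(reg["bx"]), reg["si"]
            r = (a - b) & 0xFFFF
            wr16(reg["bx"], r)
            sf = r >> 15
            of = ((a ^ b) & (a ^ r)) >> 15                          # signed overflow for subtraction
            ip += 2
        elif op == 0x7D:                                            # JGE rel8: taken when SF == OF
            disp = mem[ip + 1]
            disp = disp - 256 if disp > 127 else disp
            ip += 2
            if sf == of:
                ip += disp
        elif op == 0xCD:                                            # INT imm8
            vector = mem[ip + 1]
            ip += 2
            if vector == 0x21 and reg["ax"] >> 8 == 0x09:           # DOS: print '$'-string at DS:DX
                end = mem.index(b"$", reg["dx"])
                output.append(mem[reg["dx"]:end].decode("ascii"))
            elif vector == 0x20:                                    # DOS: terminate program
                break
            else:
                raise ValueError(f"unexpected interrupt {vector:02X}h with AX={reg['ax']:04X}")
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {ip:04X}")

    return {"output": "".join(output), "regs": dict(reg), "patched": bytes(mem[0x140:0x144])}


if __name__ == "__main__":
    print("plain text:", is_plain_text(EICAR))
    result = emulate(EICAR)
    print("printed   :", result["output"])
    print("registers :", {k: f"{v:04X}" for k, v in result["regs"].items()})
    print("bytes at 0140 after self-patch:", result["patched"].hex(" "))
```

The emulator deliberately has no DEC AX (48) handler: if the patch had not happened before the JGE, execution would fault on the unsupported opcode, which is exactly the point the post makes about the last four bytes.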

One thought on “Eicar Test File”

  1. This is phun :)

    0100 58 POP AX ;AX = 0
    0101 35 4F 21 XOR AX,214F ;AX = 214F
    0104 50 PUSH AX ;save the value
    0105 25 40 41 AND AX,4140 ;AX = 140 : @ end
    0108 50 PUSH AX ;Giving the value to BX
    0109 5B POP BX ;
    010A 34 5C XOR AL,5C ;AX = 11C : @ of “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!”
    010C 50 PUSH AX ;Giving the value to DX
    010D 5A POP DX ;
    010E 58 POP AX ;AX = 214F
    010F 35 34 28 XOR AX,2834 ;AX = 97B
    0112 50 PUSH AX ;Giving the value to SI
    0113 5E POP SI ;
    0114 29 37 SUB [BX],SI ;[BX] = 2B48 : 2B48 - 97B = 21CD = Int 21 (print the ASCII string pointed to by DX)
    0116 43 INC BX ;Next WORD
    0117 43 INC BX ;
    0118 29 37 SUB [BX],SI ;[BX] = 2A48 and 2A48 - 97B = 20CD = Int 20 (exit)
    011A 7D 24 JGE 0140 ; -> jmp [BX] : print the string and exits
    011C 45 49 43 41
    52 2D 53 54
    41 4E 44 41
    4E 54 49 56
    49 52 55 53
    2D 54 45 53
    54 2D 46 49
    4C 45 21 24 DB "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"
    0140 48 2B ;482B
    0142 48 2A ;482A
