EICAR-Test-File
Aliases
EICAR-Test-File (Kaspersky Lab) is also known as: EICAR-AV-Test (Sophos), EICAR_Test_File (RAV), Eicar_test_file (Trend Micro), Eicar-Test-Signature (H+BEDV), EICAR_Test_File (FRISK), EICAR_Test (+356) (Grisoft), Eicar-Test-Signature (ClamAV), Eicar.Mod (Panda)
Description added : Jul 07 2003
Behavior : Virus
Technical details
EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program.
Why is this harmless file detected as a virus? The file was created in order to demonstrate to users the messages and procedures that anti-virus programs display when a real virus is detected.
Some time ago, researchers from several anti-virus companies were asked by users to develop a way to demonstrate what would happen in the event of a real virus attack: a sort of simulation showing which messages anti-virus programs display, which actions they recommend, etc.
After some time and thought on how best to satisfy the request, the anti-virus researchers decided to release a virus simulator: a harmless file that does nothing but display a message and then exit to DOS (the host OS). It was decided that this file should contain only ASCII characters so that users could type it or copy it from a User Guide. As a result, the COM file looks as follows:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Despite having only ASCII characters, this COM file is nonetheless a legitimate computer program that works under DOS or in a DOS window under Windows, OS/2 or any other OS that is able to run DOS programs. When executed, this COM file simply displays a text message and exits to DOS. The displayed message looks as follows:
EICAR-STANDARD-ANTIVIRUS-TEST-FILE!
It is as simple as that, though a lot of anti-virus programs detect it as a virus named EICAR-Test-File or something close to this.
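When the test file is used to check that a scanner or mail gateway is working, a copy that has been altered in transit may no longer be detected. The following is an added example, not part of the original description: a Python check that classifies a buffer against the 68-byte string above. The trailing-whitespace allowance and the 128-byte limit are assumptions taken from EICAR's published definition of the test file, not from this page, and the function and label names are hypothetical.

```python
"""Added example: classify a buffer against the EICAR test string."""

# The 68-byte test string exactly as shown on this page (raw literal keeps the backslash).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# The message the page says the program displays when run.
MESSAGE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"

# Assumptions (EICAR's published definition, not stated on this page):
# only these bytes may follow the string, and the whole file may not exceed 128 bytes.
TRAILING_OK = b" \t\r\n\x1a"
MAX_LEN = 128


def is_typeable(data: bytes) -> bool:
    """True if every byte is printable, non-space ASCII, i.e. can be typed by hand."""
    return all(0x21 <= b <= 0x7E for b in data)


def classify(data: bytes) -> str:
    """Return a hypothetical label describing how `data` relates to the test file."""
    if data == EICAR:
        return "exact"            # the canonical 68-byte file
    if data.startswith(EICAR):
        tail = data[len(EICAR):]
        if len(data) <= MAX_LEN and all(b in TRAILING_OK for b in tail):
            return "padded"       # e.g. an editor appended a newline
        return "prefix-only"      # string at offset 0, but followed by other data
    if EICAR in data:
        return "embedded"         # string present, but not at the start of the file
    return "no-match"


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = {
        "canonical": EICAR,
        "saved with CRLF": EICAR + b"\r\n",
        "junk appended": EICAR + b"junk",
        "inside a document": b"Subject: test\r\n\r\n" + EICAR,
        "truncated": EICAR[:-1],
    }
    for name, buf in samples.items():
        print(f"{name:18} -> {classify(buf)}")
```

A scanner that follows the definition strictly reports only the "exact" and "padded" cases, which is why a test copy pasted into the middle of a document or e-mail body may pass without an alert.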