
Obtaining a "Faux Virus"?


(PeteCresswell)

Nov 21, 2009, 10:21:32 AM
I want to test the behavior of my anti-virus program (Avast).

To that end, I'd like to get hold of something that looks like a
virus (contains a known signature?) but doesn't act like a virus
(no damage if I accidentally let it loose on my PC or server).

With something like that, I could provoke the anti-virus
program's alerts, take screen snaps of them for user education,
and so forth.

I could also see what happens when somebody ignores an alert on
their PC and tries to save an infected file to the server.

Anybody know of anything in this vein?

Or is there another way?
--
PeteCresswell

Beauregard T. Shagnasty

Nov 21, 2009, 12:03:58 PM
(PeteCresswell) wrote:

> I want to test the behavior of my anti-virus program (Avast).
>
> To that end, I'd like to get hold of something that looks like a
> virus (contains a known signature?) but doesn't act like a virus
> (no damage if I accidentally let it loose on my PC or server).

Google for: eicar test file

--
-bts
-Friends don't let friends drive Windows

FromTheRafters

Nov 21, 2009, 5:08:19 PM
"(PeteCresswell)" <x...@y.Invalid> wrote in message
news:f61gg5ltolqm6uo51...@4ax.com...

> I want to test the behavior of my anti-virus program (Avast).
>
> To that end, I'd like to get hold of something that looks like a
> virus (contains a known signature?) but doesn't act like a virus
> (no damage if I accidentally let it loose on my PC or server).

Paste this (without the parentheses), all by itself, in a text file
(using notepad).

(X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)

If your AV doesn't alert to it as a text file (some won't), rename it to
a com filetype.

> With something like that, I could provoke the anti-virus
> program's alerts, take screen snaps of them for user education,
> and so-forth.

That string was designed for exactly that purpose.

> I could also see what happens when somebody ignores an alert on
> their PC and tries to save an infected file to the server.

Yes, and most (if not all) AV programs will have the signature in their
database.

> Anybody know of anything in this vein?
>
> Or is there another way?

There *is* another way, but it is not as safe. The EICAR string is more
than a string, it is actually a small program with self-modifying code.

Dustin Cook

Nov 21, 2009, 11:56:44 PM
"FromTheRafters" <err...@nomail.afraid.org> wrote in news:he9ocl$h8a$1
@news.eternal-september.org:

Unless the EICAR file has been changed since it was originally released,
it's not self modifying code; it displays a message to the screen and
exits. It's slightly special codewise because its creator was sure to
use only printable ascii characters. *grin*.


--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk


Beauregard T. Shagnasty

Nov 22, 2009, 7:58:11 AM
ASCII wrote:

> FromTheRafters wrote:
>>There *is* another way,
>
> hXXp://tinyurl.com/ygckpgz

Why use tinyurl for such a short real URL?

hXXp://vx.netlux.org/vx.php?id=sr00

Aah. "vx" <g>

Ant

Nov 22, 2009, 10:18:49 AM
"Dustin Cook" wrote:

> "FromTheRafters" wrote:
>> The EICAR string is more than a string,
>> it is actually a small program with self-modifying code.
>
> Unless the EICAR file has been changed since it was originally released,
> it's not self modifying code; it displays a message to the screen and
> exits. It's slightly special codewise because its creator was sure to
> use only printable ascii characters. *grin*.

But in order to work it has to modify the last four characters (H+H*)
of the eicar string because the instructions 'int 20' and 'int 21' are
not printable ASCII. Here's the final part of the code where it occurs:

0114 2937    SUB [BX],SI    ; modify loc 0140
0116 43      INC BX
0117 43      INC BX
0118 2937    SUB [BX],SI    ; modify loc 0142
011A 7D24    JGE 0140       ; jumps to 0140
...
0140 CD21    INT 21         ; print message
0142 CD20    INT 20         ; exit
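
Added example, not Ant's code or anything else posted in the thread: a Python interpreter for just the dozen 8086 opcodes the EICAR .COM image uses. Running it shows the two SUB [BX],SI instructions above turning the printable trailer H+H* (48 2B 48 2A) into CD 21 / CD 20, and what the INT 21 then prints. It assumes the usual DOS .COM load: image at offset 0100h with a zero word on the stack.

```python
# Minimal 8086 interpreter covering only the opcodes in the EICAR program
# (added example; the EICAR string itself is the one quoted in the thread).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def run_eicar(program=EICAR):
    """Run the image as DOS loads a .COM file: code at 0x100, a zero word on
    the stack. Returns (text printed by INT 21h, word at 0x140, word at 0x142)."""
    mem = bytearray(0x10000)
    mem[0x100:0x100 + len(program)] = program
    ax = bx = dx = si = 0
    sp, ip, sf, of, out = 0xFFFE, 0x100, 0, 0, b""

    def rd16(a): return mem[a] | mem[a + 1] << 8
    def wr16(a, v): mem[a], mem[a + 1] = v & 0xFF, (v >> 8) & 0xFF

    while True:
        op, arg = mem[ip], mem[ip + 1]
        if op == 0x50:                                  # PUSH AX
            sp -= 2; wr16(sp, ax); ip += 1
        elif op in (0x58, 0x5A, 0x5B, 0x5E):            # POP AX / DX / BX / SI
            val = rd16(sp); sp += 2; ip += 1
            if op == 0x58: ax = val
            elif op == 0x5A: dx = val
            elif op == 0x5B: bx = val
            else: si = val
        elif op == 0x35: ax ^= rd16(ip + 1); ip += 3    # XOR AX,imm16
        elif op == 0x25: ax &= rd16(ip + 1); ip += 3    # AND AX,imm16
        elif op == 0x34: ax ^= arg; ip += 2             # XOR AL,imm8
        elif op == 0x43: bx = (bx + 1) & 0xFFFF; ip += 1  # INC BX
        elif op == 0x29 and arg == 0x37:                # SUB [BX],SI: rewrites code
            a = rd16(bx); r = (a - si) & 0xFFFF
            sf, of = r >> 15, ((a ^ si) & (a ^ r)) >> 15  # flags JGE looks at
            wr16(bx, r); ip += 2
        elif op == 0x7D:                                # JGE rel8, taken when SF == OF
            rel = arg - 0x100 if arg >= 0x80 else arg
            ip += 2 + (rel if sf == of else 0)
        elif op == 0xCD and arg == 0x21 and ax >> 8 == 0x09:  # DOS: print $-string at DX
            out += bytes(mem[dx:mem.index(0x24, dx)]); ip += 2
        elif op == 0xCD and arg == 0x20:                # DOS: terminate program
            return out.decode("ascii"), rd16(0x140), rd16(0x142)
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at {ip:#06x}")


if __name__ == "__main__":
    text, w140, w142 = run_eicar()
    print(text, hex(w140), hex(w142))   # words read back little-endian: CD 21, CD 20
```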


George Orwell

Nov 22, 2009, 5:59:14 AM

"ASCII" <m...@privacy.net> gobfarted:

> FromTheRafters wrote:
>>There *is* another way,
>
> http://turdyurl.com/ygckpgz

You utter fucking IDIOT!

People with less intelligence than you are few and far between!
Rosenthal is one of them! You should quote the loonie fuckwit
every day because it's the best chance you'll ever get to make
Usenet think you're only nine-tenths retarded, you SPASTIC!

The sender address of this message is not related to a real person but to
a fake address of an anonymous system. For more info: https://www.mixmaster.it

(PeteCresswell)

Nov 22, 2009, 4:26:37 PM
Per FromTheRafters:

>Paste this (without the parentheses), all by itself, in a text file
>(using notepad).
>
>(X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
>
>If your AV doesn't alert to it as a text file (some won't), rename it to
>a com filetype.

That seems to be doing the trick. Thanks.

FWIW, Avast's catching it and issuing notifications does not seem
to be that consistent - unless (not unlikely) I'm missing something.
--
PeteCresswell

FromTheRafters

Nov 22, 2009, 4:46:45 PM
"Dustin Cook" <bughunte...@gmail.com> wrote in message
news:Xns9CCAF3D9737...@69.16.185.247...

> "FromTheRafters" <err...@nomail.afraid.org> wrote in
> news:he9ocl$h8a$1@news.eternal-september.org:
>
>> There *is* another way, but it is not as safe. The EICAR string is more
>> than a string, it is actually a small program with self-modifying
>> code.
>
> Unless the EICAR file has been changed since it was originally released,
> it's not self modifying code; it displays a message to the screen and
> exits. It's slightly special codewise because its creator was sure to
> use only printable ascii characters. *grin*.

To the best of my knowledge, the only thing that has changed is in the
way that the scanners are supposed to detect it. It used to have to be
only the 68 (or 70 w/CRLF) bytes - they have since changed it to include
some amount of trailing whitespace for some reason.
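
Added example, not from the thread: a small Python checker for the detection rule described above, using the published EICAR specification (the file starts with the 68-byte test string, anything after it is whitespace only, and the whole file is at most 128 bytes), plus a few constructed sample files showing why a pasted copy can silently fall outside what a scanner is required to flag.

```python
# Classify a candidate EICAR test file against the eicar.org detection rule
# (added example; the test string is the one quoted in the thread).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_LEN = 128
# Trailing bytes the specification tolerates: space, tab, LF, CR, Ctrl-Z.
TRAILING = frozenset(b" \t\n\r\x1a")


def eicar_status(data: bytes) -> str:
    """Return 'valid', 'too-long', 'bad-trailer' or 'no-match'.
    A scanner is only required to flag files that come back 'valid'."""
    if not data.startswith(EICAR):
        return "no-match"        # pasted with the parentheses, line-wrapped, etc.
    if len(data) > MAX_LEN:
        return "too-long"
    if any(b not in TRAILING for b in data[len(EICAR):]):
        return "bad-trailer"
    return "valid"


def write_test_file(path: str, crlf: bool = True) -> int:
    """Write a conformant test file: 68 bytes, or 70 with the CRLF that
    Notepad appends (the two sizes mentioned in the thread). Returns bytes written."""
    data = EICAR + (b"\r\n" if crlf else b"")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


# Constructed inputs mirroring mistakes a user can make when following the
# "paste it into Notepad" instructions; none of these are real samples.
SAMPLES = {
    "bare":         EICAR,
    "notepad_crlf": EICAR + b"\r\n",
    "parentheses":  b"(" + EICAR + b")",
    "padded":       EICAR + b" " * 61,              # 129 bytes, over the cap
    "commented":    EICAR + b"\r\n; my test\r\n",   # non-whitespace trailer
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13s} {len(data):4d} bytes -> {eicar_status(data)}")
```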


FromTheRafters

Nov 22, 2009, 4:56:10 PM
"ASCII" <m...@privacy.net> wrote in message
news:4b08e2dd.2041906@EBCDIC...

> FromTheRafters wrote:
>>There *is* another way,
>
> http://tinyurl.com/ygckpgz

...and wasn't it Vecna that made a generator for creating FP detections?

(what a hoot)

Do AV programs "retire" old definitions for long-ago patched exploit-based
malware? I wouldn't expect them to, so having one land on your hard drive
as a file (or embedded in an e-mail to test your (yuck) e-mail scanner)
should pose no real risk, and yet actually test the AV to some extent.


FromTheRafters

Nov 22, 2009, 5:04:25 PM
"(PeteCresswell)" <x...@y.Invalid> wrote in message
news:l2bjg5tmjs1rrkdv3...@4ax.com...

I don't know what inconsistencies you are experiencing, but the EICAR
detection is very specific - it cannot (should not) be detected outside of
the specifications (see the eicar.com website).

I'm not too sure (haven't tried it) but it may be possible to save it as
an exe so that the OS's file browser causes an alert when it is accessed
for icon information (when you enter the directory it is in, or
otherwise attempt to display the icon). On your desktop, as a com file,
the detection may be different than it is on your desktop as an
exe file - one would alert without the user clicking anything.

...but like I said, I haven't tried this.


FromTheRafters

Nov 22, 2009, 5:10:59 PM
"George Orwell" <nob...@mixmaster.it> wrote in message
news:f593803858c5d16d...@mixmaster.it...

>
> "ASCII" <m...@privacy.net> gobfarted:
>> FromTheRafters wrote:
>>>There *is* another way,
>>
>> http://turdyurl.com/ygckpgz
>
> You utter fucking IDIOT!
>
> People with less intelligence than you are few and far between!
> Rosenthal is one of them! You should quote the loonie fuckwit
> every day because it's the best chance you'll ever get to make
> Usenet think you're only nine-tenths retarded, you SPASTIC!

I'm replying to you because I haven't (yet) filtered out the
anon-remailers or whatever they call them.

Myself, I would not have any problem with VX websites. I would *not*
however recommend them to others. Part of what ASCII snipped was my "but
it is not as safe" statement.


George Orwell

Nov 23, 2009, 5:19:31 AM

"Toxic" <staring@my_soft_dick> gobfarted:
>
> Yo "ASSKEY"
> eal chortle how all your detractors feel the need to hide,
> says loads about their validity, but then those down under 'has beens',
> if they ever were, don't start with much credibility from the get go.
> And yes, I've heard of Doren Rosenthal, much more there than any of the
> jealous nymshits that can't code their way out of a used sanitary nappy.

yet another projectile vomit of puerile gobshite from a discarded
condom hatchling hiding behind the nym it pretends is not a nym.

ooze away and die, spermbreath.


Anonymous

Nov 24, 2009, 2:33:55 AM

"Toxic" <staring@my_hd.tv> ecrit:
> On Sun, 22 Nov 2009 12:14:30 +0100, Anonymous gobfarted:
>
> Yo "A"
> eal chortle how all your detractors feel the need to hide,
> says loads about their validity, but then those down under 'has beens',
> if they ever were, don't start with much credibility from the get go.
> And yes, I've heard of Doren Rosenthal, much more there than any of the
> jealous nymshits that can't code their way out of a used sanitary nappy.

BWAAAHAAHHAAAAHHAAAAAHHAAAAAA!!!!!!!!

Toxic Thrush Boy wants to play with the big kids again!

Did your ever tell your felch pal ASCII why your foreskin
always smells like sardines?

Dickhead!

