dELTA
December 10th, 2003, 12:03
All large antivirus products have agreed to detect a sample "virus" called EICAR (http://www.eicar.org/anti_virus_test_file.htm), and respond to it as if it was a real virus. This is so that people can test certain functionality without the risk of playing around with live viruses.
Anyway, the implementation of this "virus" is pretty cool, as it consists only of printable characters (to be easily copy/pasted, emailed and such) but it is still perfectly valid executable code.
Here it is in text format:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
When you save this string into a file and give it a .com extension (e.g. "eicar.com"), it will constitute an executable program which will print "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" on the screen and exit when you run it.
I disassembled it just for fun, and it goes like this:
Code:
seg000:0100 public start
seg000:0100 start proc near
seg000:0100 pop ax
seg000:0101 xor ax, 214Fh
seg000:0104 push ax
seg000:0105 and ax, 4140h
seg000:0108 push ax
seg000:0109 pop bx
seg000:010A xor al, 5Ch
seg000:010C push ax
seg000:010D pop dx
seg000:010E pop ax
seg000:010F xor ax, 2834h
seg000:0112 push ax
seg000:0113 pop si
seg000:0114 sub [bx], si
seg000:0116 inc bx
seg000:0117 inc bx
seg000:0118 sub [bx], si
seg000:011A jge some_jump
seg000:011A ; ----------------------------------------------------------
seg000:011C aEicarStandardA db 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!'
seg000:013F db 24h ; $ (DOS string terminator)
seg000:0140 ; ----------------------------------------------------------
seg000:0140
seg000:0140 some_jump: ; CODE XREF: start+1Aj
seg000:0140 dec ax
seg000:0141 sub cx, [bx+si+2Ah]
seg000:0141 start endp
What caught my interest is that I'm not quite sure how this program can print anything on the screen.
Since I'm not very familiar with the initial register values of DOS .com files, I cannot really "trace it in my head", but one thing I can see is that except for two instructions (114 and 118) it only modifies registers and values on the stack, and this should not be able to print out anything on the screen in DOS as far as I know.
My guess is that the instructions at 114 and 118 are some kind of self-modifying code, which produces the correct interrupt instructions at some other point in the code, or that they are writing to some magic operating system addresses, which in turn produces the output of the text, but I'm not sure.
So, are there any old DOS wizards around who'd care to shed some light on it and satisfy my curiosity?

dELTA
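Editor's note: the two sub [bx],si instructions are the self-modifying part, and the added example below (not from the original post) shows it by emulating just the handful of 8086 opcodes EICAR uses, step by step, over the bytes of the string. It assumes the standard DOS .COM conventions: the image is loaded at CS:0100h and DOS leaves a 0000h word on the initial stack at SP=FFFEh.

```python
# Minimal 8086 emulator covering only the opcodes EICAR uses (added example,
# not from the original post). Assumes DOS .COM conventions: image at 0100h,
# SP=FFFEh with a 0000h word already on the stack.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
REGS = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]  # 8086 register encoding order

def run_eicar(image=EICAR):
    """Execute the .COM image; return (text printed, interrupts raised, bytes at 0140h)."""
    mem = bytearray(0x10000)
    mem[0x100:0x100 + len(image)] = image.encode("ascii")
    r = dict.fromkeys(REGS, 0)
    r["sp"] = 0xFFFE                      # word at FFFEh is 0000h (mem is zeroed)
    ip, sf, of, out, ints = 0x100, 0, 0, "", []

    def rd16(a): return mem[a] | (mem[a + 1] << 8)
    def wr16(a, v): mem[a], mem[a + 1] = v & 0xFF, (v >> 8) & 0xFF
    def push(v): r["sp"] = (r["sp"] - 2) & 0xFFFF; wr16(r["sp"], v)
    def pop():
        v = rd16(r["sp"]); r["sp"] = (r["sp"] + 2) & 0xFFFF; return v

    while True:
        op = mem[ip]
        if 0x50 <= op <= 0x57: push(r[REGS[op - 0x50]]); ip += 1          # push reg
        elif 0x58 <= op <= 0x5F: r[REGS[op - 0x58]] = pop(); ip += 1       # pop reg
        elif 0x40 <= op <= 0x47:                                           # inc reg
            r[REGS[op - 0x40]] = (r[REGS[op - 0x40]] + 1) & 0xFFFF; ip += 1
        elif op == 0x35: r["ax"] ^= rd16(ip + 1); ip += 3                  # xor ax, imm16
        elif op == 0x25: r["ax"] &= rd16(ip + 1); ip += 3                  # and ax, imm16
        elif op == 0x34: r["ax"] ^= mem[ip + 1]; ip += 2                   # xor al, imm8
        elif op == 0x29 and mem[ip + 1] == 0x37:                           # sub [bx], si
            a, b = rd16(r["bx"]), r["si"]
            res = (a - b) & 0xFFFF
            sf = res >> 15                                                 # sign flag
            of = (((a ^ b) & (a ^ res)) >> 15) & 1                         # overflow flag
            wr16(r["bx"], res); ip += 2                                    # patches code bytes
        elif op == 0x7D:                                                   # jge rel8
            rel = mem[ip + 1]; rel = rel - 256 if rel > 127 else rel
            ip = ip + 2 + rel if sf == of else ip + 2
        elif op == 0xCD:                                                   # int imm8
            n = mem[ip + 1]; ints.append(n); ip += 2
            if n == 0x21 and (r["ax"] >> 8) == 0x09:   # DOS fn 09h: print '$'-terminated string at DS:DX
                out += mem[r["dx"]:mem.index(b"$", r["dx"])].decode("ascii")
            elif n == 0x20:                            # DOS: terminate program
                return out, ints, bytes(mem[0x140:0x144])
            else: raise ValueError(f"unexpected int {n:02X}h")
        else: raise ValueError(f"unsupported opcode {op:02X}h at {ip:04X}h")
```

Running it shows ah=09h and dx=011Ch set up by the xor/and arithmetic, and the bytes 'H+H*' at 0140h turned into CD 21 CD 20 (int 21h; int 20h) by the two sub [bx],si; the dec ax / sub cx,[bx+si+2Ah] IDA shows at 0140h is merely the static decoding of those bytes before they are patched.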