Virus Database

EICAR-Test-File

Description EICAR-Test-File
EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program.
Why is this harmless file detected as a virus? The file was created in order to demonstrate to users the messages and procedures that anti-virus programs display when a real virus is detected.
Some time ago researchers from several anti-virus companies were asked by users to develop a way to demonstrate what would happen in case of a real virus attack; a sort of simulation of which messages anti-virus programs will display and what actions will be recommended to perform, e.t.c.
After some time and thought toward how to best satisfy the request, the anti-virus researchers decided to release some virus-simulators that would be some harmless file that does nothing but display a message(s) and then exits to DOS (host OS). It was decided that this file could contain only ASCII characters so that users could type it or copy it from a User Guide. As a result the COM file looks as follows:
X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Despite having only ASCII characters, this COM file is nonetheless a legitime computer program that does work under DOS or in a DOS window under Windows, OS/2 or any other OS that is able to run DOS programs. When run or executed this COM-file simply displays a text message and exits to DOS. The displayed message looks as follows:
EICAR-STANDARD-ANTIVIRUS-TEST-FILE!

It is as simple as that, though a lot of anti-virus programs detect it as a virus named EICAR-Test-File or something close to this.
Kaspersky Anti-Virus software detects this file only if the file name EICAR.AVC is listed in the AVP.SET file. At user request, the EICAR.AVC file has been removed from the main Kaspersky Anti-Virus database.

Check other viruses! Be aware! Use Antiviral Software

Foo.956

Description Foo.956

It is not a dangerous nonmemory resident encrypted parasitic virus. It searches for COM files in current and in parent directories, then in C:WINDOWS directory and infects not more than three files found. While infecting the virus writes itself to the end of the file. The virus pays attention to the internal self-checking Windows32 ability and fix the necessary date ("ENUNS" field at the end of Windows COM files) while infecting them.
The virus uses anti-debugging tricks. On 29th of any month it displays the message and halts the computer:
--FOO VIRUS--
WE'RE ALL STARS NOW, IN THE DOPESHOW
MADE IN THE UK, WE EXIST..

Forever.912

Description Forever.912

It is not a dangerous memory resident parasitic virus. It traces and hooks INT 21h and writes itself to the end of EXE files that are executed. The virus contains the text string:
No WINDOWS, MS-DOS foreverall

Home