
EICAR-Test-File

Detected Nov 08 2005 06:05 GMT
Released Jul 23 2009 12:14 GMT
Published Jul 07 2003 10:36 GMT

Technical Details

EICAR is a short 68-byte COM file that is detected by anti-virus programs as a virus, but is actually NOT "VIRAL" at all. When executed it just displays a message and returns control to the host program.

Why is this harmless file detected as a virus? The file was created in order to demonstrate to users the messages and procedures that anti-virus programs display when a real virus is detected.

Some time ago researchers from several anti-virus companies were asked by users to develop a way to demonstrate what would happen in case of a real virus attack: a sort of simulation showing which messages anti-virus programs will display, what actions will be recommended, etc.

After some time and thought about how best to satisfy the request, the anti-virus researchers decided to release a virus simulator: a harmless file that does nothing but display a message and then exit to DOS (the host OS). It was decided that this file would contain only ASCII characters so that users could type it or copy it from a User Guide. As a result the COM file looks as follows:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Despite having only ASCII characters, this COM file is nonetheless a legitimate computer program that works under DOS or in a DOS window under Windows, OS/2 or any other OS that is able to run DOS programs. When executed, this COM file simply displays a text message and exits to DOS. The displayed message looks as follows:

 EICAR-STANDARD-ANTIVIRUS-TEST-FILE!

It is as simple as that, though a lot of anti-virus programs detect it as a virus named EICAR-Test-File or something close to this.
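Because the file is meant to be typed or copied by hand, a scanner that stays silent may simply have been given a damaged copy. The following check is an added example, not part of the original description: it confirms the 68-byte, ASCII-only properties stated above and classifies a candidate file before the scanner is blamed. The function names are hypothetical, and the trailing-whitespace and 128-byte rules are taken from EICAR's usage notes rather than from this page.

```python
# Test string exactly as printed above (raw literal: it contains a backslash).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption (EICAR's usage notes, not this page): the 68 bytes may be followed
# only by these whitespace bytes, and the whole file may not exceed 128 bytes.
ALLOWED_TRAILER = b" \t\r\n\x1a"
MAX_LEN = 128


def is_typeable(data: bytes) -> bool:
    """True if every byte is printable ASCII, i.e. can be typed from a manual."""
    return all(0x20 <= b <= 0x7E for b in data)


def classify(data: bytes) -> str:
    """Classify file contents as 'exact', 'padded', 'embedded' or 'absent'."""
    if data == EICAR:
        return "exact"
    trailer = data[len(EICAR):]
    if (data.startswith(EICAR) and len(data) <= MAX_LEN
            and all(b in ALLOWED_TRAILER for b in trailer)):
        return "padded"      # e.g. an editor appended a newline; still a valid test file
    if EICAR in data:
        return "embedded"    # string present but not at offset 0; scanners may ignore it
    return "absent"          # damaged in transcription; no detection is expected


# Constructed samples of common copy/paste outcomes.
SAMPLES = {
    "typed exactly": EICAR,
    "editor added CRLF": EICAR + b"\r\n",
    "saved with UTF-8 BOM": b"\xef\xbb\xbf" + EICAR,
    "backslash lost": EICAR.replace(b"\\", b""),
    "pasted into a report": b"Test string: " + EICAR + b"\n",
}

if __name__ == "__main__":
    print(f"length={len(EICAR)} typeable={is_typeable(EICAR)}")
    for label, blob in SAMPLES.items():
        print(f"{label:22} -> {classify(blob)}")
```

Only the "exact" and "padded" results describe a file that a scanner is expected to flag; the other two point to a problem with the test file itself.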


Aliases

EICAR-Test-File (Kaspersky Lab) is also known as:

  • Trojan: Generic Flooder!a (McAfee)
  • Test: EICAR test file (McAfee)
  • EICAR-AV-Test (Sophos)
  • Eicar-Test-Signature (ClamAV)
  • EICAR-AV-TEST-FILE (Panda)
  • Eicar_test_file (FPROT)
  • Virus:DOS/EICAR_Test_File (MS(OneCare))
  • EICAR Test File (NOT a Virus!) (DrWeb)
  • Eicar test file (Nod32)
  • EICAR-Test-File (not a virus) (BitDef7)
  • Eicar_test_file (VirusBuster)
  • EICAR Test-NOT virus!!! (AVAST)
  • EICAR-Test-File (Ikarus)
  • EICAR-ANTIVIRUS-TESTFILE (Ikarus)
  • EICAR_Test (AVG)
  • eicar.com <<< Eicar-Test-Signature (AVIRA)
  • Eicar-Test-Signature (AVIRA)
  • EICAR Test String (NAV)
  • EICAR_Test_file_not_a_virus! (Norman)
  • Eicar_test_file (PCCIL)
  • EICAR-Test-File (Rising)
  • EICAR-Test-File [AVP] (FSecure)
  • Eicar_test_file (TrendMicro)
  • Trojan.Win32.Generic!BT (Sunbelt)
  • EICAR (v) (Sunbelt)
  • Eicar_test_file (VirusBusterBeta)