Wednesday, July 18, 2007

INFORMATION ON VIRUSES

1. How to create a sample virus test file?

This particular code is taken from www.eicar.org. It is the standard antivirus test file: it is meant to be detected as a virus BUT it has no effect whatsoever on your computer.

STEP 1
Type the code below, exactly as written, on a single line: X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

STEP 2
Save it as eicar.com.txt using Notepad.

STEP 3
Rename this file to eicar.com, and your antivirus will detect it as a virus.

2. How to test this code HEURISTICALLY?

You can change parts of the code as shown below:

Smith1.txt
X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
(Changed STANDARD to STANDING)

Smith2.txt
X5O!P%@AP[4PZX54(P^)7CC)7}$EICON-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(Changed EICAR to EICON)

Smith3.txt
X5O!P%@AP[4PZX54(P^)7CC)7}$EICON-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
(Changed EICAR to EICON, and STANDARD to STANDING)

Smith4.txt
X5O!P%@AP[4PZX54(P^)7CC)7}$BALLZ-STINDORK-ANTISACKS-TEST-FORK!$H+H*
(Replaced the label with random words)

Smith5.txt
X5O!P%@AP[4PZX54(P^)7CC)7}$!$H+H*
(Removed the text string completely)

Smith6.txt
X5O!P%@AP[42233PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(Inserted additional digits into the code string)

Smith7.txt
X5O!P%@AP[42233PZX54(P^)7CC)7}$RAIC-TARNDARD-ILIKESMOKE-TUST-FULE!$H+H*
(Inserted random letters into the label, with additional digits inserted into the code string)

Smith8.txt
X5O22!P%@AP[4PZX5422(P^)7CC)7}$!$H+H*
(Removed the text string and inserted 22 twice into what remains, to break up the signature)

Command AV 4.90.4 Results:
Started scan: 6/14/2004 4:33:03 PM

C:\Downloads\SmithTest\Smith1.txt Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith2.txt Infection: EICAR_Test_File (exact)
C:\Downloads\SmithTest\Smith3.txt Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith4.txt Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith5.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith6.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith7.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith8.txt Infection: New or modified variant of Trivial

3. How does antivirus work?

Antivirus scans all files (executable and non-executable files) looking for a pattern or virus signature. If the pattern is found, the file will be cleaned. The pattern is in HEX form, e.g. EA779078... (I just made this one up as an example).

Actual examples of hex codes, sometimes known as footprint codes, are listed below (NOTE: 0x means the number is in HEX format, so 0x57 means 57 in hex):
(1) Stoned virus [stoned]
    0x00 0x53 0x41 0x52 0x06 0x56 0x57 0xbe
(2) Ping Pong virus - version B [Ping]
    0xa1 0xf5 0x81 0xa3 0xf5 0x7d 0x8b 0x36 0xf9 0x81
(3) Friday 13th virus [Fri13]
    0xb4 0x4f 0xcd 0x21 0x73 0xf7 0x58

Actually, a binary file (executable) or a document (e.g. an MS Word document) can be read easily by opening the file with the flag 'rb' (read binary). You can then see the content in HEX. You could try a small project that simulates the output of Ethereal. If you read an MS Word document you can see it in ASCII or HEX, but if the file has been secured with a PASSWORD, then you cannot see anything intelligible.
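To make sections 2 and 3 concrete, here is a small scanner written as an added example for this post; it is not code from the post's author, from eicar.org or from Command AV. It opens a file with 'rb' exactly as described above, searches the bytes for the three footprint signatures listed in section 3 and for the EICAR string, and applies a deliberately simplified "variant" heuristic of this example's own (an unchanged EICAR head and tail around an edited label) that is an assumption for illustration only, not how any real engine decides. It also includes a hexdump helper that renders raw bytes the way a hex viewer or Ethereal would. The names scan_bytes, scan_file and hexdump and the constructed sample buffers are all this example's own.

```python
"""Toy signature scanner: an added example, not code from the post,
from eicar.org or from Command AV.

It mirrors the post's description of an antivirus engine: open the file
in binary mode ('rb'), search the bytes for known patterns, and fall
back to a heuristic when an exact signature has been altered.
"""

# Official EICAR test string (68 bytes). By the EICAR specification a file
# counts as the test file only if it starts with these bytes, is at most
# 128 bytes long, and anything after the string is only whitespace.
EICAR = b"X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_PREFIX = EICAR[:27]   # b"X5O!P%@AP[4PZX54(P^)7CC)7}$"
EICAR_SUFFIX = EICAR[-6:]   # b"!$H+H*"

# The three hex "footprints" listed in the post, as raw bytes.
SIGNATURES = {
    "Stoned": bytes([0x00, 0x53, 0x41, 0x52, 0x06, 0x56, 0x57, 0xBE]),
    "Ping Pong B": bytes([0xA1, 0xF5, 0x81, 0xA3, 0xF5, 0x7D, 0x8B, 0x36, 0xF9, 0x81]),
    "Friday 13th": bytes([0xB4, 0x4F, 0xCD, 0x21, 0x73, 0xF7, 0x58]),
}


def scan_bytes(data: bytes) -> list[str]:
    """Return a detection name for every pattern found in the file contents."""
    hits = []
    body = data.rstrip(b" \t\r\n")   # trailing whitespace is allowed by the EICAR spec

    if body == EICAR and len(data) <= 128:
        # Exact match on the official test string at the start of the file.
        hits.append("EICAR_Test_File (exact)")
    elif (body.startswith(EICAR_PREFIX) and body.endswith(EICAR_SUFFIX)
          and len(body) > len(EICAR_PREFIX) + len(EICAR_SUFFIX)):
        # ASSUMPTION (this example's own rule, not any vendor's): the fixed
        # head and tail of the string survived and only the label between
        # them was edited, as in the post's Smith1..Smith4 files.
        hits.append("EICAR_Test_File (variant)")
    elif body.startswith(EICAR_PREFIX) or body.endswith(EICAR_SUFFIX):
        # Only one anchor is left (label removed, or digits pushed into the
        # head, as in Smith5..Smith8): a weaker verdict.
        hits.append("EICAR_Test_File (fragment)")

    # Plain substring search for each footprint, anywhere in the file;
    # this is the "pattern or virus signature" lookup the post describes.
    for name, sig in SIGNATURES.items():
        if sig in data:
            hits.append(name)
    return hits


def scan_file(path: str) -> list[str]:
    """Open a file with 'rb' (read binary), as the post says, and scan it."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Render bytes as offset / hex / ASCII lines, like a hex viewer or Ethereal."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        text_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  |{text_part}|")
    return lines


if __name__ == "__main__":
    # Constructed samples: the post's Smith1 and Smith5 edits, a clean file,
    # and a buffer with the Stoned footprint buried in padding.
    samples = {
        "Smith1.txt": b"X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*",
        "Smith5.txt": b"X5O!P%@AP[4PZX54(P^)7CC)7}$!$H+H*",
        "clean.txt": b"just some text\r\n",
        "stoned_like.bin": b"\x90" * 10 + SIGNATURES["Stoned"] + b"\x90" * 6,
    }
    for name, data in samples.items():
        print(f"{name}: {scan_bytes(data) or 'clean'}")
    print("\n".join(hexdump(EICAR)))
```

Run on the post's own Smith files, the toy rule reports Smith1 to Smith4 as variants (head and tail intact, only the label edited) and gives Smith5 to Smith8 the weaker "fragment" verdict because an anchor was removed or had digits inserted into it. That happens to be the same split the Command AV output above shows between "EICAR_Test_File.unknown?" and "New or modified variant of Trivial", but the real engine's logic is not public and this rule should not be read as a description of it.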

You can also see the content of a file easily by downloading free software called FileAnalyzer; it is very easy to use and I recommend that you try it.