sk3tch
Hi guys,

Long time, no post!

Anyway - I'm trying to convert the eicar.com file (available at http://www.eicar.org/anti_virus_test_file.htm) to a true Win32 executable so I can then pack it with Molebox, FSG, Morphine, etc etc so I can test AV software.

I'm sure there is an easy solution to this but I'm not aware of it - any help would be appreciated! I'd prefer that it is a "clean" file - i.e. just eicar.com converted to exe. I've already tried putting eicar.com into a self-extracting zip and a self-extracting rar - both seem to cause issues when I try to further pack them (I've tried PECompact, Molebox so far).

THANKS!!!!
sk3tch
Or maybe I'm being a n00b and what I'm asking isn't really possible...if so - do you guys know of a way to package the eicar.com test file in a "standard" way. What I need is a base file that is compatible with all of the packers/crypters, and it needs to be the same across the board so the test is fair. The base file (before being packed/crypted/etc) also needs to be detected as eicar by AV, otherwise it would be too many changes to eicar.com.

So it'd look like this:

eicar.com --> eicar.com packaged in exe --> eicar.com packaged in exe + packed with xx

The test is to see which AV products detect which packers/crypters.
sk3tch
Bump...anybody?

Perhaps I'll just have to figure out how to get the self-extracting zip and/or self-extracting rar to work...
sk3tch
OK to continue my theme of talking to myself...

I figured it out. Created a zip of the eicar.com file with WinZip 9.0 SR-1 (latest one available from winzip.com), using no compression. Then I used the WinZip Self-Extractor Personal Edition that was included with WinZip 9.0 SR-1 to make an exe of the zip. Ran the resulting file through Jotti's virus scan and it was detected by most AV as eicar still. From there I'm packing and so far so good (PEcompact and MEW tested so far).

I guess the problem may have been I was using WinRAR for the previous zip files...even with the lowest compression it actually does compress a bit so the packers bark that it has already been compressed.

So..thanks for listening and maybe I helped someone with my n00b-ish thread. heh.
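
Added example, not part of the original post: a check that a stored (uncompressed) ZIP member keeps the file's bytes verbatim in the archive while a deflated one does not. That is the difference described above between the archive that was still detected and could be packed and the ones that were already compressed. It uses Python's `zipfile` rather than WinZip or WinRAR, and the marker, member name and function names are constructed for illustration.

```python
import io
import zipfile

# Constructed stand-in for the test file's contents; NOT the real EICAR string,
# so running this does not trip an on-access scanner.
MARKER = b"CONSTRUCTED-AV-TEST-MARKER-NOT-THE-REAL-EICAR-STRING\r\n"
PAYLOAD = MARKER * 4  # repetition gives the compressor something to work with


def build_zip(payload: bytes, method: int, name: str = "testfile.com") -> bytes:
    """Return an in-memory ZIP holding one member written with `method`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def inspect_member(archive: bytes, payload: bytes) -> dict:
    """Report how the single member was written and whether the payload
    bytes are still present verbatim in the raw archive."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        info = zf.infolist()[0]
        return {
            "method": info.compress_type,          # 0 = stored, 8 = deflated
            "file_size": info.file_size,
            "compress_size": info.compress_size,
            "verbatim_in_archive": payload in archive,
            "round_trip_ok": zf.read(info) == payload,
        }


def compare(payload: bytes = PAYLOAD) -> dict:
    """Build the same member both ways and inspect each archive."""
    return {
        "stored": inspect_member(build_zip(payload, zipfile.ZIP_STORED), payload),
        "deflated": inspect_member(build_zip(payload, zipfile.ZIP_DEFLATED), payload),
    }


if __name__ == "__main__":
    for label, report in compare().items():
        print(label, report)
```

Running the same check on a real base file before packing confirms that the unpacked baseline is a fair, uncompressed starting point for every packer in the comparison.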
saetji
Happy to be of assistance. Do let us know if we can help in any other way.