GeoApps Eicar Test Page


Friday, March 01, 2002

Click [eicarsimple.htm] for a Windows95/98/Me version of http://security.greymagic.com/adv/gm001-ie/
Click [eicar98.htm] for a Windows95/98/Me/NT/2000 version of http://www.liquidwd.freeserve.co.uk

Friday, March 15, 2002

McAfee VirusScan 4190 detects the GreyMagic item as Exploit-Codebase. http://vil.nai.com/vil/content/v_99383.htm
Virus Characteristics
This is a generic detection of malware which tries to exploit a Microsoft Internet Explorer data binding vulnerability, which was discovered February 25, 2002. This exploit could result in an executable file being run without the user's permission or knowledge, when visiting a web page or viewing an HTML email message. This affects Internet Explorer 4.x and higher, Microsoft Outlook, and Microsoft Outlook Express. At the time this description was created, a patch was not yet available from Microsoft.

Tuesday, February 26, 2002


NOTE: THIS MAY NOT ACTUALLY BE A SERIOUS PROBLEM
Further extensive testing is being undertaken to determine if "nasties" can be executed in this way or if this is just an example of a false positive. Stay tuned here ... as of Friday, March 01, 2002, still haven't heard back from the people at NTBugTraq who were investigating this further.
 
I _think_ this is what is going on:
  1. browser reads HTML from website
  2. browser interprets HTML
  3. browser writes HTML to cache
  4. virus scanner catches "infection" during file-write
If this is the case, there is nothing unusual going on, and if the "eicar" test were in fact an executable virus/trojan, it would probably have been caught during its writing of nasty stuff.
 

Monday, February 25, 2002 updated Friday, March 1, 2002


There are five identical files linked-to from this page. All contain the EICAR test "virus" as the first line and then a simple HTML page for the rest. The first one is linked-to as an HTM file, the second as a JPG file. Most browsers will just display the text that precedes the first <html> tag as plain text. The local files are on an IIS4 server running on WinNT4, and two of the files are on a remote server running Apache/OpenBSD. I did this so I could "sniff" the traffic and see if the HTTP headers were actually different for the different file names. They are: the HTTP server tells the browser what kind of file is being sent based on the file extension, even on Apache running on Unix.
 
There are reports that IE6 will open eicartest.jpg as an html file. This may have been patched in one of the recent cumulative patches for IE: MS01-055.asp or MS02-005.asp, but there are still reports it isn't fixed.
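
The header check described above can be reproduced locally. This is an added example, not code from the original page: it serves the same bytes under an .htm and a .jpg name and reports the Content-Type the server picks, plus whether the body is HTML despite a non-HTML label. The file names, the placeholder first line (used instead of the EICAR string) and the `looks_like_html` heuristic are assumptions, and Python's built-in `http.server` stands in for IIS and Apache.

```python
import http.client
import http.server
import tempfile
import threading
from functools import partial
from pathlib import Path

# Constructed sample: a harmless placeholder line followed by a simple HTML page,
# mirroring the layout of the test files (the real EICAR string is not used).
SAMPLE = b"PLACEHOLDER-TEST-LINE\r\n<html><body><p>test page</p></body></html>\r\n"
NAMES = ("sample.htm", "sample.jpg")  # hypothetical file names


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging
        pass


def looks_like_html(body: bytes) -> bool:
    """Crude stand-in for content sniffing: an <html> tag near the start."""
    return b"<html" in body[:512].lower()


def probe() -> dict:
    """Serve identical bytes under each name; return {name: (content_type, mismatch)}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name in NAMES:
            Path(root, name).write_bytes(SAMPLE)
        handler = partial(QuietHandler, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            for name in NAMES:
                conn = http.client.HTTPConnection(*server.server_address, timeout=5)
                conn.request("GET", "/" + name)
                resp = conn.getresponse()
                ctype, body = resp.headers.get_content_type(), resp.read()
                conn.close()
                # Mismatch: the header says "not HTML" but the bytes are HTML.
                results[name] = (ctype, ctype != "text/html" and looks_like_html(body))
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, (ctype, mismatch) in probe().items():
        print(f"{name}: Content-Type={ctype} label/content mismatch={mismatch}")
```

A client that trusts the header renders the .jpg response as a broken image; one that sniffs the body would treat it as HTML, which is the behaviour the IE6 reports describe.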
 
Please report back ANY browsers which will open eicartest.jpg as an HTML file to angussf@geoapps.com. Please also report back what real-time virus-scanner, if any, you are using.
