Where's the fun in that?? 8-)
Actually, it doesn't.

I mean, I take your word for it that, in your testing, VirusScan
detected "Elspy.worm" as a result of running that .CMD file (my own
tests with a console version of VirusScan against the "testfile"
resulting from the following reported "Found the Elspy.worm virus !!!",
so I'm happy to accept the on-access scanner will do something
similar), but VirusScan is NOT detecting this in 'the "industry
standard" EICAR test file'.
*>testfile
You mention "CMD" so I'm assuming the versions(s) of Windows you tested
this on were NT-based rather than Win16 or Win9x.
(YMMV).

As I already said, I'll take your word for this detection, BUT your
claim is outright wrong.

Did you actually look at the "testfile" created by your na=EFve .CMD
file?

The first thing I noticed was that it was the wrong size. I expected
it would be 69 bytes (more on why in a moment), but in fact it was even
shorter at 68 bytes.

68 bytes is the length of the bare test string. The official EICAR
specification for the test file:

http://www.eicar.org/anti_virus_test_file.htm

says that the file MUST start with the 68-byte string we see in your
.CMD file and that it "may be optionally appended by any combination of
whitespace characters with the total file length not exceeding 128
characters. The only whitespace characters allowed are the space
character, tab, LF, CR, CTRL-Z."

As the ECHO command necessarily emits a CRLF line-break, had your .CMD
file worked as expected, one would have seen "testfile" at 70 bytes
(the 68 of the EICAR test string, plus the two from ECHO's CRLF).

I said I was, however, expecting it to be 69 bytes. Why?

Well, you did not escape the "%" character (the sixth in the EICAR test
string), and _within .BAT and .CMD file_ these have special meaning,
such that they are stripped unless protected by escaping ("%%"), and
possibly in some instances with quoting.

In actuality though, "testfile" ends up being 68 bytes. A quick look
at "testfile" shows that the caret ("^"; the 20th character in the
EICAR test string) has also been dropped, reminding me that it is also
a special character (even at the bare commandline this time) and must
also be escaped/quoted if intended to be treated as a literal.
If this makes him/her look any more of a clueless idiot than it makes
you look, then I guess, as they say, your organization has bigger
problems...
Now, I'm not entirely disagreeing that it is strange that VirusScan
detects this weirdly mutant, "non-EICAR test file", but it certainly is
NOT mis-identifying 'the "industry standard" EICAR test file'.

As for your lameness in missing that the file you were generating was
NOT the file you were trying to generate -- I'll leave that up to
others to decide...
Pity -- you might have saved yourself the embarrassment of this public
disclosure of your lameness.
They must be sooooo proud of you...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/