ET DELETED EICAR test file with MZ header double-stacking AV evasion technique
Source: et/open
Created: March 28, 2011
Updated: July 26, 2019
Classification: bad-unknown
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EICAR test file with MZ header double-stacking AV evasion technique"; flow:established,from_server; content:"|24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49|"; fast_pattern; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode"; reference:url,isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2012591; rev:5; metadata:created_at 2011_03_28, signature_severity Unknown, updated_at 2019_07_26;)
References
isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612
www.eicar.org/anti_virus_test_file.htm
Metadata
created at: 2011_03_28
signature severity: Unknown
updated at: 2019_07_26