Question

#include<stdio.h>
#include<conio.h>
union abc
{
    int a;
    int x;
    float g;
};
struct pqr
{
    int a;
    int x;
    float g;

} ;

void main()
{
    union abc b;
    struct pqr c;
    clrscr();
    b.a=10;
    textbackground(2);
    textcolor(6);
    cprintf(" A = %d",b.a);
    printf("\nUnion = %d",sizeof(b));
    printf("\nStructure = %d",sizeof(c));
    getch();
}

I have saved this program as virus.cpp. I am using the Turbo C compiler to compile this program and run it from Turbo C (Ctrl + F9).

I am using Windows 7 and I have installed the Avira AntiVir virus system.

When I tried to run the above program, it created a worm (DOS/Candy). I believe there is nothing wrong in the program.


Now here is something special. Execute the same program with the following difference. Here the only difference is a space after \n:

#include<stdio.h>
#include<conio.h>
union abc
{
    int a;
    int x;
    float g;
};
struct pqr
{
    int a;
    int x;
    float g;

} ;

void main()
{
    union abc b;
    struct pqr c;
    clrscr();
    b.a=10;
    textbackground(2);
    textcolor(6);
    cprintf(" A = %d",b.a);
    printf("\n Union = %d",sizeof(b));
    printf("\n Structure = %d",sizeof(c));
    getch();
}

The difference is only \n and a space. My question is, why is my simple program detected as a virus?

Here is another code sample, this time for C++:

#include<iostream.h>
#include<conio.h>
class A
{
    int a,b;
public:
    A()
    {
        a=0;b=0;
    }

    A(int x)
    {
        a=x;
        b=0;
    }

    A(int x,int y)
    {
        a=x;
        b=y;
    }

    ~A()
    {
        cout<<"All things are deleted.";
    }

    void get()
    {
        cout<<"\nA = "<<a;
        cout<<"\nB = "<<b;
    }
};

void main()
{
    A a1(5,10);
    clrscr();
    a1.get();
    getch();
}

When I run this program it gives a "Virus Warning", even though it is not a virus. Now, the tragedy is that when you remove the destructor, it won't detect it as a virus.

Here is the screen shot and similar question:

C Language - \n - creating virus


The question is how, and why?


Solution

Looks like a false-positive. Because modern viruses use polymorphism to hide from anti-virus programs, the anti-virus program has to report even partial matches, and apparently your compiler with the given source code produces a partial match to that malware.

OTHER TIPS

Virus scanners use heuristics and signatures to detect vulnerabilities. False positives are unavoidable. Your program seems to trigger the heuristic. Presumably its checksum, file size or other characteristics match a known virus. This is seconded by the fact that a small change is sufficient to resolve the problem.

EDIT Calling your application Virus.exe is a pretty unfortunate choice, and I'd presume it will trigger most virus scanners quickly (although it's certainly not a perfect name for a real virus ...).

I think you have a real virus somewhere, that perhaps has modified the standard libraries :D Or simply the antivirus detects a pattern in the executable.

See http://www.viruslist.com/en/viruses/encyclopedia?virusid=1857 .

My guess is that Antivir scans through text strings that DOS/Candy contains, and since the one in the second piece of code is like the one it's looking for, Antivir detects the compiled executable as a virus.
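The partial-match and string-scanning explanations in the answers above, as an added example that is not part of the original posts: a minimal wildcard byte-signature scanner run over two constructed data segments that mimic how the string literals of the two programs would sit in the executable. The signature `SIG` is hypothetical and made up for this illustration (it is not a real DOS/Candy pattern), and the layout of the literals is an assumption.

```c
#include <stdio.h>
#include <stddef.h>

#define WILD (-1)   /* signature position that matches any byte */

/* Hypothetical signature, constructed for this example only: a few fixed
   bytes with wildcards in between, the kind of loose pattern used to catch
   variants of one sample. It happens to fit "%d\0\nUnion =". */
static const int SIG[] = { 'd', 0x00, '\n', 'U', WILD, WILD, WILD, WILD, ' ', '=' };
#define SIG_LEN (sizeof SIG / sizeof SIG[0])

/* Constructed stand-ins for the string literals of the two programs,
   assumed to be stored back to back, each NUL-terminated. */
static const unsigned char DATA_A[] = " A = %d\0\nUnion = %d\0\nStructure = %d";
static const unsigned char DATA_B[] = " A = %d\0\n Union = %d\0\n Structure = %d";

/* Return the offset of the first signature match in buf, or -1 if none. */
long sig_scan(const unsigned char *buf, size_t len,
              const int *sig, size_t sig_len)
{
    if (sig_len == 0 || len < sig_len)
        return -1;
    for (size_t i = 0; i + sig_len <= len; i++) {
        size_t j = 0;
        while (j < sig_len && (sig[j] == WILD || sig[j] == buf[i + j]))
            j++;
        if (j == sig_len)
            return (long)i;   /* every fixed byte lined up: flagged */
    }
    return -1;
}

int main(void)
{
    /* First program: benign bytes coincide with the pattern (false positive). */
    printf("variant A: %ld\n", sig_scan(DATA_A, sizeof DATA_A, SIG, SIG_LEN));
    /* Second program: one extra space shifts a fixed byte, so no match. */
    printf("variant B: %ld\n", sig_scan(DATA_B, sizeof DATA_B, SIG, SIG_LEN));
    return 0;
}
```

The same benign data is flagged or cleared depending on a single byte, which is why submitting the file to the vendor as a false positive is the durable fix rather than relying on the source change.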

Licensed under: CC-BY-SA with attribution