#include<stdio.h>
#include<conio.h>
union abc
{
    int a;
    int x;
    float g;
};
struct pqr
{
    int a;
    int x;
    float g;

} ;

void main()
{
    union abc b;
    struct pqr c;
    clrscr();
    b.a=10;
    textbackground(2);
    textcolor(6);
    cprintf(" A = %d",b.a);
    printf("\nUnion = %d",sizeof(b));
    printf("\nStructure = %d",sizeof(c));
    getch();
}

Now, save this program as virus.cpp (or any name that you like). I am using the Turbo C compiler to compile this program and run it from Turbo C (Ctrl + F9).

I don't know whether to ask this question at Stack Overflow or at Super User.

I am using Windows 7 and I have installed the Avira AntiVir virus system. I am not here for any kind of advertisement of Microsoft or the antivirus system.

I am just here for a solution to my query.

When I tried to run the above program, it creates a worm (DOS/Candy).

I believe there is nothing wrong in the program.

Okay.

Now here is something special. Execute the same program with the following difference. Here the only difference is a space after \n.

#include<stdio.h>
#include<conio.h>
union abc
{
    int a;
    int x;
    float g;
};
struct pqr
{
    int a;
    int x;
    float g;

} ;

void main()
{
    union abc b;
    struct pqr c;
    clrscr();
    b.a=10;
    textbackground(2);
    textcolor(6);
    cprintf(" A = %d",b.a);
    printf("\n Union = %d",sizeof(b));
    printf("\n Structure = %d",sizeof(c));
    getch();
}

The difference is only \n and a space.

The question is: "Why is my simple program detected as a virus?"

Thanks in advance for sharing your knowledge.

Sagar.

Another question here. For C++.

#include<iostream.h>
#include<conio.h>
class A
{
    int a,b;
public:
    A()
    {
        a=0;b=0;
    }

    A(int x)
    {
        a=x;
        b=0;
    }

    A(int x,int y)
    {
        a=x;
        b=y;
    }

    ~A()
    {
        cout<<"All things are deleted.";
    }

    void get()
    {
        cout<<"\nA = "<<a;
        cout<<"\nB = "<<b;
    }
};

void main()
{
    A a1(5,10);
    clrscr();
    a1.get();
    getch();
}

Okay. I have a simple C++ program here. When I run this program, it gives a "Virus Warning", even though it is not a virus.

Now, the tragedy is: "When you remove destructors, it won't detect it as a virus."

Here is the screen shot & similar question - http://stackoverflow.com/questions/2443166/c-language-n-creating-virus

The question is How? Why?

Thanks in advance for sharing your knowledge.

Sagar.

+15  A: 

Virus scanners use heuristics and signatures to detect vulnerabilities. False positives are unavoidable. Obviously, your first program seems to trigger the heuristic, or its checksum, file size, ... matches a known virus. This is seconded by the fact that a small change is sufficient to resolve the problem.

EDIT: I see you named your app Virus.exe. That's a pretty unfortunate name for an application, and I'd presume it will trigger most virus scanners quickly (although it's certainly not a perfect name for a real virus ...).

Alexander Gessler
... and maybe the fact that the OP calls his programs `VIRUS` and `VIRUS2` helps to get the anti-virus software to think that it's found a virus...?
stakx
Hey! You might use another name also. I had too many programs on my disk for my exam preparation - I just named it like this because I wanted to identify it easily. You might choose another name - then also it will detect it as a virus.
sugar
Have you gone through my comments???
sugar
+1  A: 

I think you have a real virus somewhere, that perhaps has modified the standard libraries :D Or simply the antivirus detects a pattern in the executable.

fabrizioM
sugar
+3  A: 

See http://www.viruslist.com/en/viruses/encyclopedia?virusid=1857 .

My guess is that Antivir scans through text strings that DOS/Candy contains, and since the one in the second piece of code is like the one it's looking for, Antivir detects the compiled executable as a virus.

Yktula
+10  A: 

Looks like a false-positive. Because modern viruses use polymorphism to hide from anti-virus programs, the anti-virus program has to report even partial matches, and apparently your compiler with the given source code produces a partial match to that malware.

Ben Voigt
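
A toy illustration of the signature-matching explanation given in the answers above, added here and not part of any answer or of any real scanner. The signature and both byte buffers are constructed for the example (they are not Avira's or DOS/Candy's), and counting matched positions is an assumed stand-in for a partial-match heuristic.

```c
/* Added illustration: toy signature scanner. SIG, BUILD1 and BUILD2 are
 * constructed for this example; they are not taken from any antivirus
 * product or from DOS/Candy. */
#include <stddef.h>
#include <stdio.h>

#define WILD (-1)  /* signature position that matches any byte */

/* Constructed signature: NUL, "\nU", two wildcards, "on =". */
static const int SIG[] = { 0x00, '\n', 'U', WILD, WILD, 'o', 'n', ' ', '=' };
#define SIG_LEN (sizeof SIG / sizeof SIG[0])

/* Constructed stand-ins for the string-literal area of the two builds. */
static const unsigned char BUILD1[] = " A = %d\0\nUnion = %d\0\nStructure = %d";
static const unsigned char BUILD2[] = " A = %d\0\n Union = %d\0\n Structure = %d";

/* Highest number of signature positions satisfied at any offset in buf. */
size_t best_match(const unsigned char *buf, size_t len)
{
    size_t best = 0;
    for (size_t i = 0; i + SIG_LEN <= len; i++) {
        size_t hits = 0;
        for (size_t j = 0; j < SIG_LEN; j++)
            if (SIG[j] == WILD || SIG[j] == buf[i + j])
                hits++;
        if (hits > best)
            best = hits;
    }
    return best;
}

/* Flag the buffer when at least min_hits positions match. */
int flagged(const unsigned char *buf, size_t len, size_t min_hits)
{
    return best_match(buf, len) >= min_hits;
}

int main(void)
{
    /* Exact rule (all positions) versus a looser partial rule (7 of 9). */
    printf("build 1: %zu/%zu, exact=%d partial=%d\n", best_match(BUILD1, sizeof BUILD1),
           SIG_LEN, flagged(BUILD1, sizeof BUILD1, SIG_LEN), flagged(BUILD1, sizeof BUILD1, 7));
    printf("build 2: %zu/%zu, exact=%d partial=%d\n", best_match(BUILD2, sizeof BUILD2),
           SIG_LEN, flagged(BUILD2, sizeof BUILD2, SIG_LEN), flagged(BUILD2, sizeof BUILD2, 7));
    return 0;
}
```

With the exact rule only the first build is flagged, because the added space shifts the bytes under the signature; with the looser rule both harmless builds are flagged, which is the false-positive cost of reporting partial matches.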