#include<stdio.h>
#include<conio.h>
union abc
{
int a;
int x;
float g;
};
struct pqr
{
int a;
int x;
float g;
} ;
void main()
{
union abc b;
struct pqr c;
clrscr();
b.a=10;
textbackground(2);
textcolor(6);
cprintf(" A = %d",b.a);
printf("\nUnion = %d",sizeof(b));
printf("\nStructure = %d",sizeof(c));
getch();
}
I have saved this program as virus.cpp. I am using Turbo C compiler to compile this program and run from Turbo C (Ctrl + F9).
I am using Windows 7 and I have installed Avira AntiVir virus system.
When I tried to run above program, it creates a worm (DOS/Candy). I believe there is nothing wrong in program.
Now here is something special. Execute the same program with following difference. Here the only difference is space between \n:
#include<stdio.h>
#include<conio.h>
union abc
{
int a;
int x;
float g;
};
struct pqr
{
int a;
int x;
float g;
} ;
void main()
{
union abc b;
struct pqr c;
clrscr();
b.a=10;
textbackground(2);
textcolor(6);
cprintf(" A = %d",b.a);
printf("\n Union = %d",sizeof(b));
printf("\n Structure = %d",sizeof(c));
getch();
}
The difference is only \n and space. My question is, why is my simple program is detected as virus?
Here is another code sample, this time for C++:
#include<iostream.h>
#include<conio.h>
class A
{
int a,b;
public:
A()
{
a=0;b=0;
}
A(int x)
{a=x;
b=0;
}
A(int x,int y)
{
a=x;
b=y;
}
~A()
{
cout<<"All things are deleted.";
}
void get()
{
cout<<"\nA = "<<a;
cout<<"\nB = "<<b;
}
};
void main()
{
A a1(5,10);
clrscr();
a1.get();
getch();
}
When I run this program it gives “Virus Warning” – Even it is not an virus. Now, the tragedy is when you remove destructors, it won’t detect it as virus.
Here is the screen shot and similar question:
C Language – \n – creating virus
The question is how, and why?
Looks like a false-positive. Because modern viruses use polymorphism to hide from anti-virus programs, the anti-virus program has to report even partial matches, and apparently your compiler with the given source code produces a partial match to that malware.