Thread: Did I Accidentally Create a Virus?

  1. #1
    Registered User
    Join Date
    Jul 2012
    Posts
    36

    Did I Accidentally Create a Virus?

    Hello all, so I was just opening up the C++ compiler recommended by this site's tutorial and already I may have done something damaging.

    I was messing around with the intro code and commented out a line to see what would happen. Here's the code I wrote (well, I can't really say wrote, most of it is copied from the tutorial, and the comments were sections of the text to help me remember things about what the code in each line meant, I'm really sorry, if I'm not supposed to re-post that stuff here, it was just for my educational benefit):

    Code:
    #include <iostream> // A quote from the tutorial I'm learning from: "The #include is a "preprocessor" directive that tells the compiler to put code from the header called iostream into our program before actually creating the executable. By including header files, you gain access to many different functions. For example, the cout function requires iostream."
    
    using namespace std; // A quote from the tutorial I'm learning from: "This line tells the compiler to use a group of functions that are part of the standard library (std). By including this line at the top of a file, you allow the program to use functions such as cout."
    
    int main() // Quote: "This line tells the compiler that there is a function named main, and that the function returns an integer, hence int. The "curly braces" ({ and }) signal the beginning and end of functions and other code blocks. You can think of them as meaning BEGIN and END."
    {
        cout<<"You are not stupid.\n"; // This is how text is printed using the cout function. a quote from the book: "In C++, however, the cout object is used to display text (pronounced "C out"). It uses the << symbols, known as "insertion operators", to indicate what to output. cout<< results in a function call with the ensuing text as an argument to the function. The quotes tell the compiler that you want to output the literal string as-is. The '\n' sequence is actually treated as a single character that stands for a newline (we'll talk about this later in more detail). It moves the cursor on your screen to the next line."
        //cin.get(); // another quote: "This is another function call: it reads in input and expects the user to hit the return key. Many compiler environments will open a new console window, run the program, and then close the window. This command keeps that window from closing because the program is not done yet because it waits for you to hit enter. Including that line gives you time to see the program run."
    }
    Anyway, when I ran this program, which I knew was missing the important get() function (I just wanted to see what would happen X( ), AVG popped up and claimed that a threat named "Trojan horse Agent3.BLKR" had been detected in the program I just compiled!

    I moved it to the vault and undid the comment. Then, when I ran it again, the program worked perfectly fine and AVG didn't have any complaints. I looked up the trojan it mentioned, but couldn't find much with a cursory search.

    Out of curiosity, I tried commenting out the line again, and sure enough, AVG detected the virus once more!

    I'm really confused here, because I'm not sure how a virus could have gotten into a program I made milliseconds ago, or why it would be detected only when I commented out that one line. It made me wonder if I was somehow just setting off red flags that were common to another virus or if I was really infected with something. So I ask of you, is it possible to set off anti-virus software with programming like this? Or am I somehow making an already present infection more visible?

    I'm sorry if this is a really stupid question, but I could really use any advice you could give.

  2. #2
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    Just to be safe, you should scan your computer for viruses.
    Given that there are none, I am pretty sure it's a false positive. You might try reporting it if you can, because this is not any virus code.
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  3. #3
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
    That should not happen. Looks like it's time to toss your antivirus out the window.
    Code:
    //try
    //{
    	if (a) do { f( b); } while(1);
    	else   do { f(!b); } while(1);
    //}

  4. #4
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,656
    Some AV tools work by comparing hashes of files against a database of known "good" files.

    Any new program you create will have a unique hash (not seen elsewhere), and will therefore be flagged as suspect.

    Consider doing this
    AVG Free | How to exclude some folder or file from AVG Resident Shield scanning | FAQ
    That is, making your C:\D&S\user\Documents\projects\code root (of where you develop all your code) to be off limits to the AV scanner.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  5. #5
    Registered User
    Join Date
    Jul 2012
    Posts
    36
    Quote Originally Posted by Salem View Post
    Some AV tools work by comparing hashes of files against a database of known "good" files.

    Any new program you create will have a unique hash (not seen elsewhere), and will therefore be flagged as suspect.

    Consider doing this
    AVG Free | How to exclude some folder or file from AVG Resident Shield scanning | FAQ
    That is, making your C:\D&S\user\Documents\projects\code root (of where you develop all your code) to be off limits to the AV scanner.
    Ah, that makes sense, thank you. I'll run a virus scan to be sure, as was recommended above, but honestly I'm just glad for an explanation of why what happened likely happened.

  6. #6
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    AVG is known to have quite a few false positives. I suspect this is one of many of them.

  7. #7
    Algorithm Dissector iMalc's Avatar
    Join Date
    Dec 2005
    Location
    New Zealand
    Posts
    6,318
    We get false positives all the time with Trend Micro at work, for stuff we've just compiled, targeting an embedded 386 platform.

    It's really surprising that such a tiny simple program would cause it though.
    My homepage
    Advice: Take only as directed - If symptoms persist, please see your debugger

    Linus Torvalds: "But it clearly is the only right way. The fact that everybody else does it some other way only means that they are wrong"

  8. #8
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    Agreed. But if the hashes match or somehow match the internal algorithm of AVG it will flag it as a virus. I had a lot of trouble with AVG flagging all kinds of programs as malicious when I knew for sure they were not. Because of that I switched to Avira and many of the false positives went away.

  9. #9
    SAMARAS std10093's Avatar
    Join Date
    Jan 2011
    Location
    Nice, France
    Posts
    2,694
    How do you explain the fact that the "Trojan horse Agent3.BLKR" is appearing only when he makes the line a comment?

  10. #10
    Lurking whiteflags's Avatar
    Join Date
    Apr 2006
    Location
    United States
    Posts
    9,613
    Since the comment actually removes code, it makes all the difference. Hashes are supposed to be random enough that changing a single bit of the object will give a totally different hash.

    I don't mean to imply that AVG isn't rubbish. It is, and my personal choice is Microsoft Security Essentials.

  11. #11
    SAMARAS std10093's Avatar
    Join Date
    Jan 2011
    Location
    Nice, France
    Posts
    2,694
    Hashes are indeed supposed to be random enough that changing a single bit of the object will give a totally different hash. But if he comments out another line, I guess no virus threat would have appeared (if so, I guess that he would have stated it so far). I cannot understand why this particular line causes the problem and not another line. :/

  12. #12
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    How do you explain the fact that the "Trojan horse Agent3.BLKR" is appearing only when he makes the line a comment?
    I can not understand why this particular line causes the problem and not another line.
    If the hash matches within some error threshold as determined by AVG's internal algorithms then it will flag it. Often there is a threshold value or fudge factor figured in since an exact hash could never account for various flavors of the virus. In fact someone could add a 1 line comment and the hash would change enough not to flag it. However it does appear that AVG is attempting an exact hash match due to the behavior of AVG with respect to the source code contents.

    But in the end if AVG's internal algos say the hash matches....AVG will flag it as a virus and display the name of the virus based on the hash.

  13. #13
    Registered User
    Join Date
    Dec 2006
    Location
    Canada
    Posts
    3,229
    If the hash matches within some error threshold as determined by AVG's internal algorithms then it will flag it.
    There are hashing algorithms that will hash similar inputs to similar outputs?

  14. #14
    Registered User
    Join Date
    Oct 2006
    Posts
    3,445
    Quote Originally Posted by cyberfish View Post
    There are hashing algorithms that will hash similar inputs to similar outputs?
    I'm not aware of any, but that doesn't mean they can't do a "fuzzy compare" on the hashing algorithm they use.
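
Added example, not part of any post in this thread and not AVG's detection logic (which the thread does not document): it contrasts a cryptographic hash, where a single flipped bit changes about half of the digest, with SimHash, a locality-sensitive hash that does map similar inputs to similar outputs. The byte buffers are constructed stand-ins for compiled executables, and the helper names `blob`, `simhash` and `compare` are hypothetical.

```python
import hashlib

def blob(seed: bytes, size: int = 4096) -> bytes:
    """Constructed stand-in for a compiled executable (deterministic filler bytes)."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]

def hamming(x: int, y: int) -> int:
    """Number of bit positions in which two digests differ."""
    return bin(x ^ y).count("1")

def sha256_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def simhash(data: bytes, ngram: int = 4, bits: int = 64) -> int:
    """Locality-sensitive digest: every n-gram votes on each output bit,
    so inputs that share most n-grams end up with mostly equal bits."""
    votes = [0] * bits
    for i in range(len(data) - ngram + 1):
        h = int.from_bytes(
            hashlib.blake2b(data[i:i + ngram], digest_size=bits // 8).digest(), "big")
        for bit in range(bits):
            votes[bit] += 1 if (h >> bit) & 1 else -1
    return sum(1 << bit for bit in range(bits) if votes[bit] > 0)

def compare() -> dict:
    original = blob(b"build-1")
    rebuilt = bytearray(original)
    rebuilt[2000] ^= 0x01                 # smallest possible difference: one bit
    rebuilt = bytes(rebuilt)
    unrelated = blob(b"other-program")    # constructed, shares nothing with original
    return {
        # Exact-match signatures: the digest is effectively unrelated after one bit.
        "sha256_bits_changed": hamming(sha256_int(original), sha256_int(rebuilt)),
        # Fuzzy signatures: the near-duplicate stays within a few bits.
        "simhash_near": hamming(simhash(original), simhash(rebuilt)),
        "simhash_unrelated": hamming(simhash(original), simhash(unrelated)),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

A scanner that matches on a distance threshold over a digest like this flags near-duplicates of a known sample, which is also how an unrelated small program can occasionally land inside the threshold and produce a false positive.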

  15. #15
    SAMARAS std10093's Avatar
    Join Date
    Jan 2011
    Location
    Nice, France
    Posts
    2,694
    Quote Originally Posted by VirtualAce View Post
    If the hash matches within some error threshold as determined by AVG's internal algorithms then it will flag it. Often there is a threshold value or fudge factor figured in since an exact hash could never account for various flavors of the virus. In fact someone could add a 1 line comment and the hash would change enough not to flag it. However it does appear that AVG is attempting an exact hash match due to the behavior of AVG with respect to the source code contents.

    But in the end if AVG's internal algos say the hash matches....AVG will flag it as a virus and display the name of the virus based on the hash.
    Thank you Ace
