85

Basically, I just ran a scan of my computer with Malwarebytes (updated the definitions before running), and it said my "helloworld" program written in C# has a trojan.

I know for a fact this is a false positive, as I only wrote the program 2-3 days ago and followed a small tutorial website to make the program that I trust. I am new to C#, but I can't see anything that would give a trojan warning at all.

Malwarebytes report

The program flags the executable, but not the source file.

```csharp
using System;

namespace HelloWorldApplication
{
    class HelloWorld
    {
        static void Main(string[] args)
        {
            Console.WriteLine("\n\tHello World!");
            Console.WriteLine("This is my first C# program.\nI'm so proud of myself!");
            Console.WriteLine("\tTeehee!");
        }
    }
}
```

This is the code, written in Notepad++, and it is run from the command-line (Cygwin, actually). Why does it flag this? Is it something that, as a budding C# programmer, I should know about?

Peter Mortensen
Qwurticus
  • 1
    I should add, none of the other C# source files or executables in the same folder are flagged. – Qwurticus Apr 08 '14 at 02:18
  • 2
    Did you download a code example from a website? Could be code is executing that you don't realize is executing via custom build steps or references to dlls in the bin folder etc. I don't see anything there that would relate to a virus signature. – BateTech Apr 08 '14 at 02:24
  • No, I wrote it myself, as well as the other programs. I took it from tutorialpoint.com. – Qwurticus Apr 08 '14 at 02:35
  • 13
    unrelated, but the image in this post was blocked by sophos with a malware warning – puser Apr 08 '14 at 09:37
  • 1
    I had the same discovery as @puser – Eman Apr 08 '14 at 18:38
  • 1
    @puser I edited the post to fix this. ;) – tckmn Apr 08 '14 at 20:50
  • 4
    Also, even though it's not likely in this scenario, it's worth observing that just because your source code doesn't contain bad code doesn't mean your executable doesn't: http://scienceblogs.com/goodmath/2007/04/15/strange-loops-dennis-ritchie-a/ – Fabio Beltramini Apr 08 '14 at 21:37
  • 1
    Try scanning this file at http://virustotal.com to find out if others also detect something with this. – Dinesh Apr 09 '14 at 02:00
  • 4
    In my thesis work, I used around 14 antiviruses to test more than 2500 malware samples and found Malwarebytes is a very poor antivirus. [Here are the slides](http://www.slideshare.net/GrijeshChauhan/meta-23014090) - slide 32 for the comparison graph – Grijesh Chauhan Apr 09 '14 at 07:16

3 Answers

132

The problem could be that the Backdoor.MSIL.PGen Trojan is typically called 'hello.exe'. The name of your executable is presumably 'hello.exe' or 'helloworld.exe'.

Just rename your project or change the output executable to something not containing 'hello', and it should stop detecting it.

This answer is somewhat speculative, but given the name of your project, and a history of over-aggressive detection of this malware (see here), it seems a reasonable stab.

Baldrick
  • 59
    That is some cruddy Anti-Virus software there. – tom.dietrich Apr 08 '14 at 02:20
  • 74
    I'm amazed that a piece of software as high profile as MalwareBytes would flag a false positive based solely on filename – Bradley Thomas Apr 08 '14 at 02:23
  • 14
    @BradThomas: Well, I'm not *sure* this is the reason, but given the name of the project above, it's a major smoking gun... :) There's also a history of MalwareBytes overzealously detecting this trojan: https://forums.malwarebytes.org/index.php?showtopic=135095 – Baldrick Apr 08 '14 at 02:25
  • 23
    You were right... It was the name. XP. I find that pretty stupid, tbh. Changed it to a different name and it didn't flag it. Thank you! – Qwurticus Apr 08 '14 at 02:39
  • 1
    @Baldrick: That was an error, my bad! I accidentally closed the tab, then reopened it and clicked the unmarked check again. I checked it again. :) – Qwurticus Apr 08 '14 at 02:42
  • 10
    I would guess that the heuristic is (a) contains MSIL code (the kind of bytecode produced by the C# compiler), (b) is named "hello.exe". One of those by itself isn't enough. – nneonneo Apr 08 '14 at 04:42
  • @ColeJohnson: Looks like maybe the fix wasn't *too* great.. didn't cover this case anyway! :) – Baldrick Apr 08 '14 at 05:18
  • 1
    @nneonneo That is still one cruddy test. – tom.dietrich Apr 08 '14 at 17:35
  • Try using SMTP to send an email and scan it on virustotal, you might find something interesting. – SomeNickName Apr 08 '14 at 22:23
14

The answer by Baldrick is likely correct, but there is also another possibility: There are viruses which search for random executables on the system and modify them by inserting their own code into them (this is, in fact, the original definition of "computer virus"). When you find that an executable which you know is trustworthy suddenly is reported as infected, you might be dealing with such a virus.

But unless your virus scanner reports other executables as the same virus, this is unlikely.

Philipp
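An added triage sketch (not from any of the posts, and not Malwarebytes' actual logic) for telling the two explanations above apart: a verdict that follows the file name versus an executable whose bytes changed after you built it. `guessed_rule` only models the guess from the comments (MSIL plus "hello" in the name); all function names, the `renamed.exe` probe name and the header-only sample PE are assumptions constructed for the example.

```python
import hashlib
import struct

def is_dotnet_assembly(data: bytes) -> bool:
    """True if the PE's CLR runtime header (data directory 14) is populated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    opt = pe_off + 24               # 4-byte signature + 20-byte COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or opt + 2 > len(data):
        return False
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)   # PE32 / PE32+
    if dirs is None or dirs + 15 * 8 > len(data):
        return False
    (count,) = struct.unpack_from("<I", data, dirs - 4)    # NumberOfRvaAndSizes
    rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)
    return count > 14 and rva != 0 and size != 0

def guessed_rule(filename: str, data: bytes) -> bool:
    """Stand-in for the scanner: the rule guessed in the comments, nothing more."""
    return is_dotnet_assembly(data) and "hello" in filename.lower()

def triage(filename: str, data: bytes, sha256_at_build: str) -> str:
    """Classify a detection on an executable you compiled yourself."""
    if hashlib.sha256(data).hexdigest() != sha256_at_build:
        return "modified-since-build"    # bytes changed: treat as possibly infected
    if guessed_rule(filename, data) and not guessed_rule("renamed.exe", data):
        return "name-dependent"          # same bytes, verdict follows the file name
    return "unexplained"

def make_pe(clr_rva: int) -> bytes:
    """Constructed sample: header-only PE32 image, not a runnable program."""
    pe = bytearray(0x40 + 24 + 96 + 16 * 8)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)              # e_lfanew -> 0x40
    pe[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", pe, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", pe, opt + 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, opt + 96 + 14 * 8, clr_rva, 0x48 if clr_rva else 0)
    return bytes(pe)

if __name__ == "__main__":
    managed = make_pe(0x2008)
    built = hashlib.sha256(managed).hexdigest()
    print(triage("helloworld.exe", managed, built))
    print(triage("helloworld.exe", managed + b"\x00", built))
```

Recording the SHA-256 of your build output at compile time is what makes the first branch usable; against a real scanner, the second branch corresponds to rescanning a byte-identical copy under a different name.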
0

I just figured this out: change the "Guid" in AssemblyInfo.cs a little, then try again.

That worked for me.

SuperBerry