C++ / C language program detected as a virus
Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must follow the CC BY-SA license, give the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/2443166/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
C language program is detected as a virus
Asked by Sagar R. Kothari
#include<stdio.h>
#include<conio.h>
union abc
{
    int a;
    int x;
    float g;
};
struct pqr
{
    int a;
    int x;
    float g;
};
void main()
{
    union abc b;
    struct pqr c;
    clrscr();
    b.a=10;
    textbackground(2);
    textcolor(6);
    cprintf(" A = %d",b.a);
    printf("\nUnion = %d",sizeof(b));
    printf("\nStructure = %d",sizeof(c));
    getch();
}
I have saved this program as virus.cpp. I am using Turbo C compiler to compile this program and run from Turbo C (Ctrl + F9).
I am using Windows 7 and I have installed Avira AntiVir virus system.
When I tried to run above program, it creates a worm (DOS/Candy). I believe there is nothing wrong in program.
Now here is something special. Execute the same program with the following difference. Here the only difference is the space after \n:
#include<stdio.h>
#include<conio.h>
union abc
{
    int a;
    int x;
    float g;
};
struct pqr
{
    int a;
    int x;
    float g;
};
void main()
{
    union abc b;
    struct pqr c;
    clrscr();
    b.a=10;
    textbackground(2);
    textcolor(6);
    cprintf(" A = %d",b.a);
    printf("\n Union = %d",sizeof(b));
    printf("\n Structure = %d",sizeof(c));
    getch();
}
The difference is only \n and a space. My question is, why is my simple program detected as a virus?
Here is another code sample, this time for C++:
#include<iostream.h>
#include<conio.h>
class A
{
    int a,b;
public:
    A()
    {
        a=0;b=0;
    }
    A(int x)
    {
        a=x;
        b=0;
    }
    A(int x,int y)
    {
        a=x;
        b=y;
    }
    ~A()
    {
        cout<<"All things are deleted.";
    }
    void get()
    {
        cout<<"\nA = "<<a;
        cout<<"\nB = "<<b;
    }
};
void main()
{
    A a1(5,10);
    clrscr();
    a1.get();
    getch();
}
When I run this program it gives a "Virus Warning", even though it is not a virus. Now, the tragedy is that when you remove the destructor, it won't detect it as a virus.
Here is the screenshot and a similar question:
C Language - \n - creating virus
The question is how, and why?
Answered by Alexander Gessler
Virus scanners use heuristics and signatures to detect vulnerabilities. False positives are unavoidable. Your program seems to trigger the heuristic. Presumably its checksum, file size or other characteristics match a known virus. This is seconded by the fact that a small change is sufficient to resolve the problem.
EDIT: Calling your application Virus.exe is a pretty unfortunate choice, and I'd presume it will trigger most virus scanners quickly (although it's certainly not a perfect name for a real virus ...).
Answered by Ben Voigt
Looks like a false-positive. Because modern viruses use polymorphism to hide from anti-virus programs, the anti-virus program has to report even partial matches, and apparently your compiler with the given source code produces a partial match to that malware.
Answered by fabrizioM
I think you have a real virus somewhere, that perhaps has modified the standard libraries :D Or simply the antivirus detects a pattern in the executable.
Answered by Yktula
See http://www.viruslist.com/en/viruses/encyclopedia?virusid=1857.
My guess is that Antivir scans through text strings that DOS/Candy contains, and since the one in the second piece of code is like the one it's looking for, Antivir detects the compiled executable as a virus.
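The answers above describe one mechanism from three angles: byte-string signatures taken from a malware sample (Yktula), partial matches reported because polymorphic malware defeats exact matching (Ben Voigt), and whole-file checksums or other characteristics (Alexander Gessler). The script below is an added example, not code from this thread and not any antivirus vendor's engine. The signature database, the "Toy/Candy-like" fragments, and the fake executables are all constructed here; they are not the real DOS/Candy signature or real Turbo C output. It shows how a single byte of difference in an embedded format string turns a full match into no match at all, how a partial-match threshold catches the in-between case, and what a defender looks at to confirm a suspected false positive: the exact offsets the signature hit, which here fall inside the program's own printf strings.

```python
"""Toy signature scanner: an added example (not from the Stack Overflow
thread and not any vendor's engine) showing why byte-string signatures,
partial matches and whole-file checksums can produce false positives.
Every signature and 'executable' below is constructed for illustration."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Signature:
    name: str
    fragments: List[bytes]          # byte strings expected somewhere in the file
    sha256: str = ""                # optional exact whole-file checksum
    partial_threshold: float = 0.5  # fraction of fragments needed for "partial"


@dataclass
class Verdict:
    signature: str
    kind: str                         # "exact" (checksum), "full" or "partial"
    matched: List[Tuple[int, bytes]]  # (offset, fragment) for each fragment found
    score: float                      # fragments found / fragments in signature


def find_fragments(data: bytes, fragments: List[bytes]) -> List[Tuple[int, bytes]]:
    """Return (offset, fragment) for every fragment present in data."""
    hits = []
    for frag in fragments:
        off = data.find(frag)
        if off != -1:
            hits.append((off, frag))
    return hits


def scan(data: bytes, db: List[Signature]) -> List[Verdict]:
    """Check data against every signature: exact checksum first, then fragments."""
    digest = hashlib.sha256(data).hexdigest()
    verdicts = []
    for sig in db:
        if sig.sha256 and sig.sha256 == digest:
            verdicts.append(Verdict(sig.name, "exact", [], 1.0))
            continue
        if not sig.fragments:           # checksum-only signature and no hash match
            continue
        hits = find_fragments(data, sig.fragments)
        score = len(hits) / len(sig.fragments)
        if score == 1.0:
            verdicts.append(Verdict(sig.name, "full", hits, score))
        elif score >= sig.partial_threshold:
            verdicts.append(Verdict(sig.name, "partial", hits, score))
    return verdicts


def describe(verdicts: List[Verdict]) -> List[str]:
    """Lines an analyst reads to see which bytes actually matched."""
    lines = []
    for v in verdicts:
        offsets = [off for off, _ in v.matched]
        lines.append(f"{v.signature}: {v.kind} match, score {v.score:.2f}, "
                     f"fragments at offsets {offsets}")
    return lines


# Constructed stand-ins for the compiled programs' data: a fake 16-byte header
# followed by the literal strings the compiler would embed. As in the question,
# the only difference between the first two builds is the space after "\n".
HEADER = b"MZ\x90\x00" + b"\x00" * 12
BUILD_NO_SPACE = HEADER + b" A = %d\x00\nUnion = %d\x00\nStructure = %d\x00"
BUILD_WITH_SPACE = HEADER + b" A = %d\x00\n Union = %d\x00\n Structure = %d\x00"
BUILD_MIXED = HEADER + b" A = %d\x00\nUnion = %d\x00\n Structure = %d\x00"

# Constructed signatures. "Toy/Candy-like" is NOT the real DOS/Candy signature;
# its fragments stand in for short byte strings lifted from a malware sample,
# two of which happen to coincide with an ordinary program's format strings.
DB = [
    Signature("Toy/ExactChecksum", fragments=[],
              sha256=hashlib.sha256(BUILD_NO_SPACE).hexdigest()),
    Signature("Toy/Candy-like",
              fragments=[b"MZ\x90\x00", b"\nUnion = %d", b"\nStructure = %d"],
              partial_threshold=0.6),
]


if __name__ == "__main__":
    for label, build in [("no space", BUILD_NO_SPACE),
                         ("with space", BUILD_WITH_SPACE),
                         ("mixed", BUILD_MIXED)]:
        print(f"[{label}]", describe(scan(build, DB)) or ["clean"])
```

Run as a script, the "no space" build hits both the checksum and all three fragments, the "with space" build hits only the header fragment and is reported clean, and the "mixed" build lands above the partial threshold with two of three fragments. The offsets in the report (24 and 36 here) point straight at the printf strings, which is the evidence a defender wants before filing a false-positive report with the vendor or adding an exclusion.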