Sunday, April 29, 2012

Never knew Downloader.Agent2.BBLD was so simple

I had just started writing a new C++ console app (under Visual Studio 2010, 10.0.40219.1 SP1Rel) to test something out, and had nothing more than this:

#include <stdio.h>
#include <Windows.h>

int main(int argc, char** argv)
{
  return 0;
}

I unintentionally clicked Start Debugging, and much to my surprise, the build failed with a link error.

[screenshot of the link error]

Really? How did I screw up something so simple? Several seconds later AVG popped up this "Resident Shield Alert":

Downloader.Agent2.BBLD

Are you kidding me?  So I added a printf...

#include <stdio.h>

int main(int argc, char** argv)
{
    printf("WTF is going on\n");
    return 0;
}


Again, threat detected! This time Downloader.Agent2.BAZE. I disabled AVG, built it again (successfully this time!) and threw the EXE into IDA, worried that I had some impressive virus on the machine injecting a trojan into every EXE I build. Nothing out of the ordinary: just the usual, convoluted CRT startup code and my trivial main().

I uploaded it to VirusTotal to see whether this was just an AVG false positive or something more. It had a detection ratio of 8 / 42; check out that link to see each AV engine and what it called the file. It is important to note that AVG's Resident Shield picked up the file before the build had even finished (the on-access scanner grabbed the linker's output file out from under it, hence the link error), and a manual scan also flagged the finished EXE.

"This is absurd!" I'm thinking. One more try....


#include <stdio.h>

int main(int argc, char** argv)
{
    printf("WTF is going on\n");
    getchar();
    printf("This is ridiculous\n");
    return 0;
}


Finally, this one built okay and AVG left it alone. Curious, I uploaded this one to VirusTotal too. It was picked up by only 1 / 42 engines: McAfee-GW-Edition identified it as Heuristic.BehavesLike.Win32.Suspicious.H. Sounds more like Heuristic.WeHaveNoIdea.FlagEverything.H
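What the author did by hand in IDA, confirming that the flagged EXE held nothing beyond CRT startup code and main(), can be turned into a repeatable check: dump each build's import table and diff the builds against each other. A bare console EXE gives a static scanner little to look at beyond its headers, imports and CRT startup code, so that table is the first thing to compare. The script below is an added example, not the author's code and not AVG's logic: a dependency-free PE import walker in Python, together with a synthetic PE builder so it runs offline. The three images it builds, and the CRT import lists they carry (a /MD VS2010-style set with KERNEL32.dll and MSVCR100.dll), are this example's assumptions, not the real import tables of the author's three EXEs.

```python
import struct

RVA_BASE = 0x1000   # RVA of the single section in the synthetic images (this example's layout)
RAW_OFF = 0x200     # its file offset; FileAlignment is 0x200

def build_pe32(imports):
    """Construct a minimal PE32 image holding only an import table (constructed offline
    test input, not a runnable program).  imports: [(dll_name, [symbol, ...]), ...]."""
    sec = bytearray(20 * (len(imports) + 1))          # import directory, filled in last

    def put(blob, align=1):                            # append to the section, return its RVA
        while len(sec) % align:
            sec.append(0)
        sec.extend(blob)
        return RVA_BASE + len(sec) - len(blob)

    entries = []
    for dll, funcs in imports:
        names = [put(b"\0\0" + f.encode() + b"\0", 2) for f in funcs]  # hint + name
        dll_rva = put(dll.encode() + b"\0")
        thunks = b"".join(struct.pack("<I", r) for r in names) + b"\0" * 4
        ilt, iat = put(thunks, 4), put(thunks, 4)      # lookup table, address table
        entries.append(struct.pack("<IIIII", ilt, 0, 0, dll_rva, iat))
    idt = b"".join(entries) + b"\0" * 20
    sec[:len(idt)] = idt
    raw_size = (len(sec) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)     # i386, one section
    opt = struct.pack("<HBBIIIIII", 0x10B, 10, 0, 0, raw_size, 0, RVA_BASE, RVA_BASE, RVA_BASE)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 5, 1, 0, 0, 5, 1,
                       0, RVA_BASE + 0x1000, RAW_OFF, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (RVA_BASE, len(idt))                     # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(sec), RVA_BASE, raw_size, RAW_OFF,
                          0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdr).ljust(RAW_OFF, b"\0")
    return headers + bytes(sec).ljust(raw_size, b"\0")

def _rva_to_offset(data, rva):
    """Map an RVA to a file offset via the section table (works on real on-disk PEs too)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    for i in range(nsec):
        vsize, va, rsize, roff = struct.unpack_from("<IIII", data, pe + 24 + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return roff + rva - va
    raise ValueError("RVA 0x%x outside every section" % rva)

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def list_imports(data):
    """Return {dll: [symbol, ...]} from the import directory of a PE32/PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # data directories start at optional-header offset 96 (PE32) / 112 (PE32+); import is entry 1
    imp_rva, = struct.unpack_from("<I", data, opt + (120 if is64 else 104))
    fmt, width, by_ordinal = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    result = {}
    off = _rva_to_offset(data, imp_rva) if imp_rva else None
    while off is not None:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if not (ilt or name_rva or iat):
            break                                      # all-zero terminator
        dll = _cstr(data, _rva_to_offset(data, name_rva))
        toff, funcs = _rva_to_offset(data, ilt or iat), []
        while True:
            entry, = struct.unpack_from(fmt, data, toff)
            toff += width
            if not entry:
                break
            funcs.append("#%d" % (entry & 0xFFFF) if entry & by_ordinal
                         else _cstr(data, _rva_to_offset(data, entry) + 2))   # +2 skips the hint
        result[dll] = funcs
        off += 20
    return result

def import_diff(old, new):
    """Symbols a newer build imports that the older one did not, per DLL."""
    added = {dll: sorted(set(syms) - set(old.get(dll, ()))) for dll, syms in new.items()}
    return {dll: syms for dll, syms in added.items() if syms}

# Constructed stand-ins for the three builds in the post: a plausible /MD VS2010 CRT
# startup import set assumed by this example, not the author's real import tables.
CRT_BASELINE = [("KERNEL32.dll", ["GetModuleHandleW", "GetSystemTimeAsFileTime", "GetCurrentProcessId",
                                  "QueryPerformanceCounter", "IsDebuggerPresent", "TerminateProcess"]),
                ("MSVCR100.dll", ["__getmainargs", "_initterm", "exit", "_cexit", "__set_app_type"])]

def with_crt_calls(extra):
    # baseline plus the extra MSVCR100 imports a build pulls in (printf, getchar in the post)
    return [(dll, syms + (extra if dll == "MSVCR100.dll" else [])) for dll, syms in CRT_BASELINE]

BUILD_EMPTY, BUILD_PRINTF = build_pe32(CRT_BASELINE), build_pe32(with_crt_calls(["printf"]))
BUILD_GETCHAR = build_pe32(with_crt_calls(["printf", "getchar"]))

if __name__ == "__main__":
    print("getchar build added:", import_diff(list_imports(BUILD_PRINTF), list_imports(BUILD_GETCHAR)))
```

Run it on a real file with `list_imports(open(path, "rb").read())`. Comparing the printf build and the getchar build from the post this way shows whether they differ by anything beyond the one extra CRT import, which is the first thing to establish before blaming the scanner, filing a false-positive report, or suspecting a build-time infector. An image with no import directory at all is returned as an empty dict rather than an error, since that is itself worth noticing.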

3 comments:

  1. Strange, I did the SAME thing, but just a blank method with no return 0; statement and I got the AVG warning.

    Good job lads....

  2. I should mention that using std::cout to output text to the command prompt is more of a hit or miss, sometimes it does, sometimes it doesn't.

  3. re: "just a blank method with no return 0; statement"
    The function, which returns 'int', defaults to a return value of 0 if you don't specify one. This is confirmed by the presence of "xor eax,eax" in the assembler listing (.cod file), even with no "return 0". So essentially we were seeing the same thing.
