Click here to Skip to main content
14,667,289 members
Articles » General Programming » Bugs & Workarounds » General
Posted 6 Apr 2010

Tagged as


45 bookmarked

The Case of Evil WinMain

Rate this:
4.84 (56 votes)
Please Sign up or sign in to vote.
4.84 (56 votes)
1 Jun 2014CPOL
Story about how two thirds of all Antivirus programs gone crazy for no obvious reason

Source of this image on vtotal                                                  Next day it got worse 



#include <windows.h>

int WINAPI WinMain(HINSTANCE inst,HINSTANCE prev,LPSTR cmd,int show) {
    return 0;






One day I noticed in forum of one of my articles strange post from one scared codeproject
member that my sample is blocked from execution by Norton AV and moved to quarantine.
"Hmm that's strange" I said myself.
So I took the sample and posted it to to see what is going on. Now is one excelent site wich will scan your binary by all possible uptodate Antivirus software and give you back an report about what each av thinks about the file.
And Indeed. The report I got really contained an virus detected by symantec as "suspicious-insight".


Later I found on the web that symantec is using cloud based scanner technology called "Insight". And that this cloud based scanner is driven mainly by heuristics. So I thought

"Ok clearly some part of my code was considered by him as suspicious"

I started building exe with (around 30 lines of code) from this mine article
virustotal result: virus "suspicious-insight".

Let's remove half of the code.
virustotal result: virus "suspicious-insight".

"Hmm strange"

Let's remove remaining half of the code so only empty winmain is left.

virustotal result: virus "suspicious-insight".
BUT now also 9 from 38 AV (as you can see on firs image of article) were now screaming things like "Trojan Downloader"

After 2 years its 26 from 42 reporting it as trojan so things definitly got worse.
thats like 2/3 of av  now

"Hmm. What ? Trojan Downloader ? Where did this come from? Wasn't removing all code supposed to remove suspicius in the first place?" 

Good news is that symantec no longer reports it as  "suspicious-insight" 
Bad news is that now it reports it as  "Backdoor.Trojan"

After 2 years  nothing changed 
 still  "Backdoor.Trojan" for symantec  

So what caused 2 thirds of AV vendors to go NUTS ?

I am starting to feel that they simply started to search for malware in libc itself.  If so than that's kinda strange coz there is not that many versions of libc linked to nearly everything under the sun over and over.

Here is the mentioned VS 2008 ProjectFile + source + resulting binary not doing anything along with vtotal results for it.

But please go ahead create EMPTY c++ project to see it yourself.
Add cpp file with this empty winmain doing nothing build release

I found that following switches were making my poor old dsp different from default VS2008 project settings.

Use static libc                                          ( Multi-threaded (/MT) or any other static lib switch)
Disable Whole Program Optimization         ( set to No )
Disable Generate Debug Info                    ( set to No )
Set Randomized Base Address to Default   ( set it to default ) 

And watch that havoc on ;D.

Now those switches were in my project file loong time ago and what they cause is pure coincidence that materialized by poor fella in my forum and started it all . So only god knows what other switch combinations will make  all AV go even more crazy.

Which is kinda suspicious ;D and it seems like all Delphi guys are recently suspicious too. 

Solution ? 

Well. The question now is not what should we remove from sample code but what junk should we add to samples to not be suspicious and blocked by AV that is so paranoid that it would probably treat even it's own binaries as suspicious ;D. 
I am also interested in feedback from you guys.
How much of your small samples/programs are treated like "suspicious-insight" or alike. Just throw it on vtotal.
Anyway. I will append list of Ideas to solve issues like this here as I will find them
along with ideas from forum or av companies if any will react. 

Virustotal history: File size: 20009 bytes

MD5   : c516b5f8e194c0f00994178c7db9b717
SHA1  : b187b95bd95ca157e4b75039c19ab1dbd571160a  -> insert  unix timestamp number  mentioned bellow <- /  

1270576549 2010.04.06 17:55:49  9/39 (23.08%)

Aappend unix timestamp number starting each of lines with dates to url above to get working link. Later I stopped sending exe in zip due to some av not catching anything in zip so here is non ziped file history

-[non zipped exe]-----------------------------------------------------------------------------------------

EmptyWinmainFalsePos.exe File size: 37888 bytes

MD5   : 92ccffff01d936f577b17028387dba62
SHA1  : 14c055acf4c8ee62e849affdd601375d613b792d -> insert  unix timestamp number  mentioned bellow <- / 

1270576274 2010.04.06 17:51:14 10/39 (25.64%)
1270658787 2010.04.07 16:46:27 15/39 (38.46%)
1270668484 2010.04.07 19:28:04 14/39 (35.90%)
1271059131 2010.04.12 07:58:51 17/39 (43.59%)
1271417958 2010.04.16 11:39:18 20/40 (50.00%)
1272215218 2010.04.25 17:06:58 17/39 (43.59%)
1272534527 2010.04.29 09:48:47 19/39 (48.72%)
1273146379 2010.05.06 11:46:19 20/41 (48.78%)
1273946647 2010.05.15 18:04:07 19/41 (46.35%)
1282724966 2010.08.25 08:29:26 23/42 (54.80%)
1346440377 2012.08.31 19:12:57 26/42 (61.90%)

Update 2014.06.01:
1401646480 2014.06.01 18:14:40 36/53 (67.92%)



This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Ladislav Nevery
Software Developer (Senior)
Slovakia Slovakia
Past Projects:
[]Mobile network software: HLR-Inovation for (Corba)
Medical software: CorRea module for CT scanner
[]Computer Games:XboxLive/net code for Conan, Knights of the temple II, GeneTroopers, CivilWar, Soldier of fortune II
[]Computer Games:XboxLive/net code for Elveon game based on Unreal Engine 3
ESET Reasearch.
Looking for job

Comments and Discussions

GeneralMy vote of 1 Pin
Paul_Williams10-Jun-14 6:52
MemberPaul_Williams10-Jun-14 6:52 
QuestionYou're correct Pin
Manikandan103-Jun-14 3:11
professionalManikandan103-Jun-14 3:11 
QuestionSolution Pin
Michael Haephrati5-Mar-13 11:30
mvaMichael Haephrati5-Mar-13 11:30 
AnswerRe: Solution Pin
Ladislav Nevery5-Mar-13 12:49
MemberLadislav Nevery5-Mar-13 12:49 
GeneralMy vote of 5 Pin
Michael Haephrati5-Mar-13 1:31
mvaMichael Haephrati5-Mar-13 1:31 
GeneralMy vote of 2 Pin
Corvus Corax20-Oct-12 18:21
MemberCorvus Corax20-Oct-12 18:21 
GeneralRe: My vote of 2 Pin
Jamesmeng19-Jan-16 14:11
MemberJamesmeng19-Jan-16 14:11 
GeneralMy vote of 4 Pin
Christian Amado2-Sep-12 5:11
professionalChristian Amado2-Sep-12 5:11 
GeneralImage file looks ok Pin
marc ochsenmeier31-Aug-10 6:27
Membermarc ochsenmeier31-Aug-10 6:27 
GeneralNot bad: only 6 of 42 today on virustotal [modified] Pin
alexkiri17-May-10 20:37
Memberalexkiri17-May-10 20:37 
GeneralRe: Not bad: only 6 of 42 today on virustotal Pin
Ladislav Nevery25-May-10 3:39
MemberLadislav Nevery25-May-10 3:39 
GeneralRe: Not bad: only 6 of 42 today on virustotal [modified] Pin
Cristian Amarie6-Apr-12 12:05
MemberCristian Amarie6-Apr-12 12:05 
GeneralIt reminds me of.... Pin
edwig17-May-10 19:42
Memberedwig17-May-10 19:42 
GeneralFiles checked are different Pin
owillebo13-May-10 23:34
Memberowillebo13-May-10 23:34 
GeneralRe: Files checked are different Pin
Ladislav Nevery15-May-10 1:39
MemberLadislav Nevery15-May-10 1:39 
Questionwhat if your computer has a virus Pin
Gevorg13-May-10 18:06
MemberGevorg13-May-10 18:06 
AnswerRe: what if your computer has a virus Pin
Ladislav Nevery15-May-10 1:29
MemberLadislav Nevery15-May-10 1:29 
AnswerRe: what if your computer has a virus Pin
xliqz15-May-10 9:09
Memberxliqz15-May-10 9:09 
GeneralHmmm.... Pin
Tomas Brennan13-May-10 14:42
MemberTomas Brennan13-May-10 14:42 
QuestionEntry points? Pin
xawari1-May-10 8:46
Memberxawari1-May-10 8:46 
GeneralSignature Pin
swarup25-Apr-10 9:24
Memberswarup25-Apr-10 9:24 
GeneralRe: Signature Pin
mavric21228-Aug-11 16:31
Membermavric21228-Aug-11 16:31 
Generaleven worse now lol Pin
Druuler11-Apr-10 8:22
MemberDruuler11-Apr-10 8:22 
GeneralRe: even worse now lol Pin
Ladislav Nevery16-Apr-10 7:36
MemberLadislav Nevery16-Apr-10 7:36 
GeneralSymantec is known for false positives Pin
stringtheory_x8-Apr-10 22:05
Memberstringtheory_x8-Apr-10 22:05 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.