Malwarebytes gives trojan warning for basic C# "Hello World!" program

Basically, I just ran a scan of my computer with Malwarebytes (updated the definitions before running), and it said my "helloworld" program written in C# has a trojan.

I know for a fact this is a false positive, as I only wrote the program 2-3 days ago and followed a small tutorial website to make the program that I trust. I am new to C#, but I can't see anything that would give a trojan warning at all.

[Image: Malwarebytes report]

The program flags the executable, but not the source file.

using System;

namespace HelloWorldApplication
{
    class HelloWorld
    {
        static void Main(string[] args)
        {
            Console.WriteLine("\n\tHello World!");
            Console.WriteLine("This is my first C# program.\nI'm so proud of myself!");
            Console.WriteLine("\tTeehee!");
        }
    }
}

This is the code, written in Notepad++, and it is run from the command-line (Cygwin, actually). Why does it flag this? Is it something that, as a budding C# programmer, I should know about?

Jowl answered 8/4, 2014 at 2:13 Comment(9)
I should add, none of the other C# source files or executables in the same folder are flagged. – Jowl
Did you download a code example from a website? Could be code is executing that you don't realize is executing via custom build steps or references to dlls in the bin folder etc. I don't see anything there that would relate to a virus signature. – Tellurian
No, I wrote it myself, as well as the other programs. I took it from tutorialpoint.com. – Jowl
Unrelated, but the image in this post was blocked by Sophos with a malware warning. – Eachelle
I had the same discovery as @Eachelle. – Jacobinism
@Eachelle I edited the post to fix this. ;) – Gaol
Also, even though it's not likely in this scenario, it's worth observing that just because your source code doesn't contain bad code doesn't mean your executable doesn't: scienceblogs.com/goodmath/2007/04/15/… – Dedication
Try scanning this file at virustotal.com to find out if others also detect something with this. – Archeozoic
In my thesis work, I used around 14 antiviruses to test more than 2500 malware samples and found Malwarebytes is a very poor antivirus. Here are the slides - Slide-32 for the comparison graph. – Leoine
J
133

The problem could be that the Backdoor.MSIL.PGen Trojan is typically called 'hello.exe'. The name of your executable is presumably 'hello.exe' or 'helloworld.exe'.

Just rename your project or change the output executable to something not containing 'hello', and it should stop detecting it.

This answer is somewhat speculative, but given the name of your project, and a history of over-aggressive detection of this malware (see here), it seems a reasonable stab.

Jeneejenei answered 8/4, 2014 at 2:19 Comment(9)
That is some cruddy Anti-Virus software there. – Sinegold
I'm amazed that a piece of software as high profile as MalwareBytes would flag a false positive based solely on filename. – Leventhal
@BradThomas: Well, I'm not sure this is the reason, but given the name of the project above, it's a major smoking gun... :) There's also a history of MalwareBytes overzealously detecting this trojan: forums.malwarebytes.org/index.php?showtopic=135095 – Jeneejenei
You were right... It was the name. XP. I find that pretty stupid, tbh. Changed it to a different name and it didn't flag it. Thank you! – Jowl
@Baldrick: That was an error, my bad! I accidentally closed the tab then reopened it and clicked the unmarked check again. I checked it again. :) – Jowl
I would guess that the heuristic is (a) contains MSIL code (the kind of bytecode produced by the C# compiler), (b) is named "hello.exe". One of those by itself isn't enough. – Biliary
@ColeJohnson: Looks like maybe the fix wasn't too great.. didn't cover this case anyway! :) – Jeneejenei
@Biliary That is still one cruddy test. – Sinegold
Try using SMTP to send an email and scan it on virustotal, you might find something interesting. – Postaxial
S
14

The answer by Baldrick is likely correct, but there is also another possibility: There are viruses which search for random executables on the system and modify them by inserting their own code into them (this is, in fact, the original definition of "computer virus"). When you find that an executable which you know is trustworthy suddenly is reported as infected, you might be dealing with such a virus.

But unless your virus scanner reports other executables as the same virus, this is unlikely.

Slippery answered 8/4, 2014 at 16:23 Comment(4)
I wish he had posted the executable. I would be rather amused if someone decompiled it and found that it does contain a virus. – Reynaud
@Reynaud If he had posted it, I would have called him out for knowingly publishing a potentially malicious executable. – Slippery
@Reynaud And that is why Philipp said "a potentially malicious executable." – Hackery
@TheGuywithTheHat Fair enough. I still think it is safe to post it along with a warning. – Reynaud
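A triage sketch for the two possibilities raised in the answers above, added here as an example and not code from any poster: it checks whether a flagged file is a managed (MSIL) PE image, as one comment guesses the heuristic requires, and whether its SHA-256 still matches a hash recorded right after compiling, which separates a name-based false positive from an executable that was modified later. The names `is_managed_pe`, `triage` and `sample_pe` are hypothetical, the sample bytes are constructed, and keeping a build-time hash is an assumption.

```python
import hashlib
import struct

CLR_DIR = 14  # data-directory slot of the CLR header (present only in .NET/MSIL images)

def is_managed_pe(data: bytes) -> bool:
    """True if data is a PE image whose CLR header directory is non-empty."""
    try:
        if data[:2] != b"MZ":
            return False
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)     # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        opt = pe_off + 24                                    # after signature + COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]          # PE32 / PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
        if count <= CLR_DIR:
            return False
        rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR)
        return rva != 0 and size != 0
    except (struct.error, KeyError):                         # truncated, or not PE32/PE32+
        return False

def triage(flagged: bytes, build_sha256: str) -> dict:
    """Facts to gather before trusting or dismissing a detection."""
    digest = hashlib.sha256(flagged).hexdigest()
    return {
        "sha256": digest,                     # hash to look up on a multi-engine scanner
        "managed": is_managed_pe(flagged),    # MSIL image, per the heuristic guessed above
        "changed_since_build": digest != build_sha256.lower(),
    }

def sample_pe(managed: bool) -> bytes:
    """Constructed sample: bare PE32 headers, not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    if managed:
        struct.pack_into("<II", dirs, 8 * CLR_DIR, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)

if __name__ == "__main__":
    built = sample_pe(managed=True)
    recorded = hashlib.sha256(built).hexdigest()             # hash saved right after compiling
    print(triage(built, recorded))
    print(triage(built + b"\x90", recorded))                 # same file with one byte appended
```

A file that is flagged while `changed_since_build` is false points at the scanner's rule; a flagged file whose hash no longer matches the build-time record is the case the second answer describes.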
S
0

I just figured this out: change the "Guid" in AssemblyInfo.cs a little, then try again.

That worked for me.

Seftton answered 24/6, 2017 at 1:18 Comment(0)
