Trojan horse

[sasurfman]

So, I assembled and linked the very first do nothing program in Iczelion's tutorial 2 and then ran the exe.  AVG Free fired off on it and reported Trojan horse Back Door.Poison Ivy.N. Here is the whole program:

.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
.data
.code
start:
invoke  ExitProcess,0
end start

I scanned the \masm32 directory and got no hits with avg.  I also scanned every copy of kernel32.dll (4) and got no hits with avg, so why am I getting a hit on the assembled exe?  Needless to say, this doesn't give me a warm fuzzy.

[MichaelW]

If your system is not otherwise infected, I would say that you are getting a false positive.

[sasurfman]

In the tutorial, Iczelion says his file size of the exe is 1,536 bytes.  My file size is 12,288 bytes.  Quite a bit of difference there.

[MichaelW]

On my system the exe, built with the included batch file, is 2560 bytes. How did you build yours?

[hutch--]

Builds directly from the masm32 editor at 2k.

Make sure your own system is not infected with a virus but it sounds like a false positive, something that the trashy end of AV scanners do regularly.

Code Select Expand


    .386
    .model flat, stdcall
    option casemap:none

    include \masm32\include\windows.inc
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\kernel32.lib

    .data

    .code

    start:
    invoke  ExitProcess,0

    end start


[sinsi]

heh, I just built Hutch's code and AVG gave me the same trojan warning, and I damned well know that it ain't. Them's the breaks...

[sasurfman]

I built mine just as the tutorial stated. 
ml /c /coff /Cp msgbox.asm
link /subsystem:windows /libpath:c:\masm32\lib msgbox.obj

I'm running xp home on this laptop.

I might add that I went on to the next listing and added the code to show the message box.  After assembling and linking AVG did not fire on this version.  The exe is 16 KB.

[jj2007]

If your file size is well above the expected value, then it's not a false positive. Try to disassemble the exe...

[sinsi]

Replacing "invoke ExitProcess,0" with "ret" (exe is 1024 bytes) passes AVG's test.

I think it has to do with the number of imports...there are quite a few posts here about false positives.

[jj2007]

It is difficult to bloat an "invoke ExitProcess, 0" to the extra 10k that he produced. Disassemble the exe, and I am sure there will be nice surprises.

[sasurfman]

I found the problem with the file size.  I was using link ver 6.00.8447.  When I used link ver 5.12.8078 the file size came down to 2,560 bytes for the version that outputs a messagebox. I don't know why link ver 6.00.8447 increases the file size, but it does. I have VC 6++ installed on this pc.

[jj2007]

Still, a linker that produces 10k extra and a virus warning might have a little problem.

[hutch--]

If you want to keep using the VC6 linker, set the file alignment to 512 bytes.

[sasurfman]

If you want to keep using the VC6 linker, set the file alignment to 512 bytes.

Will that resolve the file size difference?  I'm not how to set the alignment, but I think the directive is: .align page
Is that correct?

[hutch--]

link /?