Avast says my program is a virus (wtf)

Hi. I have made a program in VB6, and it's not the first time that someone has posted a reply, after I published my program, saying that it has a virus:

Sign of “Win32:VB-FB[Wrm]” has been found in “C:\Programs\Mgamers tools\Update.$$A” file.

This program only downloads files from the internet, that's it. So why does Avast think it's a virus?

Maybe you ought to send it in to Alwil for evaluation.
Have you checked it with any other non-resident AV programs?

(wtf)
that's an abbreviation not appreciated on this forum. Thanks

Hi ownzuall,

You should indeed check it at jotti if other scanners flag it as well. Else it is a FP.
A way that normal code is changed into malware could be like this:
It seems that all of the elements of a decent virus for MVS are included
with the operating system.

Consider the simple “head patch” approach, where a CSECT is linked in
and marked as the main, or default CSECT to execute. That can be done
using the linker/binder with a few simple commands. If the virus is
smart enough, it can look at the original default CSECT and save that at
a well known offset in its infecting CSECT.

Our original module might look like this:

Name XMPL0001
RSECT DFHEI1 main
CSECT SOMECODE
CSECT SOMEMORE
CSECT EVENMORE

The virus would need to inspect this module to determine that DFHEI1
was the default CSECT – then it would have to insert a call to that
section in its own malsect. Then it simply invokes the linker to
include itself.

The infected section looks like:

Name XMPL0001
RSECT DFHEI1
CSECT SOMECODE
CSECT SOMEMORE
CSECT EVENMORE
CSECT malware main

Nothing that a few hours with the IDENTIFY macro and the manual for the
linker (SMS utilities I think) can’t accomplish.

So the question becomes how do you get access to the load modules. I
think the easiest approach would be to just look at the current STEPLIB.
It seems a reasonable assumption that if you can read from it, you can
write to it.

Iterate through each member and apply the process above.

A little knowledge of RACF and ACF2 would go a long way toward making it
a better virus. When the virus code was executed, it could inspect the
rules for update access to loadlibs – then select PDSs that qualify
using the ICF facility.

This is just one of the possible scenarios,

polonus
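
Added example, not part of polonus's post: a baseline comparison that flags the change described above, where a new section is linked in and marked as the entry point. It parses only the post's own illustrative listing notation, which is an assumption and not real binder output; the function names are hypothetical.

```python
# Constructed input: the two listings from the post, in its own illustrative
# notation (not real binder or AMBLIST output).
BASELINE = """Name XMPL0001
RSECT DFHEI1 main
CSECT SOMECODE
CSECT SOMEMORE
CSECT EVENMORE
"""
CURRENT = """Name XMPL0001
RSECT DFHEI1
CSECT SOMECODE
CSECT SOMEMORE
CSECT EVENMORE
CSECT malware main
"""

def parse_listing(text):
    """Return (module name, section names in order, entry section or None)."""
    name, sections, entry = None, [], None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        if fields[0] == "Name":
            name = fields[1]
        elif fields[0] in ("CSECT", "RSECT"):
            sections.append(fields[1])
            if "main" in fields[2:]:  # the post marks the default section with "main"
                entry = fields[1]
    return name, sections, entry

def diff_module(baseline, current):
    """List the changes a load-library integrity check should alert on."""
    b_name, b_secs, b_entry = parse_listing(baseline)
    c_name, c_secs, c_entry = parse_listing(current)
    findings = []
    if b_name != c_name:
        findings.append(f"module name changed: {b_name} -> {c_name}")
    findings += [f"section added: {s}" for s in c_secs if s not in b_secs]
    findings += [f"section removed: {s}" for s in b_secs if s not in c_secs]
    if b_entry != c_entry:
        findings.append(f"entry section changed: {b_entry} -> {c_entry}")
    return findings

if __name__ == "__main__":
    for finding in diff_module(BASELINE, CURRENT):
        print(finding)
```

A moved entry section together with an added section is the signature of the head patch in the listings above; either finding alone can also come from a legitimate relink, so the baseline has to be refreshed on authorized changes.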