The dangerous MailSend – antivirus heuristics fail

Here is a piece of malware according to several antivirus scanners:

class Program
{
  // The pad exists only to push the compiled file past 50KB; nothing reads it.
  public const string pad =
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" +
    // -- SNIP (in total 25600 Xs) --
    "XXXXXXXXXXXX"; // 25600 UTF-16 chars, about 50KB inside the assembly

  // Deliberately empty: the program does nothing at all.
  static void Main(string[] args)
  {
  }
}

Compile with (csc takes the assembly name from the /out file name, so this produces an assembly called MailSend):

csc MailSend.cs /target:exe /out:MailSend.exe

The results from virustotal.com:

Turns out that *any* .NET executable whose assembly name is MailSend and which is larger than 50KB is flagged as “Gen:Variant.Ursu.224761” (Arcabit, the odd one out, calls it Trojan.Ursu.D36DF9). The detection keys on nothing but the name and the size; the program has no behaviour at all.
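To check the two conditions separately (does the name alone trigger it, and where exactly does the size threshold sit?), here is an added Python helper that is not part of the original post. It emits padded sources following the MailSend.cs recipe above for a grid of assembly names and pad lengths and prints the matching csc command lines; the extra assembly names, the pad sizes and the output file naming are assumptions for illustration, and compiling plus uploading to VirusTotal still has to be done by hand.

```python
"""Generate padded .NET console sources to probe a name/size-based AV signature.

Added example, not code from the original post. It reproduces the post's
MailSend.cs layout for a sweep of assembly names and pad lengths so the two
suspected conditions (assembly name, file size) can be varied independently.
"""
import os

CHUNK = 50  # characters per string literal line, as in the post's source


def build_source(pad_chars: int, chunk: int = CHUNK) -> str:
    """Return C# source for an empty Program whose only content is a
    pad_chars-long constant string, split into chunk-sized literals."""
    if pad_chars < 0:
        raise ValueError("pad_chars must be >= 0")
    chunks = ["X" * chunk] * (pad_chars // chunk)
    if pad_chars % chunk:
        chunks.append("X" * (pad_chars % chunk))
    if not chunks:          # pad_chars == 0: still emit a valid empty literal
        chunks.append("")
    literals = " +\n    ".join(f'"{c}"' for c in chunks)
    return (
        "class Program\n"
        "{\n"
        "  public const string pad =\n"
        f"    {literals};\n"
        "\n"
        "  static void Main(string[] args)\n"
        "  {\n"
        "  }\n"
        "}\n"
    )


def pad_bytes_in_assembly(pad_chars: int) -> int:
    """Approximate bytes the pad occupies in the compiled assembly: .NET stores
    string literals as UTF-16 in the #US heap, so about 2 bytes per character
    (the short length prefix and PE/metadata overhead are ignored)."""
    return 2 * pad_chars


def csc_command(source_file: str, assembly_name: str) -> list:
    """csc invocation matching the post; csc names the assembly after /out."""
    return ["csc", source_file, "/target:exe", f"/out:{assembly_name}.exe"]


def variants(names, pad_sizes):
    """Cartesian product of assembly names and pad lengths.
    Returns (source filename, source text, csc argv) triples."""
    out = []
    for name in names:
        for n in pad_sizes:
            fname = f"{name}_{n}.cs"          # assumed naming scheme
            out.append((fname, build_source(n), csc_command(fname, name)))
    return out


def write_variants(outdir, names, pad_sizes):
    """Write every variant's .cs file into outdir; return the csc commands."""
    os.makedirs(outdir, exist_ok=True)
    commands = []
    for fname, src, argv in variants(names, pad_sizes):
        with open(os.path.join(outdir, fname), "w", encoding="utf-8") as fh:
            fh.write(src)
        commands.append(" ".join(argv))
    return commands


if __name__ == "__main__":
    # Assumed grid: one name from the post, two controls, and pad lengths
    # straddling the ~50KB (25600 UTF-16 chars) point the post identifies.
    grid_names = ["MailSend", "MailSendX", "HelloWorld"]
    grid_sizes = [20000, 25000, 25600, 30000]
    for cmd in write_variants("av_probe", grid_names, grid_sizes):
        print(cmd)
```

Run the generated csc lines from the av_probe directory and upload each resulting exe; if the control names stay clean at every size and MailSend flips only above the 25600-character build, the signature really is just name plus size. Note that the on-disk size of the exe is larger than pad_bytes_in_assembly by the PE and metadata overhead, so treat the 50KB figure as approximate.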

Because I’m sure that no one would ever call a legitimate program MailSend… Not as bad as startkeylogger, but you would think that the antivirus vendors had learnt their lesson by now?

Update: Another fun thing: if the assembly is built from a “new-style” (SDK-style) csproj instead, the detection name changes – it is now suddenly a Gen:Variant.Razy.299166 (or Trojan.Razy.D4909E for Arcabit).