Why some things are detected as "Virus".
Description
To all noobs who always claim everything is a virus. READ THIS.
Instructions
Antivirus software (I will refer to it as "AV") checks files using definitions and heuristics; you have maybe heard of those two terms.

Definitions: a "list" of signatures (arrays of bytes) that are present in certain programs. These lists are what you download in AV updates.

Heuristics: "rules" defined by the AV vendor that tell it which behaviour is suspicious. For example, opening a Winsock connection and then connecting without asking you is flagged as suspicious.

With that fairly clear (I hope), let's continue. Signatures are generated as arrays of bytes. That means every file in which these bytes are present is flagged as a virus. Example of a signature:

EB 01 68 EB 01 ?? ?? ?? ?? 83 EC 0C 53 56 57 EB 01 ?? 83 3D ?? ?? ?? ?? 00 74 08 EB 01 E9 E9 56 01 00 00 EB 02 E8 E9 C7 05 ?? ?? ?? ?? 01 00 00 00

The ?? are wildcards (each ?? stands for 8 bits, and 8 bits = 1 byte). A wildcard can match any byte (00-FF), because those positions hold values the compiler fills in, which change depending on how the program is compiled.

Now, as you can maybe guess, it sometimes happens that AV companies (I hate them seriously) write signatures for certain API calls (API = Application Programming Interface, the part of Windows that every program builds on). As a result, every program using those calls is now flagged as harmful. Most AVs label this kind of detection with a name like:

CRYPT/xxxxxx
HEUR/xxxxx
GENERAL/xxxxx
W32/xxxxxxx
PACKER/xxxxxx

Will add more soon.
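As an added example (not code from the original post), here is a small Python matcher that turns a byte signature with ?? wildcards, like the one quoted above, into a pattern and scans a buffer for it. The "binaries" it scans are constructed inline and stand in for two different compiles of the same program, differing only in the wildcard bytes.

```python
import re

# The signature quoted in the post; ?? marks a byte that varies between builds.
SIGNATURE = (
    "EB 01 68 EB 01 ?? ?? ?? ?? 83 EC 0C 53 56 57 EB 01 ?? 83 3D "
    "?? ?? ?? ?? 00 74 08 EB 01 E9 E9 56 01 00 00 EB 02 E8 E9 C7 05 "
    "?? ?? ?? ?? 01 00 00 00"
)


def compile_signature(sig: str) -> re.Pattern:
    """Turn a space-separated hex signature into a compiled bytes regex.

    'XX' becomes a literal byte escape (\\xXX); '??' becomes '.', which
    with re.DOTALL matches any single byte 00-FF, newline (0x0A) included.
    """
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16)
             for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, sig: str = SIGNATURE) -> list:
    """Return every offset in data where the signature matches."""
    return [m.start() for m in compile_signature(sig).finditer(data)]


def build_sample(fill: int, prefix: bytes = b"") -> bytes:
    """Construct a fake binary (not a real file): an optional prefix, then the
    signature with every wildcard replaced by one byte value, standing in for
    the build-dependent bytes a compiler would emit at those positions."""
    body = bytes(fill if tok == "??" else int(tok, 16) for tok in SIGNATURE.split())
    return prefix + body


if __name__ == "__main__":
    # Three "compiles" differ only in the wildcard bytes: all are detected.
    for fill in (0x11, 0x22, 0x0A):
        print(hex(fill), scan(build_sample(fill, prefix=b"MZ" + b"\x90" * 10)))
    # Flip one fixed byte (0x68 -> 0x97) and the signature no longer fires.
    broken = bytearray(build_sample(0x11))
    broken[2] ^= 0xFF
    print("mutated", scan(bytes(broken)))
```

This is why a signature written over the bytes of a common API call sequence catches every program that uses that sequence, not only the malware it was written for.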
