
Why is my new executable being flagged as the trojan type Wacatac:B!ml?

2026-06-20T18:33:09.15+00:00

I made a new executable from C++ source code and compiled it with an app icon, and made it play music as well, then decided to analyze it with VirusTotal. But 4 SECURITY VENDORS flagged it as a trojan, INCLUDING MICROSOFT. Please remove the WACATAC label on this, Microsoft AIs. The C++ source code is as follows:

#include <windows.h>
#include <vector>
#include <cstdlib>
#include <ctime>
#include <string>
#include <mmsystem.h>   // mciSendStringW
#include <shlobj.h>     // SHGetKnownFolderPath, FOLDERID_Downloads

#pragma comment(lib, "winmm.lib")   // mciSendStringW
#pragma comment(lib, "shell32.lib") // SHGetKnownFolderPath
#pragma comment(lib, "ole32.lib")   // CoTaskMemFree (frees the path returned by SHGetKnownFolderPath)

struct Particle {
    float x, y;
    float vx, vy;
    float alpha;
    COLORREF color;
};

std::vector<Particle> particles;

int W = 800, H = 600;

HBITMAP hBitmap = NULL;
HDC hdcMem = NULL;

// Returns the current user's Downloads folder, or an empty string if the
// known-folder lookup fails (e.g. the folder has been redirected or removed).
std::wstring GetDownloadsPath() {
    PWSTR path = NULL;
    std::wstring result;

    if (SUCCEEDED(SHGetKnownFolderPath(FOLDERID_Downloads, 0, NULL, &path))) {
        result = path;
        CoTaskMemFree(path);   // the shell allocates the string; the caller frees it
    }

    return result;
}

void StartMusic() {
    std::wstring downloads = GetDownloadsPath();
    if (downloads.empty()) return;   // no Downloads folder: nothing to play
    std::wstring mp3 = downloads + L"\\nyan.mp3";

    // MCI opens the file by path. If nyan.mp3 is not in Downloads the open
    // command fails; the return value is ignored here, so the app simply runs silent.
    std::wstring cmd = L"open \"" + mp3 + L"\" type mpegvideo alias bgm";
    mciSendStringW(cmd.c_str(), NULL, 0, NULL);
    mciSendStringW(L"play bgm repeat", NULL, 0, NULL);
}

void StopMusic() {
    mciSendStringW(L"stop bgm", NULL, 0, NULL);
    mciSendStringW(L"close bgm", NULL, 0, NULL);
}

void ResizeBuffer(HWND hwnd) {
    if (hdcMem) DeleteDC(hdcMem);
    if (hBitmap) DeleteObject(hBitmap);

    HDC hdc = GetDC(hwnd);
    RECT r;
    GetClientRect(hwnd, &r);

    W = r.right;
    H = r.bottom;

    hdcMem = CreateCompatibleDC(hdc);
    hBitmap = CreateCompatibleBitmap(hdc, W, H);
    SelectObject(hdcMem, hBitmap);

    ReleaseDC(hwnd, hdc);
}

void Spawn() {
    // A minimized window reports a 0x0 client area; rand() % 0 would divide by zero.
    if (W <= 0 || H <= 0) return;

    Particle p;
    p.x = rand() % W;
    p.y = rand() % H;
    p.vx = (rand() % 100 - 50) / 10.0f;
    p.vy = (rand() % 100 - 50) / 10.0f;
    p.alpha = 255;
    p.color = RGB(rand() % 255, rand() % 255, rand() % 255);
    particles.push_back(p);
}

void Update() {
    HBRUSH bg = CreateSolidBrush(RGB(0, 0, 0));
    RECT r = { 0,0,W,H };
    FillRect(hdcMem, &r, bg);
    DeleteObject(bg);

    for (size_t i = 0; i < particles.size();) {
        auto &p = particles[i];

        p.x += p.vx;
        p.y += p.vy;
        p.alpha -= 2;

        if (p.alpha <= 0) {
            particles.erase(particles.begin() + i);
            continue;
        }

        SetPixel(hdcMem, (int)p.x, (int)p.y, p.color);
        i++;
    }
}

void Render(HWND hwnd) {
    PAINTSTRUCT ps;
    HDC hdc = BeginPaint(hwnd, &ps);

    BitBlt(hdc, 0, 0, W, H, hdcMem, 0, 0, SRCCOPY);

    EndPaint(hwnd, &ps);
}

LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
    switch (msg) {

    case WM_CREATE:
        ResizeBuffer(hwnd);
        SetTimer(hwnd, 1, 16, NULL);
        StartMusic();
        return 0;

    case WM_SIZE:
        ResizeBuffer(hwnd);
        return 0;

    case WM_TIMER:
        Spawn();
        Spawn();
        Spawn();

        Update();
        InvalidateRect(hwnd, NULL, FALSE);
        return 0;

    case WM_PAINT:
        Render(hwnd);
        return 0;

    case WM_DESTROY:
        KillTimer(hwnd, 1);
        StopMusic();
        PostQuitMessage(0);
        return 0;
    }

    return DefWindowProc(hwnd, msg, wParam, lParam);
}

int WINAPI WinMain(HINSTANCE hInst, HINSTANCE, LPSTR, int) {
    srand((unsigned)time(0));

    // Use the explicit wide-character (W) variants so the build does not
    // depend on whether UNICODE is defined; the rest of the program already
    // uses wide strings. With the generic WNDCLASS/CreateWindowEx macros and
    // narrow literals, a UNICODE build fails to compile.
    WNDCLASSW wc = {};
    wc.lpfnWndProc = WndProc;
    wc.hInstance = hInst;
    wc.hCursor = LoadCursor(NULL, IDC_ARROW);   // without this the cursor is never set over the window
    wc.lpszClassName = L"iPhoneAnniversaryWindow";

    RegisterClassW(&wc);

    HWND hwnd = CreateWindowExW(
        0,
        L"iPhoneAnniversaryWindow",
        L"iPhone Anniversary",
        WS_OVERLAPPEDWINDOW,
        CW_USEDEFAULT, CW_USEDEFAULT,
        900, 700,
        NULL, NULL,
        hInst, NULL
    );

    ShowWindow(hwnd, SW_SHOW);

    MSG msg;
    while (GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    return 0;
}
Developer technologies | C++

1 answer

  1. Taki Ly (WICLOUD CORPORATION), Microsoft External Staff Moderator
    2026-06-22T04:10:26.0733333+00:00

    Hello @Melted (casual computer user),

    Thank you for reaching out and sharing your code snippet.

    The Wacatac.B!ml detection includes the !ml suffix, which stands for "Machine Learning." This means Windows Defender’s AI flagged the file based on its behavior and structure, not because it contains actual malware.

    While your code is innocent, heuristic scanners often flag it because:

    1. Unsigned: Newly compiled executables lack a Code Signing Certificate, granting them zero reputation.
    2. Behavior: Blindly accessing the user's Downloads folder using SHGetKnownFolderPath and silently opening a media file via mciSendStringW mimics common trojan behaviors.
    3. Entropy: Adding custom icons can alter the binary's footprint, making cloud scanners (like VirusTotal) highly sensitive.

    Below are a few ways to resolve this:

    1. Submit a False Positive Report

    The best fix is to submit your .exe to the Microsoft Security Intelligence portal. Select "Software Developer" and "Incorrectly detected." The team will analyze it and update the AI models. (See Developer FAQ).

    2. Add a Folder Exclusion

    While developing, add your project folder to Defender’s exclusion list so it doesn't delete your file during builds. (Guide: Add an exclusion to Windows Security).

    3. Use Windows Resources

    Instead of accessing the Downloads folder, embed the .mp3 and icon directly inside your .exe using a Windows Resource (.rc) file. Playing media directly from memory is considered much safer by AI scanners.

    4. Code Signing

    If you plan to publicly share the app, obtaining a Code Signing Certificate is highly recommended to build developer reputation and bypass AI checks. (See SmartScreen Overview).

    I hope this clarifies why the AI systems reacted to your project and provides you with the right path forward! Let me know if you have any additional questions. If you found my response helpful or informative, I would greatly appreciate it if you could follow this guide for your confirmation.

    Thank you.

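The remediation steps in the answer above (record the hash you will put in the false-positive report, check the signature state, scan the one file, and add a Defender exclusion scoped to the build folder rather than to Downloads or a whole drive) as a single PowerShell session. This is an added example, not code from the question, the answer, or Microsoft; the build folder, binary name, and the certificate and timestamp-server placeholders in the signing line are assumptions, and the Defender cmdlets need an elevated session.

```powershell
# Added example: triage and scoped handling of a Defender "!ml" detection on a
# freshly built executable. Assumed names: $BuildDir and $ExeName are hypothetical.
# Requires an elevated PowerShell (Add-MpPreference / Start-MpScan need admin).

$BuildDir = 'C:\dev\particles\x64\Release'   # assumed project output folder
$ExeName  = 'particles.exe'                  # assumed binary name
$ExePath  = Join-Path $BuildDir $ExeName

# 1. Record the SHA-256 of the exact file you submit. The Microsoft false-positive
#    form and VirusTotal both key on this hash; a rebuild produces a different
#    file, and the new file may get a different verdict.
$Hash = (Get-FileHash -Path $ExePath -Algorithm SHA256).Hash
"SHA256 $ExeName = $Hash"

# 2. Confirm the signature state. A plain build reports NotSigned, which is the
#    "no reputation" condition the answer describes.
$Sig = Get-AuthenticodeSignature -FilePath $ExePath
"Authenticode status: $($Sig.Status)"

# 3. Scan just this file now instead of waiting for a real-time hit mid-build,
#    then list any detections that reference it. Get-MpThreatDetection only
#    carries the numeric ThreatID; the name lives in Get-MpThreat, so join them.
Start-MpScan -ScanType CustomScan -ScanPath $ExePath
$Names = @{}
Get-MpThreat | ForEach-Object { $Names[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*$ExeName*" } |
    ForEach-Object {
        "{0}  {1}  {2}" -f $_.InitialDetectionTime, $Names[$_.ThreatID], ($_.Resources -join ';')
    }

# 4. Exclude only the build output folder, so the exclusion is as narrow as the
#    problem, and verify it took. Remove it once the binary is signed or cleared.
Add-MpPreference -ExclusionPath $BuildDir
(Get-MpPreference).ExclusionPath
# Remove-MpPreference -ExclusionPath $BuildDir

# 5. When you ship the binary, sign it and timestamp the signature so it stays
#    valid after the certificate expires. The .pfx path, password and
#    timestamp-authority URL below are placeholders, not real values.
# & signtool.exe sign /fd SHA256 /td SHA256 /tr 'https://<timestamp-authority>' `
#     /f 'C:\certs\<codesign>.pfx' /p '<pfx-password>' $ExePath
# Get-AuthenticodeSignature -FilePath $ExePath   # expect Status = Valid afterwards
```

Keep the exclusion to the output folder for the duration of development only: an exclusion on Downloads or a whole drive is exactly the blind spot a real trojan would want, and the false-positive submission (step 1 of the answer) is what actually fixes the verdict for other users.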
