First, let me make clear when I said:
Suspicious, don't you think?
I was being facetious. I didn't believe it suspicious, but it's just the sort of thing that a fledgling AV heuristic might erroneously find suspicious.
And I doubt any of them would have been so sophisticated that they could know that the program only popped up a window. More likely, they just weren't very good.
More likely both sophisticated (or trying to be) AND not very good.
Why? Because unsophisticated AV relies only on matching exact signatures, i.e. strings of bytecode, against known threats. It couldn't get much simpler.
Sure, a developer *could* mess this up, but in your case there were two programs that reported it. Moreover, as you admit yourself, the code consisted of little more than stock MS libraries that would be present on 90% of all target machines, as well as the test machines of the developers tested.
Also, for the last 10 years, AV programs, even cheap ones, have had rudimentary heuristics built in.
Are they sophisticated enough to know your program just puts up a blank window, with no input, and the code dead ends? This is what Symantec says about heuristics in general:
...the dynamic heuristic scanner uses CPU emulation to gather its information. After some initial sanity checks, the dynamic heuristic scanner loads the suspect executable file into a virtual computer and emulates its execution. The program being emulated has no idea it is running inside of a simulated computer; it believes it’s running on a real system. As the program runs within the virtual computer, it exhibits behaviors that are cataloged by the dynamic scanner.
The problem with this approach is that virus writers know about heuristics, so they intentionally write code that tries to obscure what it normally does, usually by not activating anything hinky unless it knows it's really 'in the Wild'. Instead it just acts like a simple program doing nothing.
Like your real program does.
Also, btw, this Trojan.agent.ply of Jon's is also a heuristic match. You can tell by the description. If it were an exact signature match it would tell you the full description of the "known" virus.
Instead, it is just telling us that there is a behavior that looks suspicious. But it's just a guess.
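An added illustration, not part of the post above, of the distinction it draws between an exact signature match (which yields the full name of a known threat) and a heuristic guess (which yields only a generic label and can flag a harmless program). The signature bytes, trait markers, weights and detection names are all constructed for the example; a real heuristic engine observes behaviour under emulation rather than looking for marker strings.

```python
# Constructed toy scanner: every pattern, weight and name below is made up.

# Exact byte strings mapped to the full name of a "known" threat.
SIGNATURES = {
    b"\xde\xad\xbe\xef\x13\x37": "Example.KnownThreat.A",
}

# Heuristic traits: (description, marker standing in for observed behaviour, weight).
# Each trait alone is weak evidence; only the sum is compared to the threshold.
TRAITS = [
    ("no user input handled", b"NOINPUT", 2),
    ("only stock system libraries", b"STOCKLIBS", 1),
    ("execution dead-ends after start-up", b"DEADEND", 2),
]
THRESHOLD = 4


def scan(data: bytes) -> dict:
    """Return a verdict: 'signature', 'heuristic' or 'clean'."""
    # 1. Signature pass: an exact match identifies a specific known threat.
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return {"verdict": "signature", "name": name, "reasons": []}

    # 2. Heuristic pass: add up weak indicators; the result is only a guess.
    hits = [(desc, weight) for desc, marker, weight in TRAITS if marker in data]
    score = sum(weight for _, weight in hits)
    if score >= THRESHOLD:
        return {
            "verdict": "heuristic",
            "name": "Heur.Generic.Suspicious",  # generic label, no specific family
            "reasons": [desc for desc, _ in hits],
        }
    return {"verdict": "clean", "name": None, "reasons": []}


# Constructed samples.
KNOWN_THREAT = b"MZ\x00\x00" + b"\xde\xad\xbe\xef\x13\x37" + b"\x00"
BLANK_WINDOW = b"MZ\x00\x00 STOCKLIBS NOINPUT DEADEND"   # harmless test program
ORDINARY_APP = b"MZ\x00\x00 STOCKLIBS handles input"

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_THREAT),
                          ("blank window", BLANK_WINDOW),
                          ("ordinary", ORDINARY_APP)]:
        print(label, "->", scan(sample))
```

The harmless blank-window sample crosses the threshold and is reported under the generic heuristic name, while only the exact byte match produces a specific threat name.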