Mysterious IDP.SEP.Wannacry in UnHackMe is a false positive!
UnHackMe users have previously reported that their Avast/AVG antivirus claimed UnHackMe's HackMon.exe was infected with IDP.SEP.Wannacry1. Obviously, that is not true, so I launched an investigation to understand what causes Avast/AVG to wrongfully flag UnHackMe.
Wannacry virus, is it still active?
The Wannacry virus has been dead since 2017. Then how do the Avast/AVG antiviruses detect it in 2020?

I filed a report about the false positive to the AVG support center, but the submission window always showed an error. I registered on the support forum and created a post about the problem. They fixed the submission form after ten days. After one month, they reported that the false positive was fixed too.

However, while that was a success, the new UnHackMe versions still got flagged as dangerous. I reported the false positive again and got a reply that the problem was fixed. But the issue is still here after one year!
I started my investigation.
I checked "Hackmon.exe" on the VirusTotal service. It was clean. AVG and Avast are part of one company and use the same antivirus databases. I installed Avast antivirus on a virtual machine and tested it with the standard settings. There were no problems with HackMon or the other UnHackMe components.

Then I changed the settings to high sensitivity. After that, Avast began checking every executed file with an additional window: "Suspicious file." And I got the screen with IDP.SEP.Wannacry after executing the Hackmon.exe process!

I analyzed the source code and disabled every part that might look suspicious to an antivirus. Finally, after spending a lot of time, I found the source of the problem. It was one line of code:

CreateMutex(NULL, TRUE, "Global\\MsWinZonesCacheCounterMutexW");

What is this mutex's purpose? It was added to HackMon in 2017 to prevent Wannacry infection! It is a simple "kill-switch" to defend against the Wannacry ransomware: the virus checks for the presence of the mutex and exits if the mutex exists. Because the check is for a named kernel object, the protection only lasts while some process keeps a handle to the mutex open, which is why HackMon creates it and holds it rather than creating and closing it.

Details: https://www.wannacry.be/

The National Cryptologic Center (CCN) created similar software for protection against Wannacry: https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhNDB

But Avast/AVG antivirus monitors for the creation of this mutex and identifies the program as a threat by that single event alone. That does not seem like enough for a good virus scanner! I created a simple test application with only one function: creating the mutex. Avast detected it as IDP.SEP.WANNACRY1!

Be careful with viruses! And be even more careful with antiviruses!
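The following is an added example, not UnHackMe's or HackMon's own code, showing both sides of the mutex kill-switch described above in PowerShell: the "vaccine" side, which is the .NET equivalent of the one CreateMutex line, and the ransomware-side presence check that the vaccine is meant to satisfy. The mutex name is the one quoted on this page; the function names are my own. It assumes a Windows host, since the Global\ object namespace is a Win32 feature, and running only this script is the same minimal reproduction the author describes (a program whose sole action is creating the mutex), so it can be used to confirm whether a scanner flags the mutex creation by itself.

```powershell
# Added example (not UnHackMe code): mutex kill switch, both sides.
# Mutex name taken from the HackMon one-liner quoted on the page.
$MutexName = 'Global\MsWinZonesCacheCounterMutexW'

function Test-KillSwitchMutex {
    # Ransomware-side check: does a mutex with this name already exist?
    # OpenExisting throws WaitHandleCannotBeOpenedException when nothing
    # of that name exists, so $true means some process (a vaccine such as
    # HackMon, or an earlier infection) is currently holding it.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($MutexName)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        # The object exists but our token cannot open it (DACL set by the
        # creating account). For a presence check that still means "present".
        return $true
    }
}

function Start-KillSwitchMutex {
    # Vaccine side: the .NET equivalent of
    #   CreateMutex(NULL, TRUE, "Global\\MsWinZonesCacheCounterMutexW");
    # initiallyOwned = $true; $createdNew reports whether we made a new
    # object (the Win32 call signals the same via ERROR_ALREADY_EXISTS).
    $createdNew = $false
    $m = New-Object System.Threading.Mutex($true, $MutexName, [ref]$createdNew)
    if (-not $createdNew) {
        Write-Host "Mutex already exists; another process is holding it."
        $m.Dispose()
        return $null
    }
    Write-Host "Mutex created. It exists only while this handle stays open."
    # The caller must keep the returned object alive and must not Dispose it,
    # otherwise the kernel object disappears and the kill switch is gone.
    return $m
}

# Demonstration: the presence check is $false before creation and $true
# for as long as the handle returned by Start-KillSwitchMutex is alive.
"Before: mutex present = $(Test-KillSwitchMutex)"
$handle = Start-KillSwitchMutex
"After:  mutex present = $(Test-KillSwitchMutex)"

if ($handle) {
    # Hold the mutex until the operator releases it; a real vaccine would
    # simply stay resident, as HackMon does.
    Read-Host "Press Enter to release the mutex and exit" | Out-Null
    $handle.ReleaseMutex()
    $handle.Dispose()
}
```

Two practical notes. First, ReleaseMutex must be called from the thread that acquired ownership (here, the main script thread), so do not move the release into a background job or runspace. Second, if a scanner reacts to this script, which creates the mutex and does nothing else, it is keying on the mutex name alone, exactly the behaviour the author observed with Avast/AVG at high sensitivity.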