Mysterious IDP.SEP.Wannacry in UnHackMe is a false positive!
UnHackMe users have previously reported their Avast/AVG antivirus claiming UnHackMe HackMon.exe was infected by IDP.SEP.Wannacry1. Obviously, that is not true, so I launched the investigation to understand what causes Avast/AVG to wrongfully flag UnHackMe.
Wannacry virus, is it still active?
Wannacry virus is dead since 2017.
Then how do Avast/AVG antiviruses detect it in 2020?
I filed a report about the false positive case to the AVG support center, but the submission window always showed an error.
I registered on the support forum and created a post about the problem.They fixed the submission form after ten days. After one month, they reported that the False Positive was fixed too.
However, while that was a success, the new UnHackMe versions still got flagged as dangerous.
I reported the false positive again and got a reply that the problem was fixed.But the issue is still here after one year!
I started my investigation.
I checked "Hackmon.exe" on a Virustotal service. It was clean.
AVG and Avast are part of one company and use the same antivirus databases.
I installed Avast antivirus on a virtual machine and tested with standard settings. There were no problems with HackMon or other UnHackMe components.Then, I changed the settings to high sensitivity.After that, Avast begins to check every executed file with an additional window: "Suspicious file."And I got the screen with IDP.SEP.Wannacry after executing the Hackmon.exe process!I analyzed the source code and disabled all parts that may be suspicious for antivirus. Finally, after spending a lot of time, I found the source of the problem.It was one line of code:CreateMutex(NULL, TRUE, "Global\\MsWinZonesCacheCounterMutexW");What is this mutex's purpose?It was added into the Hackmon in 2017 to prevent Wannacry infection!It is the simple "kill-switch" to defend against Wannacry ransomware.The virus checks for the presence of the mutex and exits if the mutex exists.Details:https://www.wannacry.be/National Cryptological Center, CCN created the similar software for protection against Wannacry:https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhNDBut Avast/AVG antivirus monitors for creating the mutex and identifies the program as a threat only by this event. Seems like it is not enough for a good virus scanner!I created a simple test application with only one function: creating the mutex. Avast detected it as IDP.SEP.WANNACRY1!
Be careful with viruses!
And be even more careful with antiviruses!
I registered on the support forum and created a post about the problem.
They fixed the submission form after ten days.
After one month, they reported that the False Positive was fixed too.
However, while that was a success, the new UnHackMe versions still got flagged as dangerous.
I reported the false positive again and got a reply that the problem was fixed.
But the issue is still here after one year!
After that, Avast begins to check every executed file with an additional window: "Suspicious file."
And I got the screen with IDP.SEP.Wannacry after executing the Hackmon.exe process!
I analyzed the source code and disabled all parts that may be suspicious for antivirus. Finally, after spending a lot of time, I found the source of the problem.
It was one line of code:
CreateMutex(NULL, TRUE, "Global\\MsWinZonesCacheCounterMutexW");
What is this mutex's purpose?
It was added into the Hackmon in 2017 to prevent Wannacry infection!
It is the simple "kill-switch" to defend against Wannacry ransomware.
The virus checks for the presence of the mutex and exits if the mutex exists.
Details:
https://www.wannacry.be/
National Cryptological Center, CCN created the similar software for protection against Wannacry:
https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhND
But Avast/AVG antivirus monitors for creating the mutex and identifies the program as a threat only by this event.
Seems like it is not enough for a good virus scanner!
I created a simple test application with only one function: creating the mutex.
Avast detected it as IDP.SEP.WANNACRY1!
Be careful with viruses!
And be even more careful with antiviruses!
