Mysterious IDP.SEP.Wannacry in UnHackMe is a false positive!

UnHackMe users have previously reported their Avast/AVG antivirus claiming UnHackMe HackMon.exe was infected by IDP.SEP.Wannacry1. Obviously, that is not true, so I launched the investigation to understand what causes Avast/AVG to wrongfully flag UnHackMe.

Wannacry virus, is it still active? 

Wannacry virus is dead since 2017. 

Then how do Avast/AVG antiviruses detect it in 2020?

I filed a report about the false positive case to the AVG support center, but the submission window always showed an error.

I registered on the support forum and created a post about the problem.

They fixed the submission form after ten days. 

After one month, they reported that the False Positive was fixed too.

However, while that was a success, the new UnHackMe versions still got flagged as dangerous.

I reported the false positive again and got a reply that the problem was fixed.

But the issue is still here after one year!

 

I started my investigation.

I checked "Hackmon.exe" on a Virustotal service.

It was clean.

AVG and Avast are part of one company and use the same antivirus databases.

I installed Avast antivirus on a virtual machine and tested with standard settings. There were no problems with HackMon or other UnHackMe components.

Then, I changed the settings to high sensitivity.

After that, Avast begins to check every executed file with an additional window: "Suspicious file."

And I got the screen with IDP.SEP.Wannacry after executing the Hackmon.exe process!

I analyzed the source code and disabled all parts that may be suspicious for antivirus. Finally, after spending a lot of time, I found the source of the problem.

It was one line of code:

 CreateMutex(NULL, TRUE, "Global\\MsWinZonesCacheCounterMutexW");

What is this mutex's purpose?

It was added into the Hackmon in 2017 to prevent Wannacry infection!

It is the simple "kill-switch" to defend against Wannacry ransomware.

The virus checks for the presence of the mutex and exits if the mutex exists.

Details:

https://www.wannacry.be/

National Cryptological Center, CCN created the similar software for protection against Wannacry:

https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhND

But Avast/AVG antivirus monitors for creating the mutex and identifies the program as a threat only by this event.

Seems like it is not enough for a good virus scanner!

I created a simple test application with only one function: creating the mutex.

Avast detected it as IDP.SEP.WANNACRY1!

 

Be careful with viruses!

And be even more careful with antiviruses!

Read More

Got Something To Say?

Your email address will not be published. Required fields are marked *