Mysterious IDP.SEP.Wannacry in UnHackMe is a false positive!

UnHackMe users have reported that their Avast/AVG antivirus flags the UnHackMe component HackMon.exe as infected with IDP.SEP.Wannacry1. That is not true, so I started an investigation to find out what causes Avast/AVG to wrongly flag UnHackMe.

Is the WannaCry virus still active?

The WannaCry worm has been dead since 2017. So how do the Avast/AVG antiviruses detect it in 2020?

I filed a report about the false positive with the AVG support center, but the submission window always showed an error. I registered on the support forum and created a post about the problem. They fixed the submission form after ten days. A month later they reported that the false positive was fixed too. That was a success, but the new UnHackMe versions still got flagged as dangerous. I reported the false positive again and got a reply that the problem was fixed. The issue is still here after one year!

I started my investigation.

I checked HackMon.exe on the VirusTotal service. It was clean. AVG and Avast belong to one company and use the same antivirus databases. I installed Avast antivirus on a virtual machine and tested it with the standard settings. There were no problems with HackMon or the other UnHackMe components. Then I changed the settings to high sensitivity. After that, Avast began checking every executed file and showing an additional window: "Suspicious file." And I got the IDP.SEP.Wannacry screen after executing the HackMon.exe process!

I analyzed the source code and disabled every part that might look suspicious to an antivirus. Finally, after spending a lot of time, I found the source of the problem. It was one line of code:

CreateMutex(NULL, TRUE, "Global\\MsWinZonesCacheCounterMutexW");

What is this mutex's purpose? It was added to HackMon in 2017 to prevent WannaCry infection. It is the simple "kill switch" that defends against the WannaCry ransomware: the worm checks for the presence of the mutex and exits if the mutex already exists. Because a named kernel object only exists while some process holds a handle to it, HackMon has to keep running for the protection to hold. Details: https://www.wannacry.be/

The National Cryptologic Center (CCN) created similar software for protection against WannaCry: https://loreto.ccn-cert.cni.es/index.php/s/tYxMah1T7x7FhND

But Avast/AVG antivirus monitors for the creation of this mutex and identifies the program as a threat on that single event alone. That is not enough for a good virus scanner! I created a simple test application with only one function: creating the mutex. Avast detected it as IDP.SEP.WANNACRY1!

Be careful with viruses! And be even more careful with antiviruses!
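The following PowerShell script is an added example, not UnHackMe's code, that reproduces both sides of the kill switch described above from .NET: the presence check the worm performs (open the named mutex; if it opens, the vaccine is present and the worm exits) and the one-line "vaccine" HackMon performs (create and hold the mutex). Running it on a machine with Avast/AVG in high-sensitivity mode is a way to reproduce the false positive against a script that does nothing else. The function names and the final cleanup are my own; only the mutex name comes from the post.

```powershell
# Added example (not part of UnHackMe). Reproduces the WannaCry kill-switch
# mutex from PowerShell via .NET. The mutex name is the one quoted in the post.
$MutexName = 'Global\MsWinZonesCacheCounterMutexW'

function Test-KillSwitchMutex {
    # Worm-side view: try to open the named mutex without creating it.
    # Success means the kill switch is already present on this machine.
    param([string]$Name = $MutexName)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # No object with that name exists in the Global\ namespace.
        return $false
    }
}

function New-KillSwitchMutex {
    # Vaccine-side view, equivalent to the C call in HackMon:
    #   CreateMutex(NULL, TRUE, "Global\\MsWinZonesCacheCounterMutexW");
    # The kernel object lives only while a handle to it is open, so the
    # returned object must be kept referenced for as long as the protection
    # should last (HackMon keeps its process running for the same reason).
    param([string]$Name = $MutexName)
    $createdNew = $false
    $m = New-Object System.Threading.Mutex($true, $Name, [ref]$createdNew)
    if (-not $createdNew) {
        Write-Warning "Mutex '$Name' already exists in another process."
    }
    return $m
}

# Usage: show the state before and after creating the vaccine mutex.
"Kill-switch mutex present before: $(Test-KillSwitchMutex)"
$vaccine = New-KillSwitchMutex
"Kill-switch mutex present after : $(Test-KillSwitchMutex)"
# If a behaviour-based scanner flags the PowerShell host at this point, the
# only thing it has observed is the creation of this one named mutex.
Read-Host 'Mutex is held; press Enter to release it and exit' | Out-Null
$vaccine.Dispose()   # closing the last handle removes the object again
```

Expected behaviour on a clean machine is `False` before and `True` after; a `True` before the script has created anything means another process (a vaccine tool or the worm itself) already holds the name.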
