Wacatac.B!ml plays peek-a-boo
-
Yesterday I downloaded npp v8.7 from https://notepad-plus-plus.org/downloads/v8.7/
Today I was wondering why there was a black flag in the lower-right corner of my Windows 11 desktop and so finally clicked. It was a notification from Microsoft’s Windows Defender:
Threat quarantined
Rating Severe
09/17/2024 23:20
Detected: Trojan:Script/Wacatac.B!ml
Status: Quarantined
Date: 9/17/2024 11:20 PM
Details: This program is dangerous and executes commands from an attacker.
Affected items:
file: C:\npp\npp.8.7.RTM.portable.7z
file: C:\npp\npp.8.7.RTM.portable.minimalist.7z
(When I download files I rename them to insert RC# or RTM in the file name so that I know if it’s a release candidate or a production release)
I restored both files from the quarantine, expanded both of them to folders, and ran the Microsoft Defender scan on both folders. They are clean.
I then ran Microsoft Defender on the original downloads; they are clean. I copied the downloads to another folder; they are clean.
I downloaded a new set of files from https://notepad-plus-plus.org/downloads/v8.7/ to a folder and they are clean and identical to the files I had downloaded yesterday…
Whatever it was, Wacatac.B!ml apparently is harmless. It’s apparently a piece of code that tends to show up in viruses and so appearances of that code snippet get flagged even though the code itself is harmless. For more details see the post by Rob Koch on https://answers.microsoft.com/en-us/windows/forum/all/overly-eager-heuristics-for-trojanwin32wacatacbml/6f2a72f3-3978-48ac-9fb7-fbe82c686ae3
Wacatac has shown up a couple of times on this forum, mainly to annoy @Coises
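The checks described in the post (compare the flagged file with a fresh download, rescan it, and look at what Defender recorded) can be scripted. This is an added example, not part of the original post: the function name `Test-FlaggedDownload`, the `C:\npp-fresh` path and the digest placeholder are assumptions, while the cmdlets are the standard Defender and file-hash cmdlets on Windows.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
function Test-FlaggedDownload {
    param(
        [Parameter(Mandatory)][string]$Flagged,   # file Defender quarantined and you restored
        [Parameter(Mandatory)][string]$Fresh,     # second download of the same release
        [string]$PublishedSha256                  # optional: digest published by the project
    )

    # 1. Byte-for-byte comparison of the two downloads via SHA-256.
    $flaggedHash = (Get-FileHash -LiteralPath $Flagged -Algorithm SHA256).Hash
    $freshHash   = (Get-FileHash -LiteralPath $Fresh   -Algorithm SHA256).Hash

    # 2. What Defender already recorded for this file name.
    $leaf  = [regex]::Escape((Split-Path $Flagged -Leaf))
    $prior = @(Get-MpThreatDetection | Where-Object { $_.Resources -match $leaf })
    $names = foreach ($d in $prior) {
        (Get-MpThreat -ThreatID $d.ThreatID -ErrorAction SilentlyContinue).ThreatName
    }

    # 3. Rescan the file and collect detections raised since the scan started.
    $started = Get-Date
    Start-MpScan -ScanType CustomScan -ScanPath $Flagged
    $new = @(Get-MpThreatDetection | Where-Object {
        $_.InitialDetectionTime -ge $started -and $_.Resources -match $leaf
    })

    [pscustomobject]@{
        FlaggedSha256     = $flaggedHash
        DownloadsMatch    = ($flaggedHash -eq $freshHash)
        # $null means no published digest was supplied, so nothing was checked.
        MatchesPublished  = if ($PublishedSha256) { $flaggedHash -eq $PublishedSha256.ToUpper() } else { $null }
        PriorDetections   = @($names | Sort-Object -Unique)
        RedetectedOnScan  = ($new.Count -gt 0)
    }
}

# Flagged path is from the post; the fresh path is an assumed location.
# Replace the placeholder with the digest from the project's release page.
Test-FlaggedDownload -Flagged 'C:\npp\npp.8.7.RTM.portable.7z' `
                     -Fresh   'C:\npp-fresh\npp.8.7.portable.7z' `
                     -PublishedSha256 '<SHA-256 from the release page>'
```

`DownloadsMatch` only shows that both copies came off the server identical; `MatchesPublished` is the check that ties the file to what the project released.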