I have been giving away the results of my hobbies for literally decades, for free, for use by anyone who wants it. As of today, I will no longer be releasing compiled software to the public for free use. I’ll still give away the random scripts, design templates, documents, etc., basically anything that can be presented on-screen in a text format. But no more compiled software.
I recently became aware that SystemIdleCheck, whose main executable is called sic.exe, has been reported as being malware or malicious software. Actually, it’s been reported as a keylogger several times, and technically it is. It’s actually a mouse tracker, too. I’ve been up-front about these items, as it is the main advertised functionality of the program, as described and documented. In a nutshell, the program runs in the background and monitors for activity. After a configurable amount of time with no activity from the user, an action is performed. These actions are:
- Log the user off
- Lock the user session
- Shutdown the computer
- Restart the computer
- Do nothing (testing mode)
Check out the page linked above for a full description as to why this program was brought in to being.
The Latest Report
The most recent report I’ve been made aware of is from a company in Dubai called any.run, and damn, the report they give for sic.exe is one of the more ridiculous fictions that I have seen in a while. I may be reading this report wrong, but let me elaborate. According to the report, the following are why SystemIdleCheck is malware:
Report Artifact | True / False | Comments |
---|---|---|
SystemIdleCheck has 46 total processes | False | SystemIdleCheck has one process: sic.exe |
The program uses Win64 bit architecture | False | It is a Win32 app written in VB6. (trivial, but included here to show how inaccurate the report is) |
Reads from the registry 12,492 times | False | It reads six items from the registry to get configuration options set by the system administrator |
Writes to the registry 106 times | False | does not have the capability to write to the registry at all |
Deletes registry items 24 times | False | does not have the capability to delete items from the registry at all |
Executes via Task Scheduler via sipnotify.exe | False | there is no task scheduler integration, and does not interact with any other processes |
Reads internet settings via sipnotify.exe | False | there is no internet or network functionality, and does not interact with any other processes |
Reads system certificates via sipnotify.exe | False | there is no interaction with certs or other auth mechanisms, and does not interact with any other processes |
Executes as a Windows service, via EOSNotify.exe | False | No, not a service. More of a pseudo service*. And EOSNotify? Really? |
Checks supported languages | False | User enters configured string values in their own languages. Sic.exe doesn’t care. |
Reads the computer name | True | Uses the name of the local computer in Windows Event Logs |
Manual Execution By User | Maybe | Can be executed manually by any authorized user |
Reads software policy settings | False | Nope. |
Reads Security Settings of Internet Explorer | False | Nope. Sic.exe doesn’t use the internet or any networking at all. |
Has two malicious processes | False | reports PWSH.EXE as a process of this software. THAT’S POWERSHELL, by MICROSOFT. |
Drops 6 suspicious files** | WTF | Reports Microsoft files as suspicious |
Two HTTP requests | False | Doesn’t use networking … |
Ten TCP/UDP Connections | False | Doesn’t use networking … |
Four DNS Requests | False | Doesn’t use networking … |
Notes on Notes
Pseudo Service*
I call this a pseudo service because it is not registered with the service manager, but does run in the background. There is no direct user interaction with the software, other than the warning that is configured by the system administrator.
Dropping Files**
This report, if I read it correctly, says that SystemIdleCheck drops six malicious files, including binaries, text, html, and image files. However, the files reference pwsh.exe (PowerShell) and SipNotify.exe. PowerShell is, well, PowerShell. SipNotify is a tool distributed by Microsoft to nag users about the end of support for Windows 7. SystemIdleCheck does not interact with either of these processes, nor does it drop any files, anywhere.
Process Interaction
Besides the reported interaction with PowerShell and SipNotify, interactions are also reported to take place with:
- EOSNotify.EXE (Windows 7 End of Service Life Notification nag, by Microsoft)
- wmpnscfg.exe (Windows Media Player new media device notification, by Microsoft)
All I can say is, “What?” SystemIdleCheck does not interact with these processes at all. If you’re still running Windows 7, for which end of support happened on January 14, 2020, that’s on you. I don’t care, and neither does my software. If you are still using Windows 7, I would strongly suggest you update to something more current, though.
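One way to check a sandbox report like this is to split the recorded activity by process lineage: events from the sample's own process tree versus events from everything else running in the VM. This is an added example, not part of SystemIdleCheck or of any.run's tooling; the process list, PIDs and counts are constructed (only the six registry reads come from the figure stated above), and the field names are hypothetical.

```python
from collections import defaultdict

# Constructed process list for one sandbox run (not from any real report).
# Field names are hypothetical; sic.exe's 6 registry reads mirror the
# figure the author states, every other number is made up.
PROCESSES = [
    {"pid": 4,    "ppid": 0,    "image": "System",        "reg_reads": 0,    "net": 0},
    {"pid": 700,  "ppid": 4,    "image": "services.exe",  "reg_reads": 310,  "net": 0},
    {"pid": 1200, "ppid": 700,  "image": "svchost.exe",   "reg_reads": 5200, "net": 6},
    {"pid": 1310, "ppid": 1200, "image": "sipnotify.exe", "reg_reads": 2900, "net": 4},
    {"pid": 1322, "ppid": 1200, "image": "EOSNotify.exe", "reg_reads": 1800, "net": 0},
    {"pid": 1500, "ppid": 700,  "image": "wmpnscfg.exe",  "reg_reads": 40,   "net": 0},
    {"pid": 2000, "ppid": 4,    "image": "explorer.exe",  "reg_reads": 900,  "net": 0},
    {"pid": 2440, "ppid": 2000, "image": "sic.exe",       "reg_reads": 6,    "net": 0},
]
COUNTERS = ("reg_reads", "net")


def descendants(processes, root_pid):
    """Return the set of PIDs in the process tree rooted at root_pid."""
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p["pid"])
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            stack.extend(children[pid])
    return seen


def attribute(processes, sample_image):
    """Total the counters for the sample's process tree and for the rest."""
    tree = set()
    for p in processes:
        if p["image"].lower() == sample_image.lower():
            tree |= descendants(processes, p["pid"])
    totals = {"sample": dict.fromkeys(COUNTERS, 0),
              "background": dict.fromkeys(COUNTERS, 0)}
    outside = []
    for p in processes:
        side = "sample" if p["pid"] in tree else "background"
        for key in COUNTERS:
            totals[side][key] += p[key]
        if side == "background":
            outside.append(p["image"])
    return totals, sorted(outside)


if __name__ == "__main__":
    totals, outside = attribute(PROCESSES, "sic.exe")
    print("sample tree:", totals["sample"])
    print("background: ", totals["background"])
    print("not in sample tree:", ", ".join(outside))
```

Lineage is a first-pass filter, not proof: a process outside the sample's tree still needs a look at what launched it before its activity is ruled in or out.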
Take it with a Grain of Salt
Be real aware of who you are believing on the internet. Not everyone knows what they are doing. I’m not claiming to know everything, I’m just a guy that has gotten tired of being accused of trying to hack the planet. The report that has been presented by any.run is attributing the actions of Microsoft software to my software. More interesting is the fact that sic.exe is not reported as a keylogger, which it technically is. The difference is that it doesn’t record the user inputs. It simply monitors for keypresses or mouse movements to detect idle states. Which is the point of the program. If you want more info on keyloggers, try these pages:
5 Common Phishing Techniques to Watch For
Finally, the End of the Rant
I began tech blogging way back in 2005, and built this site in May, 2007. SystemIdleCheck was first released in September, 2017. Since then, there have been over 96,000 downloads of the package. I’ve helped people from all areas of society to get this app running in their environments. The point of this paragraph is to say, if I was trying to hack your data, I think 7 years since releasing the software would be an extremely slow return on investment. All I’ve done for the last 17 (née 19 years) is to help others with the talent that I have.
So, hey, now that the rant is out of the way, I’m attaching the full VB6 source code for SystemIdleCheck (sic.exe) to this post. Examine it. You’ll see that there is no magic there. I’ve strung together a bunch of functions to fulfill a need. Do what you want with it. Convert it to some language of your choice.