IronyModManager
Win32/Znyonm Trojan
Update - I did find this issue https://github.com/bcssov/IronyModManager/issues/501 but it was for a generic Trojan and this one is not. Antivirus claims Installer version: win-x64-setup.zip is the Win32/Znyonm Trojan.
To Reproduce
Steps to reproduce the behavior:
- Download and run win-x64-setup.zip ([Latest stable version: v1.26.173](https://github.com/bcssov/IronyModManager/releases/tag/v1.26.173)) or attempt to update an existing Irony Mod Manager to v1.26.173
- Antivirus flags the file as a Trojan (threat severity: severe): https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FZnyonm&threatid=2147890445
- Workaround is to install [Latest stable version: v1.26.167](https://github.com/bcssov/IronyModManager/releases/tag/v1.26.167) instead and ignore the update.
Expected behavior
Antivirus would not detect any suspected malware, or there would be an official response from the dev team or anyone online confirming a false positive, or even a productive online discussion anywhere about this.
Screenshots
Logs
2024-04-24 09:16:45.2867 Version: 1.26.167+4f49ae9fcb
OS Description: Microsoft Windows 10.0.19045
Runtime Identifier: win-x64
NetSparkleUpdater.NetSparkleException: Downloaded file has invalid signature!
Version:
- OS: Windows 10 Home 22H2 build 19045.4291
- Irony Version v1.26.173
Additional context
[Reddit Post](https://www.reddit.com/r/Stellaris/comments/1cbldx3/irony_mod_manager_win32znyonm_trojan/)
Just recently it was flagged by BitDefender, and it has since been whitelisted: https://github.com/bcssov/IronyModManager/issues/501
The nature of mod managers is that they tend to be false-flagged. Yes, this is a false positive as long as you download from this site only.
Last time I checked, all of these were "detected" by 4-5 different vendors; since then they've been whitelisted.
https://www.virustotal.com/gui/file/01bbd7488cc7c4d1139b9d06e3f33c18d70efc998c5776a68cb5d8a28f9e4309 https://www.virustotal.com/gui/file/c0811d55ea38f22f4eefb171468f71482840eab36fe293a91cc4a5814bb5c7d0 https://www.virustotal.com/gui/file/67ef624aa2b864cd2b1eda0077b1ec6e3cabffeaaa67b057b59b1b92e801dc92
As I mentioned in the previous ticket, I don't have time to run around to hundreds of different AV vendors to whitelist it. I mean, it's not the first blunder of an AV vendor, just a few examples:
https://www.techrepublic.com/article/how-to-stop-windows-defender-from-mistaking-legitimate-files-for-trojans/ https://malwaretips.com/blogs/windows-security-detecting-google-chrome-as-virus/ https://forums.malwarebytes.com/topic/10881-avg-virus-scanner-accidentally-removes-critical-windows-component/
Feel free to submit the file to Microsoft for analysis; they'll whitelist it eventually. In the meantime, if you don't trust me, use an older version or use something else.
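The three VirusTotal links above identify files by SHA-256 digest (the hex string in the `/gui/file/` path). The following is an added example, not code from the Irony Mod Manager project or from either participant in this thread: it hashes a downloaded file locally and checks it against those three digests, so you can tell whether the file your AV flagged is byte-for-byte one of the artifacts whose VirusTotal reports the maintainer linked. The sample file it writes is constructed for the demonstration and is not a real installer; the `check_download`, `virustotal_url` and `write_constructed_sample` names are this example's own.

```python
import hashlib
import os
import tempfile

# SHA-256 digests copied from the VirusTotal URLs the maintainer linked above.
# VirusTotal's /gui/file/<hash> path is the file's SHA-256 in hex.
KNOWN_RELEASE_SHA256 = {
    "01bbd7488cc7c4d1139b9d06e3f33c18d70efc998c5776a68cb5d8a28f9e4309",
    "c0811d55ea38f22f4eefb171468f71482840eab36fe293a91cc4a5814bb5c7d0",
    "67ef624aa2b864cd2b1eda0077b1ec6e3cabffeaaa67b057b59b1b92e801dc92",
}

VIRUSTOTAL_FILE_URL = "https://www.virustotal.com/gui/file/{}"


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def virustotal_url(sha256_hex: str) -> str:
    """URL of the VirusTotal report for a file with this SHA-256 (lowercase hex)."""
    return VIRUSTOTAL_FILE_URL.format(sha256_hex.lower())


def check_download(path: str, known: set = KNOWN_RELEASE_SHA256) -> tuple:
    """Return (digest, matches_known, report_url) for the file at `path`.

    A match means the bytes on disk are exactly one of the files whose
    VirusTotal reports the maintainer posted, so a local AV verdict is about
    the published artifact rather than a tampered or partial download.
    A match says nothing about whether that artifact is clean; for that,
    open the report URL and read the vendor verdicts yourself.
    """
    digest = sha256_of_file(path)
    return digest, digest in known, virustotal_url(digest)


def write_constructed_sample(data: bytes = b"abc") -> str:
    """Write a constructed stand-in file (NOT a real installer) and return its path."""
    fd, path = tempfile.mkstemp(prefix="constructed-sample-", suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; point check_download at the
    # real download (e.g. win-x64-setup.zip) to test an actual file.
    sample = write_constructed_sample()
    digest, ok, url = check_download(sample)
    print(f"sha256 : {digest}")
    print(f"known  : {ok}")
    print(f"report : {url}")
    os.remove(sample)
```

Two practical points when using this on the real download: the zip archive and the setup.exe inside it have different digests, so hash the file the AV actually named; and on Windows `Get-FileHash -Algorithm SHA256 .\win-x64-setup.zip` in PowerShell produces the same SHA-256 without any Python. A digest that matches none of the three only means the file is not one of those specific artifacts (for example a different release), not that it is malicious; a digest that matches means the verdict you are seeing is the one already recorded on the linked VirusTotal page.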
Oh, that's good. I do know the tendency of mod managers to get flagged but I've also heard of people's GitHubs getting compromised to push malicious updates. I appreciate you reaching out to let me know. I thought it was odd that only the .exe flagged the antivirus and not the other repos but I'd never used Irony before so wanted to double check.
Think about it logically: it was released about a month ago and over 8k people have already downloaded it. The AV is flagging the setup.exe? I'm using the Inno Setup installer, and AVs tend to false-flag programs using it: https://stackoverflow.com/questions/67573833/windows-defender-detects-my-own-inno-setup-as-virus https://stackoverflow.com/questions/50992901/inno-setup-virus
It's used by thousands of developers and unfortunately by malware authors too. And finally, no my account has not been compromised.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.