Trojan Skeeyah.H

Answered

Windows Defender detects a Trojan in the PhpStorm install folder, details below. Is this a false positive or is the installer compromised?

 

Trojan:Win32/Skeeyah.H

containerfile: C:\Program Files\JetBrains\PhpStorm\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar

file: C:\ProgramFiles\JetBrains\PhpStorm\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class

4
21 comments

No similar reports in our support center or at our tracker. So this is the first one. Where did you get the file: from jetbrains.com? Any chance the installation got infected after it had already been installed?

0
Permanently deleted user

I have the same problem. In my case I'm using Microsoft System Center Endpoint Protection. The trojan is detected in IntelliJ IDEA Ultimate 2017.3.

0
Permanently deleted user

I downloaded the installer from https://www.jetbrains.com/phpstorm/download/ and I'm pretty confident it was from the installer as Windows picked it up shortly after the install. Windows also located the same Trojan in CLion.

0
Permanently deleted user

Windows Defender just found Skeeyah.H in my WebStorm folder. I got my license and installer from JetBrains for being a full-time student using my student email. I don't know what this is, but this Trojan has been detected again after I removed it once.

0

Please submit this issue at http://youtrack.jetbrains.com/issues/WI#newissue=yes attaching screenshots/information about the issue for our devs to look into.

0
Permanently deleted user

I am also having the same issue.

0

I ran into this same problem, couldn't see anyone had reported it on YouTrack, so did so here: 

https://youtrack.jetbrains.com/issue/IDEA-186808

1
Permanently deleted user

Windows Defender advanced scan also reported a Trojan in my IntelliJ installation.  I do an advanced scan every week so this is new.   

The report was of Win32/Skeeyah.H, but the location was in c:\Program Files\JetBrains\Intellij IDEA 2017.3\plugins\JavaScriptLang\lib\JavaScriptLanguage.jar.  The report says the problem is in file: C:\Program Files\JetBrains\IntelliJ IDEA 2017.3\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class

Clearly this is a widespread issue.  

It would be good to find out whether this is a false positive or real.  I've left it quarantined for now, but Windows Defender is recommending "Remove threat now".

0
Permanently deleted user

I checked my portable computer also running IntelliJ, ran NOD32 first, which didn't give a Trojan warning, but Windows Defender (advanced scan) did.  

Both copies of IntelliJ are 2017.3.4 build IU-173.4548.28.

 

0

Same issue. Win10, install downloaded from IntelliJ.

0
Permanently deleted user

I just got the same message, using Windows 10 Pro and the latest Windows Defender definitions. Uploaded the file to VirusTotal, no detection there. I've put the file into quarantine for the time being.

https://www.virustotal.com/#/file/df77951ab9806a52a27649f24bd52744083a0da8664bdf85561ef294909dfdc7/detection

C:\Program Files\JetBrains\IntelliJ IDEA 2017.3.3\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar

0

Windows 10 Pro Defender just gave a warning: Trojan:Win32/Skeeyah.H

Affected items:
containerfile: C:\Program Files\JetBrains\WebStorm 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar
file: C:\Program Files\JetBrains\WebStorm 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class

 

0
Permanently deleted user

I also got the same message:

file: C:\Program Files\JetBrains\IntelliJ IDEA 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar

file: C:\Program Files\JetBrains\IntelliJ IDEA 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class

0
Permanently deleted user

Same here. Can you guys give us any update, please?

0

Hi Yigit, a JetBrains employee commented on the YouTrack issue yesterday:  https://youtrack.jetbrains.com/issue/IDEA-186808

2

OK, according to Vladimir Orlov's check-up and conclusions this is a false alarm or hoax by Windows Defender.

It would still be interesting to know what was removed during the file clean-up by the Defender. If some code was truly removed from the file, is my IDE now missing something? Should the 'infected file' be reinstalled to avoid future errors?

0

According to information in the issue, the affected file is JavaScriptLanguage.jar.
If it's still there in your installation - don't bother, it's not likely that Defender corrupts files.

0
Permanently deleted user

Has JetBrains gotten Microsoft to take the file off the threat list for future scans?

Has JetBrains modified the file so as not to trigger a warning by Microsoft?

And what are we supposed to do? 

1. Nothing (to leave the file in Quarantine)

2.  Click Restore

3.  Click Remove

JetBrains should be providing specific guidance.

 

0
Permanently deleted user

I restored the file from the Windows Defender quarantine today, and let it scan the IntelliJ directory, no threats found. I guess Microsoft updated the antivirus definitions.

0
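One way to check a cleaned or restored JavaScriptLanguage.jar against a copy taken from a fresh download, as an added example that is not part of the thread and not JetBrains code: it splits the `container->entry` resource string that Defender reports and lists which entries are missing, modified or extra. The function names and the in-memory sample jars are constructed for illustration.

```python
import hashlib
import io
import zipfile

def split_defender_resource(resource):
    """Split a Defender 'file: <jar>-><entry>' line into (jar_path, entry)."""
    text = resource.strip()
    for prefix in ("containerfile:", "file:"):
        if text.lower().startswith(prefix):
            text = text[len(prefix):].strip()
            break
    jar_path, sep, entry = text.partition("->")
    return jar_path, (entry if sep else None)

def entry_hashes(jar):
    """Map each entry name in a jar (path or file object) to its SHA-256."""
    with zipfile.ZipFile(jar) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def diff_jars(installed, reference):
    """Return {entry: 'missing' | 'modified' | 'extra'}, installed vs reference."""
    have, want = entry_hashes(installed), entry_hashes(reference)
    result = {}
    for name in sorted(set(have) | set(want)):
        if name not in have:
            result[name] = "missing"    # present upstream, absent locally
        elif name not in want:
            result[name] = "extra"      # present locally only
        elif have[name] != want[name]:
            result[name] = "modified"   # same name, different bytes
    return result

def make_jar(entries):
    """Build an in-memory jar from {name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

if __name__ == "__main__":
    line = (r"file: C:\Program Files\JetBrains\PhpStorm\plugins\JavaScriptLanguage\lib"
            r"\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class")
    jar_path, flagged = split_defender_resource(line)
    reference = make_jar({flagged: b"constructed-bytes", "a/B.class": b"b"})
    cleaned = make_jar({"a/B.class": b"b"})  # simulates the flagged entry removed
    print(jar_path, diff_jars(cleaned, reference))
```

With real files, pass the two jar paths to `diff_jars`; an empty result means every entry in the installed jar is byte-identical to the reference copy.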
