Trojan Skeeyah.H

Answered

Windows Defender detects a Trojan in the PhpStorm install folder, details below. Is this a false positive or is the installer compromised?

 

Trojan:Win32/Skeeyah.H

containerfile: C:\Program Files\JetBrains\PhpStorm\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar

file: C:\ProgramFiles\JetBrains\PhpStorm\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class

22 comments

No similar reports in our support center or at our tracker. So this is a first one. Where did you get the file: from jetbrains.com? Any chance the installation got infected after it's been already installed?

0

I have the same problem. In my case I'm using Microsoft System Center Endpoint Protection. The trojan is detected in IntelliJ IDEA Ultimate 2017.3.

0

I downloaded the installer from https://www.jetbrains.com/phpstorm/download/ and I'm pretty confident it was from the installer as Windows picked it up shortly after the install. Windows also located the same Trojan in CLion.

0

Windows Defender just found Skeeyah.H in my WebStorm folder. I got my license and installer from JetBrains for being a full-time student using my student email. I don't know what this is, but this Trojan has been detected again after I removed it once.

0

Please submit this issue at http://youtrack.jetbrains.com/issues/WI#newissue=yes attaching screenshots/information about the issue for our devs to look into.

0

I am also having the same issue.

0

I ran into this same problem, couldn't see anyone had reported it on YouTrack, so did so here: 

https://youtrack.jetbrains.com/issue/IDEA-186808

1

Windows Defender advanced scan also reported a Trojan in my IntelliJ installation.  I do an advanced scan every week so this is new.   

The report was of Win32/Skeeyah.H, but the location was in c:\Program Files\JetBrains\Intellij IDEA 2017.3\plugins\JavaScriptLang\lib\JavaScriptLanguage.jar.  The report says the problem is in file: C:\Program Files\JetBrains\IntelliJ IDEA 2017.3\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class

Clearly this is a widespread issue.  

It would be good to find out whether this is a false positive or real.  I've left it quarantined for now, but Windows Defender is recommending "Remove threat now".

0

I checked my portable computer also running IntelliJ, ran NOD32 first, which didn't give a Trojan warning, but Windows Defender (advanced scan) did.  

Both copies of IntelliJ are 2017.3.4 build IU-173.4548.28.

 

0

Same issue.  Win10, install downloaded from intelliJ.

0

I just got the same message, using Windows 10 Pro and the latest Windows Defender definitions. Uploaded the file to VirusTotal, no detection there. I've put the file into quarantine for the time being.

https://www.virustotal.com/#/file/df77951ab9806a52a27649f24bd52744083a0da8664bdf85561ef294909dfdc7/detection

C:\Program Files\JetBrains\IntelliJ IDEA 2017.3.3\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar

0

Windows 10 Pro Defender just gave a warning: Trojan:Win32/Skeeyah.H

Affected items:
containerfile: C:\Program Files\JetBrains\WebStorm 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar
file: C:\Program Files\JetBrains\WebStorm 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class

 

0

I also got the same message:

file: C:\Program Files\JetBrains\IntelliJ IDEA 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar

file: C:\Program Files\JetBrains\IntelliJ IDEA 2017.3.4\plugins\JavaScriptLanguage\lib\JavaScriptLanguage.jar->com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class

0

Hello everynyan! 

Glad (?) to know I'm not the only one having this issue. Left my comp to scan overnight and came up with this.

0

Same here. Can you guys give us any update, please?

0

Hi Yigit, a JetBrains employee commented on the YouTrack issue yesterday:  https://youtrack.jetbrains.com/issue/IDEA-186808

2

OK, according to Vladimir Orlov's check-up and conclusions this is a false alarm or hoax by Windows Defender.

It would still be interesting to know what was removed during the file clean-up by the Defender. If some code was truly removed from the file, is my IDE now missing something? Should the 'infected file' be reinstalled to avoid future errors?

0
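One way to check what a clean-up or quarantine restore actually changed is to compare the installed JAR, entry by entry, against the same JAR taken from a fresh download of the same build. This is an added example, not part of the original thread and not JetBrains tooling; the function names and the in-memory sample archives are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Entry named in the Defender reports quoted in this thread.
FLAGGED = "com/intellij/lang/javascript/inject/JsRegExpMatcherProvider.class"


def entry_digests(jar) -> dict:
    """Map every file entry of a JAR (path or file object) to its SHA-256."""
    with zipfile.ZipFile(jar) as zf:
        bad = zf.testzip()  # CRC check; names the first corrupt entry, if any
        if bad is not None:
            raise ValueError(f"corrupt entry: {bad}")
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}


def diff_jars(reference, installed) -> dict:
    """Compare the installed JAR against a reference copy, entry by entry."""
    ref, cur = entry_digests(reference), entry_digests(installed)
    return {
        "missing": sorted(ref.keys() - cur.keys()),   # removed during clean-up
        "extra": sorted(cur.keys() - ref.keys()),     # not shipped by the vendor
        "changed": sorted(n for n in ref.keys() & cur.keys() if ref[n] != cur[n]),
    }


def make_jar(entries: dict) -> io.BytesIO:
    """Build a small in-memory JAR (constructed sample data, not a real plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed stand-ins for a fresh download and a cleaned-up installation.
REFERENCE = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
             FLAGGED: b"\xca\xfe\xba\xbe constructed class bytes"}
CLEANED = {k: v for k, v in REFERENCE.items() if k != FLAGGED}

if __name__ == "__main__":
    # With real files, pass the two paths instead of the in-memory samples.
    print(diff_jars(make_jar(REFERENCE), make_jar(CLEANED)))
```

An empty result in all three lists means the installed JAR carries the same contents as the reference; any name under "missing" or "changed" is a reason to reinstall that file from the vendor's download.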

According to information in the issue, the affected file is JavaScriptLanguage.jar.
If it's still there in your installation - don't bother, it's not likely that Defender corrupts files.

0

Has JetBrains gotten Microsoft to take the file off the threat list for future scans?

Has JetBrains modified the file so as not to trigger a warning by Microsoft?

And what are we supposed to do? 

1. Nothing (to leave the file in Quarantine)

2.  Click Restore

3.  Click Remove

JetBrains should be providing specific guidance.

 

0

I restored the file from the Windows Defender quarantine today, and let it scan the IntelliJ directory, no threats found. I guess Microsoft updated the antivirus definitions.

0
