Komodo Edit Ranbyus trojan

Hi Sorry if this is the wrong section but I just installed Komodo Edit on Windows and Windows defender came up saying it had found trojan ranbyus in the Komodo Edit files. Just thought you should know.

1 Like

Some more info:
TrojanSpy: Win32/Ranbyus
In C:\Program Files (x86)\ActiveState Komodo Edit 9\lib\mozilla\python\komodo\krypt\hash\MD4.pyd
and also windows\installers\23de369.msi>media.cab>core.file._lib_mozilla_python_komodo_Crypto_Hash_MD4.pyd

Yeah, I got it too. Microsoft Security Essentials caught it on W7 and Windows Defender on W10.

file:C:\Program Files\ActiveState Komodo Edit 9\lib\mozilla\python\komodo\Crypto\Hash\MD4.pyd

It looks serious enough to raise a big red flag.

There are no viruses in Komodo, its funny that windows thinks that a hash algorithm is a virus. Anyway that should be fixed.

thats good to know. thanks for the response!

We actually have systems in place to ensure we don’t ship with false positives like this, not sure why this slipped through. @careyh can you look into this?

To clarify: we do NOT ship with any sort of virus or trojan, this is a false positive.

OK. So, with that MD4.pyd file gone (both Defender and MSE zapped it) , are there any side effects to be expected? Or should I re-install?

Yes it will likely break in certain places. For now you should simply whitelist the file until we are able to provide a fix.

What version of windows are you using by the way?

@foxharry @cheshiredesigner,

First confirm that the download you got matches the MD5SUMS we provide with the Komodo installers. If they match then please report this as a false positive to Windows Defender. There isn’t anything we can do about it on our end.

  • Carey

I’m running it on one old W7 and on one more recent W10 machine.

Unfortunately I have allowed the file to be removed in both cases, so whitelisting is not an option at this point.

If the manure hits the fan I guess I’ll just reinstall in one place and copy the file over to the other, unless you can provide me with a copy of MD4.pyd.

Thanks for your quick response!

You can always re-download or re-install, you should still be able to whitelist.

Please also check your MD% sums as per @careyh’s post. Also, could you tell us where you obtained your copy of Komodo from?

There isn’t anything we can do about it on our end.

That may get you some annoyed user feedback.

I have always downloaded Komodo from the komodoide site. The issue only arose after an automatic update. I wouldn’t know how to checksum-check those.

Fair enough but there really isn’t anything we can do other than what we’ve already done which is scan releases before they are shipped and generate and provide MD5SUMS on those checked files (so you can confirm they are the same file we provided).

If the virus scanner heuristics decide that a binary file matches some pattern that they are scanning for then all we can do it alert them do they’re mistake. Since we can’t reproduce the issue, we need you to report it as safe since you’ve confirmed with us (as you should) that it is. I’m not passing the buck. I’m just letting you know that there isn’t actually anything we can do. I’m DEFINITELY not saying that YOU have don’t anything wrong by telling us, that is for certain :blush:.

Automatic update bits are generated and check-summed at build time and will fail if those checksums are wrong so you can rest assured that you have the files we intended you to have.

  • Carey

@cheshiredesigner, can you confirm how you got onto the effected release? Was it auto-update as well?

  • Carey

Hi again. I’m not blaming anyone here. As a software developer all I’m saying is: “if this happens to me, why shouldn’t it happen to everybody else?”. And that is something to worry about.

Anyway, I found a Komodo-Edit-9.3.0-16396.msi in my download directory that I must have downloaded manually on November 4. It gave me no problems. I vaguely remember Komodo (version before that) saying that I should download it manually because an update could not be done. I have seen that before, so I was not surprised or worried.

That was v9.3.0. A few days ago Komodo Edit (w10) told me that an upgrade 9.3.1 was available, and I let it run the show. Windows defender cut in after installation had completed.

Right now I just did a clean install of Komodo Edit on yet another W10 laptop. This version was downloaded this morning from ‘http://komodoide.com/download/edit-win32/#’.

The MD5 checksum matches.

WIndows Defender here, too, finds the MD4.pyd to be a problem.

@foxharry,

Thanks for doing the followup of downloading and checking the checksums.

I downloaded the installer again, updated my Windows Defender and I do now get a warning from Windows Defender.

I’ve checked previous builds and newer builds. Non of those builds set off Windows Defender. The source for those files is the same but are compiled at build time so they vary when checked with md5sum. Frustratingly (hey that is a word!) enough, that one build seems to have somehow triggered Windows Defender.

If you could try reporting the issues as a false positive from your PC we would appreciate that. I will be doing the same here.

We’re already planning to do a release soon so this will be resolved then.

Apologies for this hassle!

  • Carey

Hi, Sorry for not responding sooner. I downloaded it form the Komodo website as a full new install, not an update. I’ve also let windows defender remove the file (currently not had anything break since doing that) but will redownload tonight and white list it.
Windows 8.1 here.

1 Like

Done!

Frustratingly, a post must be at least 10 chars long. :wink:

Thanks for helping out!

1 Like