Author Topic: Miranda NG flagged as ransomware by Malwarebytes during update  (Read 251 times)

bpsep (topic starter, Newbie):
Hi, today after getting a pu_stub.exe popup to update the application, Miranda was flagged and quarantined by Malwarebytes as ransomware. Any idea what might have caused it?

Vulpix (Beta Tester):
Quite strange. I would say it's a false positive, but you can check the SHA checksums to see if your miranda64 is the same as the official one (that is, if you use the dev builds):

https://www.virustotal.com/#/file/a3193fac1f51e04ff8baed764469f338eabf7e8315074a04a19a8d7d3448f620/detection

dartraiden (Localization Maintainer):
Antivirus "Behavioral Analysis" is still very dumb.
It does not like that Miranda requests privileges via pu_stub (otherwise, Miranda running without administrator privileges cannot update itself in Program Files) and rewrites some files inside Program Files.
We have nothing to do with this.

You can compile Miranda64.exe with VS2017 (/bin15/mir_full.sln) and check hashes.

dartraiden (Localization Maintainer):
Quote from Vulpix: "you can check the sha checksums if your miranda64 is the same as the official one"
Or just check for updates via Plugin Updater. If the local file has a different checksum (compared to hashes.zip from the server), Plugin Updater will regard it as requiring an update.

Stable: https://www.miranda-ng.org/distr/stable/x64/hashes.zip
Dev: https://www.miranda-ng.org/distr/x64/hashes.zip
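
The check dartraiden describes (compare each local file's SHA-256 with the published list and treat any difference as "needs update") as an added example; it is not Miranda NG's Plugin Updater code or part of this thread. The `<sha256>  <relative path>` line format of the hashes file is an assumption, and the files and digests in `demo()` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_hash_list(text):
    """Parse '<hex sha256>  <relative path>' lines (assumed format) into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # Tolerate sha256sum's "*" binary marker and Windows path separators.
        name = name.strip().lstrip("*").replace("\\", "/")
        expected[name] = digest.lower()
    return expected

def sha256_of(path):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_install(install_dir, expected):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every listed file."""
    results = {}
    for name, digest in expected.items():
        path = Path(install_dir, *name.split("/"))
        if not path.is_file():
            results[name] = "missing"
        elif sha256_of(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"  # what Plugin Updater treats as "needs update"
    return results

def demo():
    """Constructed install: one intact file, one altered file, one absent file."""
    good, bad = b"miranda64 demo bytes", b"tampered copy"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "Plugins").mkdir()
        Path(d, "miranda64.exe").write_bytes(good)
        Path(d, "Plugins", "PluginUpdater.dll").write_bytes(bad)
        hash_list = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in
            [("miranda64.exe", good), ("Plugins/PluginUpdater.dll", b"original dll"),
             ("pu_stub.exe", b"stub")])
        return verify_install(d, parse_hash_list(hash_list))
```

Against a real install, point `verify_install` at the Miranda directory and feed it the text extracted from the hashes.zip linked above; a "mismatch" on a file you did not modify is the case worth investigating before restoring anything from quarantine.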

bpsep (topic starter, Newbie):
Thanks for all the suggestions, however I couldn't get any of these hashes even on a clean install.

Must have been a weird false positive, because after I removed it from quarantine Malwarebytes didn't flag it a second time (nor did virustotal.com).