Trojan Win32/Znyonm
For the first time in about twenty years, I catch myself a virus infection on my main computer system.
I’ve just spent the last two days reinstalling Windows. Last week, Microsoft Defender found and deleted a file from my system that it classified as the Win32/Znyonm malware, a trojan. There doesn’t seem to be a lot of information on this malware out there. Most mentions of it are people who seem to have gotten various game and program files misidentified as this trojan. I was pretty sure that this wasn’t a false positive though, for two reasons.
- The location and name of the file are extremely suspicious. A folder in my user account
Tempfolder named after a random hash? Including a file calledWindowsBootManager? Looks like the attacker is trying to pass the malware off as a legitimate Windows process. Except that the .EXE for the Windows Boot Manager has no business hanging out in\AppData\Local\Temp, I feel. - Defender deleted this file, but it always came back upon rebooting the machine. That makes it certain that there’s malware somewhere else on the system dropping this file to be executed after a reboot.
Defender found and deleted the trojan and terminated its processes and I didn’t notice any suspicious network traffic, running processes or weird behaviour, but the file always coming back made me sure that there was an attack in progress. Maybe the trojan had dropped a rootkit somewhere that was continuously trying to install its payload?
I did the only thing you can do in these cases, if you’re serious about opsec: I wiped all system drive partitions and reinstalled Windows from scratch. To be on the safe side, I also re-flashed the firmware (UEFI) of my mainboard, in case some part of the malware was hiding there. What can I say, I’m an infosec journalist and things like LogoFAIL have made me quite paranoid.
Speaking of being a journalist writing about information security: This must have been the first malware I caught in nigh on twenty years. If you discount the virtual machines and expendable hardware I usually use for field research. Even though I install an inordinate amount of software for testing purposes, I am usually extremely careful about these things. I had quite a good streak going there, but hey, I’m working in a dangerous field and probably classify as a high-value target, so I’m not surprised it had to end some time.
Details on this Trojan
It surprises me how little info there is to find on this malware. It seems to originate in Russia (which explains the name, I guess) and was apparently first detected around mid-October 2023. Some sources suggest it is somehow connected, or used in conjunction with, Agent Tesla. Its purpose seems to be to steal credentials for online services and banking accounts. It also seems that it is being detected by pretty much every anti-virus solution these days. I have no idea where I could have gotten it from. I keep all the files I download and didn’t find anything suspicious going back a month or two. Sadly, I didn’t have a sample to analyse as Microsoft Defender was very rigorous about deleting this thing every time it popped up.
If you have more information on this malware, please do let me know in the comments below or by emailing me.
Windows 11
I had wanted to re-install Windows for about a year anyway. Things were getting crufty and someone who’s been around the Windows world as long as I have (since Windows 3.1, actually) knows that, no matter what Microsoft’s PR department says, Windows installations always get weird after a year or two. The more software you install, the more weird errors pop up.
I also took the opportunity to upgrade to Windows 11. I haven’t heard a single good reason from anyone why you should do this, to be honest, but I thought I might as well do so when I’m re-installing anyway, if only for the longer security support cycle (Windows 10’s EOL is currently scheduled for 14 October 2025). Since I was pretty vocal about there being no real reason to upgrade and, on the contrary, there actually being reasons against it — like the higher resource usage and system requirements of Windows 11 — a small, nagging voice in the back of my head keeps saying: What if Microsoft sent you this virus as part of a Windows update to make you switch? 
Well, what’s done is done. I guess Windows 11 is okay. The start menu gets weirder and weirder with every new version, though. And the window borders are way to big. The window controls look like they were designed by Playmobil. But I do like the new Windows terminal, especially with the WSL integration, I must say. It looks like Microsoft, after more than forty years, finally managed to come up with a decent terminal solution! And night mode finally works across almost everything. Small victories!
Why did the re-install take two days, you might ask? Well, I have up-to-date backups of everything and could have restored all my apps and settings with one click, but I did not want to do that. One reason is that It felt safer to me to re-download everything from trusted sources. But I also wanted a clean slate. I think it’s very useful to completely wipe your Windows setup like this once in a while. It freshens everything up and gets rid of programs you keep around even though you never use them any more.
Well, it looks like I have shaken the malware for now. Let’s hope I can go another twenty years without something else popping up.