
Trojan with Sony Walkman Media Go file. Malware?



On Feb. 5, I purchased a Sony NWZE385 Walkman MP3/Video Player and installed the required software. My previous Sony Walkman had no such software. It was your basic plug-and-play device; you just plugged it in and transferred files, much like a memory stick. But now Sony has developed a number of add-ons, I guess to make the Walkman more like an iPod, and so before you can operate the Walkman you have to go through an extensive automatic download/installation process ... without knowing if you need any or all of it. One of the downloaded applications is called Media Go.

 

On Feb. 7, 14 and 21, I ran Malwarebytes scans on my computer, as well as ClamWin antivirus and Microsoft Security Essentials. No malware or viruses were detected.

 

On Feb. 28, I ran Malwarebytes and Microsoft Security Essentials, and as before nothing odd came up. However, while running a ClamWin virus scan, it located the following Trojan associated with Sony's Media Go software: C:\Program Files\Sony Media Go Install\Net20\kor\langpack.exe: Win.Trojan.Agent-848388 FOUND. After removing the Trojan I uninstalled all of the Sony Walkman software and deleted any related files still left on my computer. Since then all ClamWin scans (as well as Malwarebytes and Microsoft Security Essentials) have come up clean.

 

I contacted Sony to try to find out how a virus ended up in software associated with the Walkman software installation. They insist there's no way I could have picked up a Trojan via software downloads from Sony websites. However, I wonder if it is possible to pick up Trojans via automatic downloads? It happened to me last November, when I'm pretty sure I picked up a Trojan via an automatic Flash Player update. (I ended up with the unwanted Ask Toolbar and immediately started getting Trojan and virus alerts. I have since switched to manual Flash Player updates; I go to the Adobe website and check for updated versions, then install them as needed.) It was at this point that I installed Malwarebytes (free version), which did initially find and quarantine the following malware: PUP.Optional.DownloadSponsor. I have been running weekly Malwarebytes scans ever since.

 

The Sony attendant I spoke with on the phone claimed that I still could have malware on my computer, which is lurking in the background and waiting until certain software coding pops up and activates the Trojan, which then attaches itself to that particular file. If that's the case, then why isn't Malwarebytes spotting it? Or did the attendant just feed me a line to try to deflect blame away from Sony? (Who, after all, does not have the greatest track record when it comes to security.)


"PUP.Optional" is not a malware detection.  It stands for Potentially Unwanted Programs.  It has a lot to do with software that comes bundled with crapware.

 

Take the file langpack.exe from C:\Program Files\Sony Media Go Install\Net20\kor\langpack.exe and submit it to Virus Total. This will check the file against several dozen anti-malware solution scanners.

 

Chances are HIGH that this [ Win.Trojan.Agent-848388 ] is/was a False Positive declaration and if you don't speak Korean then you can safely delete that file.


David, thanks for the explanation about PUP.Optional. I guess I assumed that since Malwarebytes detected it, it was considered malware. Live and learn!

 

As I noted in my first post, after this Trojan was detected in the Sony Media Go file, I uninstalled all of the Sony Walkman software and deleted any related files. So that file is no longer on my computer. I have Virus Total bookmarked, but I didn't think to run the file there before deleting it. Doing a search for that filename, they don't have it listed. I guess I can try reinstalling all the software to see what happens. Not sure I want to, though.

 

Usually, when ClamWin spots what it considers to be a false positive, it is identified as such. But that didn't happen this time around.

 

I admit that I laughed when I saw kor in the file. Wasn't Korea implicated in this most recent Sony hack scandal?


You can't do searches for a file name. Any file can be named anything and malware will often hide in plain sight by using the name of a legitimate file. What counts is context. You describe a condition [ On Feb. 5, I purchased a Sony NWZE385 Walkman MP3/Video Player and installed the required software ] and a fully qualified location: C:\Program Files\Sony Media Go Install\Net20\kor\langpack.exe. That is context. That information lowers the propensity of it being malicious and moves it into the realm of a False Positive declaration.

 

That was North Korea and while they may be the puppet master in the hack attack, chances are that it was done through an agent country such as China. However I can see the coincidence factor. :D

 

You can re-install the Sony software.


No.  That's not what I meant at all and I am sorry for any confusion.

 

I am attempting to point out that doing a Google search on a file name is pointless because any file can be named anything.  I am trying to relate that the name isn't a significant factor but the context of a file is.  In this case, your case, the file location and the time period it has existed on your computer.

 

Virus Total is for submitting the file in question.  Virus Total has dozens of anti malware scanners.  They don't care about the file name, they care about the contents.

 

We submit to Virus Total to see if the detection, so noted, is abnormal and discern other information.

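The point made above, that a flagged file is identified by its contents and context rather than its name, shown as an added PowerShell example that is not part of any post in this thread. It gathers the SHA-256 hash, timestamps and Authenticode signature status for the path ClamWin reported; it assumes PowerShell 4.0 or later (for Get-FileHash), and the function name Get-FlaggedFileContext is hypothetical.

```powershell
# Added example: describe a flagged file by content and context, not by name.
# The path is the one ClamWin reported in this thread.
$Path = 'C:\Program Files\Sony Media Go Install\Net20\kor\langpack.exe'

# Hypothetical helper name; it only reads metadata and never modifies the file.
function Get-FlaggedFileContext {
    param([Parameter(Mandatory)][string]$LiteralPath)

    if (-not (Test-Path -LiteralPath $LiteralPath -PathType Leaf)) {
        # The file may already be deleted or quarantined, as happened in this thread.
        Write-Warning "Not found: $LiteralPath"
        return
    }

    $item = Get-Item -LiteralPath $LiteralPath -Force
    $hash = Get-FileHash -LiteralPath $LiteralPath -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $LiteralPath

    [pscustomobject]@{
        # Context: where the file lives and how long it has been there.
        Path        = $item.FullName
        SizeBytes   = $item.Length
        CreatedUtc  = $item.CreationTimeUtc
        ModifiedUtc = $item.LastWriteTimeUtc
        # Content: the hash is the same whatever the file is named.
        SHA256      = $hash.Hash
        # Publisher: 'Valid' means the signature verifies against a trusted chain.
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

Get-FlaggedFileContext -LiteralPath $Path | Format-List
```

The SHA256 value identifies the contents regardless of the file name, so it is the value to match against the Virus Total report for the submitted file.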

OK, thanks for the clarification. Since I hadn't discussed doing other types of searches (Google or otherwise), that's where my confusion lay.

 

Since I have deleted all the Sony files from my computer, I decided to try plugging in my Walkman and then using Virus Total to scan the Media Go file. (It's not that specific file, but rather MediaGo.xml.) No viruses were detected.

 

I haven't reinstalled the Sony software. I'm not sure I really want to go there. It's not just because of the Trojan detection, regardless of whether it's a false positive, but also because it's basically a whole lotta stuff I just don't need. I don't need access to the Sony store, or the various and sundry other "advantages" they feel go along with the software. Maybe it's an improvement for other folks, but for me it was a step back. I just want a device I can use to listen to music. That's all.


We are ONLY interested in langpack.exe  and submitting it to Virus Total.  It was the file that was flagged.

 

As I wrote earlier, you may reinstall the Sony software.  Then you will have the file below again to submit.

 

C:\Program Files\Sony Media Go Install\Net20\kor\langpack.exe

 

EDIT:

 

Once the file is submitted to Virus Total it will have a specific URL associated with it.  Once you have that Virus Total Report URL, post it so I can look at it.

Edited by David H. Lipman

Well, sadly that download was an exercise in futility. The langpack.exe file does not show up in the Sony Media Go Install folder. However, there also is neither a Net20 nor a kor file folder there, either. Remember that the Trojan detection did not turn up until three weeks after I purchased the Walkman, and I'd been doing weekly scans prior to that. I still wonder if this might have been produced in an automatic update. So maybe I will have to wait a few weeks and see what, if anything, turns up.


No, as I noted before, the auto-install prompt window that opened when I initially plugged in my brand-new Walkman is not showing up now (maybe because I already installed it once before). So I went online and installed Sony's Media Go software, since that was where the Trojan was detected. But now that particular Net20\kor\langpack.exe file extension is not showing up. I went to Sony's eSupport page for the Sony NWZE385 Walkman, and the only download I see is the Media Go software ... which I have already downloaded. Not sure what else I can do here.


Thanks! In response to your earlier question, I should have clarified that there is a Sony Media Go Install folder in Program Files, as there was before. However, in that folder there is no Net20\kor\langpack.exe. I even did a search just for langpack.exe, but couldn't find anything.

 

I'll leave the Media Go software installed for now. If anything odd materializes, I will report it here.


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.