Wednesday, July 13, 2016

WARNING: YouTube 360 Metadata Tool may have Trojan (malware / virus)!

THIS IS NOT A JOKE. I found a Trojan virus in the link to the YouTube 360 metadata tool!
1. How did you detect it?
2. What kind of malware is it?
3. What is the source of the Trojan? How did you get the Trojan?
4. Is this a false alarm?
5. How do you remove it?


Update: There is a thread on GitHub discussing it, found by Jason Fletcher. According to pwroberts, it is a false positive. Headline revised.

1. HOW DID YOU DETECT IT?
It was found by Windows Defender (I use Windows 10). The Trojan is called "Win32/Rundas!plock" and it was hiding in a file called "Spatial Media Metadata Injector.exe".

2. WHAT KIND OF MALWARE IS IT?
This is not just adware. It's the real deal - truly dangerous malware. It allows a hacker to execute commands on your computer.

There are no symptoms. The only way you'll find out is through an alert from security software. See here:

3. WHAT IS THE SOURCE OF THE TROJAN?  HOW DID YOU GET THE TROJAN?
I found the source of the Trojan.  I went to the official YouTube metadata tool download here: https://support.google.com/youtube/answer/6178631?hl=en
I clicked on "Prepare for upload" and clicked on the Windows version to download.  The link went to: < https: //github.com/google/spatial-media/releases/download/v2.0/360.Video.Metadata.Tool .win .zip  >

*Note: I intentionally did not make the link "live." Go there at your own risk.

If you expand the zip file you will see a directory with the real YouTube metadata tool, but you will also see the file "Spatial Media Metadata Injector.exe". See picture below, where I downloaded it again on my phone just to test, and you can see the "Spatial Media Metadata Injector.exe" file at the bottom.

4. IS THIS A FALSE ALARM?
Possibly, but these are the facts: Unfortunately, before I got the warning from Windows Defender, I did run the Spatial Media Metadata Injector.exe file last night, and actually I was wondering why, when I did, no dialog box came up for selecting my video. I also tried dragging and dropping my video on the file and nothing apparently happened. Later, when I looked at the other directory in the zip file, I saw the real metadata injector tool. When I clicked on the real tool, it gave me the dialog box where I could select my video, and check the box for 360 or 3D. So that seems to suggest the Spatial Metadata Injector file is indeed malware that is hitchhiking.

A friend who is a developer has commented on GitHub for Google developers to see. For now, please do not run the Spatial Metadata Injector file.
5. HOW DO YOU REMOVE IT?
I tried to remove it with Windows Defender, but it could not seem to remove it. Possibly because I already sent mine to the Recycle Bin.

Then this morning I saw the warning from Windows Defender.  I tried to use Windows Defender to remove it automatically but it didn't seem to work.  I then deleted the file manually.  It's still in my recycle bin, which hasn't been emptied, for documenting purposes.  I also did a quick scan, which found nothing.  I thought that would get rid of it, but when I rebooted, I was still getting warnings from Windows Defender.  Except this time when I click on detected files, it shows an empty list.  I'm wondering whether the Trojan possibly created another copy of itself somewhere when I ran the file last night.  I am probably going to reformat my hard drive.  In the meantime, I shut down my laptop so that it can't be accessed and the malware (if it's there) won't run.
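One way to triage a suspected false positive like this before resorting to a reformat, as an added example that is not part of the original post: hash every file in the archive so it can be compared against a fresh copy from the GitHub release, ask Defender what it actually recorded for the flagged file, and scan only the extracted folder. The archive path and the scratch folder are assumptions.

```powershell
# Added example (not from the original post). Assumes the downloaded archive
# is at $ZipPath; adjust the path to wherever the zip was saved.
$ZipPath = "$env:USERPROFILE\Downloads\360.Video.Metadata.Tool.win.zip"   # assumption
$Extract = Join-Path $env:TEMP "spatial-media-triage"                     # assumption

# 1. Unpack to a scratch folder and record the SHA256 of every file, so the
#    values can be compared against a second, freshly downloaded copy of the
#    same release (a mismatch would mean the archive was altered in transit).
Expand-Archive -LiteralPath $ZipPath -DestinationPath $Extract -Force
Get-ChildItem -Path $Extract -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { $_.Path } }, Hash |
    Format-Table -AutoSize

# 2. Ask Defender what it recorded: which path triggered the detection, when,
#    and whether its remediation action succeeded. An empty result after the
#    file was deleted manually is consistent with the alert referring to the
#    copy that no longer exists, not with a second copy elsewhere.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'Spatial Media Metadata Injector' } |
    Select-Object DetectionID, InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# 3. Run an on-demand scan of only the extracted folder, then list what
#    Defender currently considers an active threat on the machine.
Start-MpScan -ScanType CustomScan -ScanPath $Extract
Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive | Format-Table -AutoSize
```

If step 3 reports nothing active and the hashes match a fresh download, the earlier alerts were about the deleted copy and a reformat is not indicated.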