False Positive Trojan Sonoko.A!ms in Chrome User Data Cache Files?

  • Question

  • Starting today, we've been getting a Trojan alert for cache files in Chrome:

    Malware Name: Trojan:Win32/Sonoko.A!ms

    Number of infections: 12

    Last detection time(UTC time): 12/13/2017 6:12:45 PM

    Location: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00034e

    The Microsoft page for this Trojan doesn't have much info other than that it can potentially allow a hacker to perform actions on your PC.

    https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Sonoko.A!ms&ThreatID=-2147242665



    • Edited by jlee_guard Wednesday, December 13, 2017 9:51 PM
    Wednesday, December 13, 2017 6:42 PM

All replies

  • I am having the exact same issue. Three computers have so far reported this multiple times each. 
    Wednesday, December 13, 2017 6:53 PM
  • Seeing the same thing

    the file can appear under various names but has the md5 e12eeb338db91793038b48871191abb8

    VirusTotal says only Microsoft detects this file.  Thinking a false positive.

    Wednesday, December 13, 2017 6:54 PM
  • We started to see the same thing this morning, only a small number of users affected so far.  Can't tell if it's a false positive or not.
    Wednesday, December 13, 2017 6:57 PM
  • Same exact story here... Post if you get any more details. We are also seeing Win32/Ditertag.B in tandem with each report of Win32/Sonoko.A!ms.
    • Edited by Mrhea Wednesday, December 13, 2017 7:07 PM
    Wednesday, December 13, 2017 7:02 PM
  • Think this is caused by an outbrain ad.

    Can reproduce by visiting this site using chrome:

    https://www.glamour.com/story/betty-cooper-ponytail-riverdale

    Wednesday, December 13, 2017 7:24 PM
  • I am seeing it, too, on a couple of seemingly innocuous sites like latimes.com and businessinsider.com

    Chrome seems to trigger it, but not MSIE or Firefox

    I bet it is related to ad serving...



    • Edited by Dick Dee Wednesday, December 13, 2017 7:30 PM
    Wednesday, December 13, 2017 7:24 PM
  • Hi,

    I'm getting the same with Opera

    Trojan:Win32/Sonoko.A!ms

    file: C:\Users\********\AppData\Local\Opera Software\Opera Stable\Cache\f_0062ef

    Wednesday, December 13, 2017 7:26 PM
  • Just received a Defender notification. Found in Vivaldi browser user cache
    Wednesday, December 13, 2017 7:28 PM
  • I'm getting the same issue. It started about an hour ago. No matter how many times I delete it, the message pops right back up.
    Wednesday, December 13, 2017 7:40 PM
  • I'm having this issue as well. Location was C:/Users/Isaac/AppData/Roaming/Twitch/Electron/Cache/f_0008de
    Wednesday, December 13, 2017 7:41 PM
  • Just got this when launching Tidal desktop app for music streaming. Appears on all subsequent launches.

    Info:

    Trojan:Win32/Sonoko.A!ms

    affected items:

    file: C:\Users\********\AppData\Roaming\TIDAL\Cache\f_000e6a


    • Edited by Panxter Wednesday, December 13, 2017 11:55 PM weird spacing and text size
    Wednesday, December 13, 2017 7:45 PM
  • just started getting this in the last 10 mins.. been on the computer all day nothing until now

    Wednesday, December 13, 2017 7:46 PM
  • I'll open a case and see what comes back.

    Wednesday, December 13, 2017 7:47 PM
  • /AppData/Roaming/Twitch/

    Yep, same location
    Wednesday, December 13, 2017 7:48 PM
  • Was anyone else prompted to do a system update this morning? Maybe there was something in the update causing this issue? 
    Wednesday, December 13, 2017 7:51 PM
  • I'm having this issue as well. Location was C:/Users/Isaac/AppData/Roaming/Twitch/Electron/Cache/f_0008de
    Also had this pop up in Twitch cache as well as Chrome cache.
    Wednesday, December 13, 2017 8:01 PM
  • Yes, got it this morning right after Windows update. file: C:\Users\*****\AppData\Local\Opera Software\Opera Stable\Cache\f_000130

    Windows Defender says it's active and recommends removal yet after a quick scan it says 0 threats detected.

    Wednesday, December 13, 2017 8:03 PM
  • I was confronted with this today as well.

    can consistently re-create by watching videos on facebook gameroom

    Trojan:Win32/Sonoko.A!ms
    Category:Trojan
    file: C:\Users\User1\AppData\Local\Facebook\Games\cache\Cache\f_000f99

    chrome win10 latest 

    Wednesday, December 13, 2017 8:20 PM
  • Was anyone else prompted to do a system update this morning? Maybe there was something in the update causing this issue? 
    Yes.  I got updated this morning and getting the same warning when going to twitch.tv.  
    Wednesday, December 13, 2017 8:20 PM
  • If you updated Windows this morning, this is the bs that they supposedly tried to fix. It's crazy that the fix is just causing more of an issue than actually correcting the error.

    https://support.microsoft.com/en-us/help/4053580/windows-10-update-kb4053580
    Wednesday, December 13, 2017 8:37 PM
  • same problem, only related to Chrome cache file.

    Almost a day, so what's Microsoft's response?

    Wednesday, December 13, 2017 8:38 PM
  • Same here, only Chrome's cache so far. I did restore one, zip it and send it from the user's computer to myself over Office 365. It showed up 5 minutes later as quarantined as the same Trojan.
    Wednesday, December 13, 2017 8:43 PM
  • Same for me, files:

    • \AppData\Local\Google\Chrome\User Data\Default\Cache\f_00e79a
    • \AppData\Local\Google\Chrome\User Data\Default\Cache\f_00016a
    • \AppData\Local\Google\Chrome\User Data\Default\Cache\f_000c09

    Wednesday, December 13, 2017 9:00 PM
  • Got one in Steam's browser cache, using a game site in the overlay browser while in a game.
    Wednesday, December 13, 2017 9:04 PM
  • Also having the same issue, however I'm using Opera browser. There was another post, for a user with Brave browser. Still nothing from MS?

    Wednesday, December 13, 2017 9:20 PM
  • Same with Twitch app cache files too; it hit on a similarly named cache file f_000184. VirusTotal shows it is the only one detecting it.

    Had a similar issue a month or so ago with a Firefox cache file, again defender was the only one to trigger a response to it.

    • Edited by Sgt.Mays Wednesday, December 13, 2017 9:36 PM
    Wednesday, December 13, 2017 9:32 PM
  • Not the December updates doing this.  The AV signatures were just updated and include an obviously incorrect signature on this item.

    see the Change log for version 1.257.1463.0

    https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?RequestVersion=1.257.1463.0&Release=Released&Package=AM

    Wednesday, December 13, 2017 9:32 PM
  • I have been getting lots of them all of this morning. 5 of them to be exact.

    I am really freaking out, please help me with any info.

    I have AVG protection and it brought up nothing.

    It was my Microsoft Antivirus that notified me of these severe Trojans.

    I haven't been on any sketchy sites, however, the directory for the virus said something about Twitch and Discord.

    Thanks 

    Lord_Domin8r

    Wednesday, December 13, 2017 10:02 PM
  • > "Still nothing from MS?"

    Have you opened a case? If this is important, then you need to open a case so they know it is important.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, December 13, 2017 10:05 PM
  • I just ran the Microsoft Safety Scanner tool and got an all clear after a full scan. 

    https://www.microsoft.com/en-us/wdsi/products/scanner#


    Wednesday, December 13, 2017 10:05 PM
  • I have this virus on my computer and don’t know what to do to get it off. Suggestions?
    Wednesday, December 13, 2017 10:06 PM
  • anyone know how to remove it?

    and is it dangerous?

    Wednesday, December 13, 2017 10:09 PM
  • It does appear to be a false positive.

    I was able to get this to return a result in IE as well as several hits in chrome that were reported.

    The result in IE was bridge3.186.1_en[1].html

    The file is part of Google's IMA3 ad API, and the 3.186.1 relates to the latest release of the API on Dec 7th.

    I don't know anything about it really, my Google searches for this did little to help me understand what this file actually is, but the contents are some CSS and a lot of Javascript.

    A debug in IE confirmed it loads from https://imasdk.googleapis.com/js/core/bridge3.186.1_en.html

    I loaded this address directly on a test system and ran a scan directly against UserProfile\AppData\local\Microsoft\Windows\Temporary Internet Files\low\Content.IE5, and it found it in a subfolder and marked it as Win32/Sonoko.

    I had a system with definition version 1.259.247.0 from earlier in the day and it did not flag this file, it started with definition version 1.259.269.0 as best I can tell and continues to flag the file in version 1.259.272.0.

    I also tested this after going to https://imasdk.googleapis.com/js/core/bridge3.185.2_en.html, which pulls down a file for the previous API version, and this does not get flagged. The release notes for the Google API simply state: "AdErrorEvent.getInnerError() may now return an inner AdError object. This allows checking to see if autoplay failed."

    There were threat detection updates for 247, but this does not flag the file, since then 257 was updated with detections, but not for this threat.
    Wednesday, December 13, 2017 10:13 PM
  • First post.

    Mine started with an update a couple of days ago. This happens every time there is a large update. So annoying.  I assume there will be ways to fix it listed here when folks find out? 

    Wednesday, December 13, 2017 10:13 PM
  • PS: mine happens in Firefox. I do not have Chrome.
    Wednesday, December 13, 2017 10:14 PM
  • Same issue popped up in windows defender except my path is as follows: C:/Users/MyUserName/AppData/Local/Microsoft/Windows/INetCache/IE/YX8FFRTE/bridge3.186.1_en[1].htm

    Windows 10 latest build

    Wednesday, December 13, 2017 10:27 PM
  • Total false positive. I've run many scans and all are negative. I just shut off notifications for Windows Defender.
    Wednesday, December 13, 2017 11:22 PM
  • I just got an alert from it being in a Firefox cache. Lucky I found this thread - I was about to go rampaging on the user :)

    Malware Name: Trojan:Win32/Sonoko.A!ms

    Number of infections: 1

    Last detection time(UTC time): 12/13/2017 10:29:03 PM

     

    These are the infections of this malware:

    1. Computer name: terminal.xxxxx.com

    Domain: XXXXX

    Detection time(UTC time): 12/13/2017 10:29:03 PM Malware file path: containerfile:_C:\Users\xxxxxt\AppData\Local\Mozilla\Firefox\Profiles\iqhkk5bz.default\cache2\entries\B79663A282657E81688EFDBF6F16ACAF3881E4B4;containerfile:_C:\Users\xxxxx\AppData\Local\Mozilla\Firefox\Profiles\dj1zjc29.default\cache2\entries\B79663A282657E81688EFDBF6F16ACAF3881E4B4;file:_C:\Users\xxxxx\AppData\Local\Mozilla\Firefox\Profiles\iqhkk5bz.default\cache2\entries\B79663A282657E81688EFDBF6F16ACAF3881E4B4->(GZip);file:_C:\Users\xxxxx\AppData\Local\Mozilla\Firefox\Profiles\dj1zjc29.defaul

    Remediation action: NoAction

    Action status: Succeeded

    To view further information about malware activity in your organization, run Malware Details Report.


    Thursday, December 14, 2017 12:43 AM
  • Careful, it has a way of making a comeback.
    Thursday, December 14, 2017 3:03 AM
  • It appears, gentlemen, this is not an isolated incident. It appears it is happening no matter what browser is being used. I was using IE11 this morning, and I too received the same Trojan message. Ran Windows Defender; it claimed to have removed it, but it keeps making a comeback.
    Thursday, December 14, 2017 3:08 AM
  • Same report coming through Opera. Having a good feeling it's just an error given how many people are reporting this. Thanks for the help! :)
    Thursday, December 14, 2017 3:51 AM
  • Looks like Microsoft updated their page for the Trojan

    "NOTE: On December 12, 2017, limited cases of an incorrect detection for this protection was reported and immediately fixed.

    To ensure that this issue is remediated, you can do a forced daily update to download your Microsoft antimalware and antispyware software. The fix has been deployed in signature build 1.259.284.0."

    https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Sonoko.A!ms&ThreatID=-2147242665

    • Proposed as answer by WillyHG Thursday, December 14, 2017 7:25 PM
    • Marked as answer by jlee_guard Friday, December 15, 2017 3:06 PM
    • Unmarked as answer by jlee_guard Friday, December 15, 2017 3:06 PM
    Thursday, December 14, 2017 2:01 PM
  • I do not know about anyone else, but I am still seeing computers with signature build 1.259.298.0 that have reported this as an infection when they should not be (according to Microsoft's post linked above).

    I have not seen any since signature build 1.259.308.0, but can anyone else confirm this? I have a security team on edge looking for an answer.

    Thanks!

    Friday, December 15, 2017 3:06 PM
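    Added example (not posted by anyone in this thread): a PowerShell check a Defender admin could run on a fleet host, using the build numbers quoted in the two posts above (fix deployed in 1.259.284.0, sightings still reported on 1.259.298.0, none after 1.259.308.0) and the ThreatID 2147724631 from the Defender event later in the thread. It assumes the Defender PowerShell module on Windows 10 and an elevated session so that Update-MpSignature can run; the cache-path pattern is my own, built from the locations reported here.

```powershell
# Added example: compare this host's AV signature build against the build that
# carries the corrected signature, force an update if it is older, and list any
# Sonoko.A!ms detections together with whether each hit lives in a browser cache.
# Assumptions: Windows 10 Defender module (Get-MpComputerStatus, Get-MpThreatDetection,
# Update-MpSignature) and an elevated session.
$FixedBuild     = [version]'1.259.284.0'   # build Microsoft named as carrying the fix
$ClearedBuild   = [version]'1.259.308.0'   # build after which the thread saw no more hits
$SonokoThreatId = 2147724631               # ThreatID quoted from a Defender event in the thread

$status = Get-MpComputerStatus
$avSig  = [version]$status.AntivirusSignatureVersion
Write-Host "AV signature build: $avSig (engine $($status.AMEngineVersion))"

if ($avSig -lt $FixedBuild) {
    Write-Warning "Build $avSig predates the fix ($FixedBuild); forcing a signature update."
    Update-MpSignature
    $avSig = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "AV signature build after update: $avSig"
}
elseif ($avSig -lt $ClearedBuild) {
    Write-Warning "Build $avSig is in the range where posters still reported hits; update again if any appear."
}

# Cache directories named in the thread: Chromium/Electron 'Cache', Firefox
# 'cache2\entries', IE 'INetCache' and 'Content.IE5'. A hit whose only resource
# matches one of these is consistent with the false positive; a hit anywhere
# else should be treated as a real detection until shown otherwise.
$cachePattern = '\\(Cache|cache2\\entries|INetCache|Content\.IE5)\\'

$rows = foreach ($d in Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $SonokoThreatId }) {
    foreach ($res in $d.Resources) {
        [pscustomobject]@{
            Detected = $d.InitialDetectionTime
            Resource = $res
            InCache  = [bool]($res -match $cachePattern)
            Process  = $d.ProcessName
        }
    }
}

if ($rows) { $rows | Sort-Object Detected | Format-Table -AutoSize }
else       { Write-Host "No Sonoko.A!ms detections recorded on this host." }

# Anything not in a cache directory is worth a second look rather than a dismissal.
$rows | Where-Object { -not $_.InCache } | ForEach-Object {
    Write-Warning "Non-cache resource flagged: $($_.Resource)"
}
```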
  • I had the exact same thing happen to my computer. it was false, and your anti-spyware or malware systems may need to be updated. I will send you a link to the explanation page: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Sonoko.A!ms
    Monday, December 18, 2017 2:27 AM
  • I saw one as late as 16th December evening.

    Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
     For more information please see the following:
    https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sonoko.A!ms&threatid=2147724631&enterprise=1
      Name: Trojan:Win32/Sonoko.A!ms
      ID: 2147724631
      Severity: Severe
      Category: Trojan
      Path: file:_C:\Users\<snipped>\AppData\Local\Google\Chrome\User Data\Default\Cache\f_01b42d
      Detection Origin: Local machine
      Detection Type: Concrete
      Detection Source: System
      User: 
      Process Name: Unknown
      Action: Not Applicable
      Action Status:  No additional actions required
      Error Code: 0x00000000
      Error description: The operation completed successfully. 
      Signature Version: AV: 1.259.452.0, AS: 1.259.452.0, NIS: 118.2.0.0
      Engine Version: AM: 1.1.14405.2, NIS: 2.1.14202.0

    Seems like a false positive as I only browsed trusted websites (weather.com using Chrome; ad blocking on as well) and an internal intranet site.


    Regards Ravindran Keshavan


    • Edited by RavindranK Monday, December 18, 2017 11:53 PM
    Monday, December 18, 2017 11:52 PM