Sony DRM Rootkit

8,098 bytes added, 18:44, 31 March 2016
The Sony rootkit (aka ARIES Rootkit, XCP technology) is on many music titles now as a copy protection scheme. Sony’s DRM rootkit doesn’t stop the music CD from playing on standard consumer electronics CD players, but when you go to play it on your computer the DRM rootkit automatically installs itself. When played on a Microsoft Windows PC, Sony’s DRM system forces you to play the music through their special software, which secretly installs the rootkit, just like a virus.

An interesting part of the rootkit is the $sys$DRMServer service created by its installation. This pseudo system service is not a true service and does not respond to the 'NET STOP' command. Once the part of the DRM rootkit that hides the files from you is disabled, you will be able to see a $sys$filesystem directory in the system32 path under c:\windows which will contain the pseudo service along with other embedded files.

== Fallout ==
[[Image:wiki-boycottsonybmgdrmrootkit.gif]]

The Sony DRM rootkit resulted in massive boycotts of Sony and BMG, legal action, and a recall of the music media containing the malware / virus. In 2005 Sony BMG struck a deal with the plaintiffs in a class action lawsuit over the copy-restriction software it used in music CDs. The record label agreed to compensate buyers of CDs that contained the rootkit virus. Sony stated it would immediately recall all DRM rootkit (XCP) CDs and replace them with ones that are virus free. It also agreed to offer incentives to U.S. customers to "ensure that XCP CDs are promptly removed from the market." Sony is not recalling MediaMax CDs, but has agreed to compensate buyers of these albums by allowing them to download one free album, as well as offering them MP3 versions of the music on the MediaMax album. According to the EFF (Electronic Frontier Foundation), [http://www.eff.org/cases/sony-bmg-litigation-info SonyBMG settled] the case, providing a range of remedies and compensation to purchasers of CDs with the XCP technology or the MediaMax technology. SonyBMG ultimately stopped putting any DRM on its CDs sold in the United States. Sony may continue to market the discs containing the virus in foreign markets.

Hold down the shift key when you insert a CD into the drive. This will prevent [[autorun]] from executing the rootkit. But keep in mind you may still launch the rootkit by clicking the CD drive letter icon in Windows Explorer, or certain applications such as Windows Media Player may also launch the rootkit.

=== Sony DRM Rootkit Removal Patch ===

=== LavaSoft 3rd Party Tool ===

=== Manual Removal ===
This is a very touchy process; if it is executed incorrectly your system could be rendered unbootable. This process is not guaranteed by any means, and due to variants and reports of opportunistic viruses, even if executed correctly, something could go wrong. Just be advised before you begin, and make sure you have completed a comprehensive system backup.

[http://www.dslreports.com/forum/remark,14817570 Handyperson's guide to removal of SONY ROOTKIT] best illustrates the manual removal process. Credit goes to Kevin McAleavey who posted this guide on an Internet forum. It is imported here for permanent retention and edited for compression and simplicity.

* Must be done from the administrator - Full Control account
* Open an MS-DOS prompt and navigate to the path c:\windows\system32\$sys$filesystem
* Delete the ARIES.SYS file in the $sys$filesystem directory and reboot the system
* Open REGEDT32 (not regedit) and right click on the HKEY_LOCAL_MACHINE hive and select PERMISSIONS from the dropdown menu.
* Click on "everyone" and make sure that FULL CONTROL is checked
* Use FIND (Control-F) to locate anything that matches "$sys$":
* The first things you'll encounter are under the HKEY_LOCAL_MACHINE files, under the SOFTWARE key; delete them (see below):
:* $sys$reference
:* ECDDiskProducers
:* SONYBMG
* Then, as you continue to FIND more $sys$ items, BE CAREFUL! Some can be deleted, SOME HAVE TO BE EDITED!
* In "WBEM\WDM" you'll spot some UUIDs and there will be crater.sys. Any such references that DON'T have IMAPI are safe to just delete. This will be the first one you encounter after the above. DELETE. Same for the one in WBEM\WDM\DREDGE ... DELETE!
* The next stop will be under various "ControlSet00x" keys. You'll stop at the "CoDeviceInstallers" ... for each "$sys$caj.dll" you encounter. Usually it is the first UUID entry and the last. Look for the $sys$caj.dll entry and remove ONLY that particular value for a UUID where it appears and do NOT delete anything else.
* Next is the "Enum" area - IDE or SCSI depending on what you have. Look for an entry on the right side that says "LowerFilters" ... but don't delete anything. Double-click on the "LowerFilters" name. That will bring up an EDIT screen. In the EDIT screen, what you need to do is move the cursor up to where it says "$sys$crater" and CAREFULLY remove it, and pull any lines below it up. NORMALLY the line below will be IMAPI.SYS but could be something else, and more following. The OBJECTIVE is to remove the $sys$crater ONLY and then pull the line below it up to where the crater.sys WAS. The objective is to leave everything ELSE intact and JUST lose $sys$crater!
:* Should you encounter a "LowerFilters" that *ONLY* contains "$sys$crater," then you can DELETE it, but usually the "LowerFilters" has another item. Make certain that the top item isn't blank!
* Now search to "UpperFilters" and remove "$sys$cor." If "$sys$cor" is the ONLY entry, then you can delete that item. If there is anything ELSE in there, then you must edit OUT the "$sys$cor" as was done with "$sys$crater." Each system is different and thus the uncertainty here. You ONLY want to get rid of "$sys$crater" and "$sys$cor".
:* Be careful not to remove anything else or you will lose access to your CDROM drive(s).
::* $sys$cor will show up in other places, under the name "ActiveChannel." You can DELETE that whole value too.
::* ANY place where only $sys$cor or $sys$crater shows up as a value can be DELETED as LONG AS there are no other "dependencies" listed.
::* If there are other items, you MUST edit OUT the $sys$whatever and LEAVE THE OTHERS INTACT by removing the entire line which contains either $sys$crater or $sys$cor ...
* Search to the "ROOT" entries! You'll see the following KEYS which need to be deleted:
:* LEGACY_$SYS$ARIES
:* LEGACY_$SYS$DRMSERVER
:* LEGACY_$SYS$LIM
:* LEGACY_$SYS$OCT
::* Just delete the entire KEYS themselves, so the above are GONE.
* Search to the "SERVICES" entries! You'll see the following keys next:
:* $sys$aries
:* $sys$cor
:* $sys$crater
:* $sys$DRMServer
::* Just delete the entire KEYS themselves, so the above are GONE.
* That completes the "CurrentControlSet" ... expect to go through a repeat of the above for EACH user's individual "ControlSet" until you've done them all. How many depends on how many "users" on the machine.
* Click on the HKEY_LOCAL_MACHINE hive and select PERMISSIONS from the dropdown menu and remove the checkbox for "everyone" that granted "everyone" "FULL CONTROL."
* Reboot the system
* When the system comes back up, GO to that $sys$filesystem folder and delete the remainder - you'll now have permissions to do so. And finally, wipe THESE files from your SYSTEM32 folder:
:* $SYS$CAJ.DLL
:* $SYS$UPGTOOL.EXE

It is a lot of work and a bit risky to your system, but you have completed the removal process.

== References and Resources ==
* A blog article [http://blogs.technet.com/b/markrussinovich/archive/2005/11/06/sony-s-rootkit-first-4-internet-responds.aspx Sony’s Rootkit: First 4 Internet Responds] explains how poorly written the Aries.sys API interceptor is and why the presence of the Sony DRM Rootkit not only makes your Windows system less stable, it prevents you from isolating and identifying problems with your system that could otherwise be easily addressed as they arise.
* A [http://www.electrohack.com/index.php?s=sony+rootkit&submit=Search handful of articles on the Expressive Opposition blog] details the story behind the Sony DRM Rootkit and how people responded. Sony faced legal action by consumer groups and was forced to issue a recall on DRM embedded music discs.
* Wikipedia refers to the issue as the [http://en.wikipedia.org/wiki/Sony_BMG_CD_copy_protection_scandal Sony BMG CD copy protection scandal] and has some background information on the story.

== Related ==
* [[Autorun|Autoplay, Autorun, and Auto-insert notification]]
* [[Turn off Autoplay With Group Policy Editor]]
* [[Sandisk U3 Flash Drive Virus]]
* [[Sony DRM Rootkit]]

For Linux Users:
* [[How_Do_I:_A_Linux_Q%26A#.5BDISABLE_ANNOYING_KDE_Autorun_WHEN_CDROM_IS_IN_DRIVE_WHEN_KDE_STARTS.5D|KDE Autorun]]

Key Words: spyware, malware, trojan, crash, aries.sys, XCP technology
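The manual removal steps above have you edit the LowerFilters/UpperFilters values by hand and repeat the work for every ControlSet. The PowerShell below is an added example, not code from the original page or from the forum guide it imports: it audits those same registry locations read-only and reports what the guide's edit would leave behind, assuming only the component names the guide lists ($sys$crater, $sys$cor, the $sys$* service keys and the LEGACY_$SYS$* keys); the function names are this example's own.

```powershell
# Added example, not from the original page or the forum guide: a read-only audit
# of the registry locations the manual removal walks through. It lists every key
# named after a rootkit component and, for the REG_MULTI_SZ LowerFilters/UpperFilters
# values, shows what the guide's edit would leave behind. Nothing is written.
# Component names ($sys$crater, $sys$cor, the $sys$* services, LEGACY_$SYS$* keys)
# come from the guide; the function names are this example's own.

$RootkitFilters = @('$sys$crater', '$sys$cor')

function Get-CleanedFilterValue {
    # The guide's rule: drop ONLY the $sys$ entries and keep every other filter
    # driver (normally IMAPI) in its original order. Returns $null when nothing
    # would remain, which is the case where the whole value may be deleted.
    param([string[]]$Current)
    $kept = @($Current | Where-Object { $_ -and ($RootkitFilters -notcontains $_) })
    if ($kept.Count -eq 0) { return $null }
    return $kept
}

function Find-SonyRootkitTraces {
    # Walk every ControlSet, since the guide repeats the edits for each one.
    $sets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $sets) {
        $base = "HKLM:\SYSTEM\$($cs.PSChildName)"
        # Services ($sys$aries, $sys$cor, ...) and Enum\Root (LEGACY_$SYS$...) keys.
        foreach ($sub in 'Services', 'Enum\Root') {
            if (-not (Test-Path "$base\$sub")) { continue }
            Get-ChildItem "$base\$sub" | Where-Object { $_.PSChildName -like '*$sys$*' } |
                ForEach-Object { [pscustomobject]@{ Location = $_.Name; Finding = 'delete key' } }
        }
        # Filter drivers attached to CD/DVD devices under Enum\IDE and Enum\SCSI.
        foreach ($bus in 'IDE', 'SCSI') {
            if (-not (Test-Path "$base\Enum\$bus")) { continue }
            foreach ($dev in Get-ChildItem "$base\Enum\$bus" -Recurse) {
                $props = Get-ItemProperty -Path $dev.PSPath -ErrorAction SilentlyContinue
                foreach ($name in 'LowerFilters', 'UpperFilters') {
                    $val = @($props.$name)
                    if (-not ($val | Where-Object { $RootkitFilters -contains $_ })) { continue }
                    $clean = Get-CleanedFilterValue $val
                    $finding = if ($clean) { "edit to: $($clean -join ', ')" } else { 'delete value' }
                    [pscustomobject]@{ Location = "$($dev.Name)\$name"; Finding = $finding }
                }
            }
        }
    }
}

Find-SonyRootkitTraces | Format-Table -AutoSize
```

Run it from an elevated prompt before opening REGEDT32; an empty table means none of the guide's key names or filter entries are present in any ControlSet.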