Dan, I have a few questions re your post below.

1) You said not to put a CD in the CD drive of a Windows machine. Does that mean not even to play it?

2) I searched for any files w/ $sys$ in the name and did not find any. I also did the test, creating a $sys$.txt file. It did not disappear when I hit refresh. Are the $sys$ files installed by Sony's rootkit?

3) You said if you do find a $sys$ file and remove it, it disallows access to the CD drive. Why remove it, then? Does the $sys$ file prevent you from ripping songs?

4) Would an ordinary disc copy (not rip) be affected by the rootkit?

5) Other than saying "don't put any Sony discs from up to 3 months old in your computer," is there any way to detect the presence of rootkit software?

6) Do you recommend downloading the software from Sophos on the link you provided below? The site said "This version of the tool detects and disables the Sony DRM cloaking copy protection technology (which Sophos refers to as Troj/RKProc-Fam)." I haven't bought anything from Sony recently, and I passed the test, so what would be the effect of running the tool on an uninfected machine? Would it provide protection for the future in case I run into the Sony rootkit?
I buy CDs all the time, and I usually rip them to MP3. I really appreciate your heads-up. I definitely don't have time to rebuild my operating system on a consistent basis. I'm thinking about just getting a ripper computer. Thanks.

PM Lyman

----- Original Message -----
From: Dan Fuller
To: budheads ; [EMAIL PROTECTED] ; The Onion ; radiohum ; sat_dx ; satellitetv ; sftvnews ; sftvtalk ; Tom & Darryl ; TVRO
Sent: Thursday, November 10, 2005 5:04 PM
Subject: [TVRO] [Whitmores_Announcements] BMG (Sony) RootKit on some audio CDs

From another list: This is OT for some of the lists but very important to pass along.

[Whitmores_Announcements] BMG (Sony) RootKit on some audio CDs

Greetings:

I have been watching and reading about this for several days, and feel it's time to spread the news. There is good news and bad news. The good news is I believe it affects only Windows machines. The bad news is all you have to do is play one of these audio CDs to infect your machine.

Sony/BMG Music has put some software on some twenty of their new music CDs, intended to prevent casual copying. In itself, that is not such a bad thing. The problem is twofold:

1) The software, known as a rootkit, hides itself, and any file with $sys$ as the first part of its name, so users cannot find it using any standard means, such as Windows Explorer or virus/spyware scanners. There are rootkit revealers that will find it.

2) If you do find it, and successfully remove it, it almost always breaks access to the system's CD-ROM drive(s), and no one has found a fix, short of rebuilding the Windows operating system.

The real bad news is that, as expected, virus writers didn't waste any time developing Trojan horse programs that exploit this vulnerability/feature.
See: http://www.sophos.com/pressoffice/news/articles/2005/11/stinxe.html

Wherein find:

<snip>
Trojan horse exploits Sony DRM copy protection vulnerability
Sophos issues tool to detect and disable "cloaking" flaw exploited by Trojans

The Trojan horse exploits a vulnerability introduced by Sony's CD copy protection software. Experts at SophosLabs, Sophos's global network of virus and spam analysis centres, have detected a new Trojan horse that exploits the controversial Sony DRM (Digital Rights Management) copy protection included on some of the music giant's CDs. The Troj/Stinx-E Trojan horse appears to have been deliberately spammed out to email addresses, posing as a message from a British business magazine. Typical emails look as follows:

Subject: Photo Approval Deadline
Message body: Hello, Your photograph was forwarded to us as part of an article [truncated]
</snip>

There's lots more reading at: http://www.theregister.co.uk/2005/11/10/sony_sued_for_rootkit/

I do not yet have a list of titles with the software on them, but the new Van Zant album is one mentioned.

Bottom line: If you have any relatively new audio CDs made by Sony/BMG (say, less than three months old), DO NOT put them into any Windows-based PC. If you already have, don't panic. The known effects are to break the system's ability to copy CDs, and the potential for getting a Trojan on your machine. Remember that removing the rootkit will almost certainly break your ability to use the CD-ROM drive(s).

Let me know if you have a machine that may be infected. One quick test that may work is to make a text file and name it $sys$.txt. See if it disappears as soon as you refresh the folder. I tried this on my machine, and the file remained visible. Let me know if you have a machine that fails this test.
Paul

Community email addresses:
Post message: mailto:[email protected]
Subscribe: mailto:[EMAIL PROTECTED]
Unsubscribe: mailto:[EMAIL PROTECTED]
List owner: mailto:[EMAIL PROTECTED]
Shortcut URL to this page: http://www.groups.yahoo.com/group/TVRO
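The "$sys$.txt" check described in the forwarded message, automated as an added example (this is not code from anyone in the thread, and the probe file name `$sys$probe.txt`, the function names and the verdict strings are all constructed for illustration). It creates a file whose name begins with `$sys$` in a temporary directory, then compares two views of it: whether a directory listing (what Explorer shows after a refresh) still contains the name, and whether the file can still be opened by its exact path. The symptom the message describes is the first failing while the second still works; on a clean machine both succeed.

```python
"""Automated version of the manual "$sys$.txt" visibility test.

Added example, not part of the original e-mail thread. A file whose name
starts with "$sys$" is written to a temporary directory, then checked in
two ways: does directory enumeration list it, and can it be opened by its
exact path? A name that opens fine but is missing from the listing is the
cloaking behaviour the thread describes; a clean machine shows it both ways.
"""
import os
import tempfile

# Constructed probe name; only the "$sys$" prefix matters for the check.
PROBE_NAME = "$sys$probe.txt"


def probe_cloaking(directory):
    """Create the probe file in `directory` and report how it appears.

    Returns a dict with three booleans:
      created  - the file could be written at all
      listed   - os.listdir() (directory enumeration) shows the name
      openable - the file can be opened and read by its exact path
    The probe file is removed before returning.
    """
    path = os.path.join(directory, PROBE_NAME)
    result = {"created": False, "listed": False, "openable": False}
    try:
        with open(path, "w", encoding="ascii") as fh:
            fh.write("cloaking probe\n")
        result["created"] = True

        # What a folder refresh would show: enumeration of the directory.
        result["listed"] = PROBE_NAME in os.listdir(directory)

        # Direct access by name, independent of enumeration.
        try:
            with open(path, "r", encoding="ascii") as fh:
                result["openable"] = fh.read().startswith("cloaking probe")
        except OSError:
            result["openable"] = False
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
    return result


def interpret(result):
    """Turn the raw probe result into a one-line verdict."""
    if not result["created"]:
        return "inconclusive: probe file could not be created"
    if result["openable"] and not result["listed"]:
        return "suspicious: $sys$ file is hidden from directory listings"
    if result["listed"]:
        return "clean: $sys$ file is visible in directory listings"
    return "inconclusive: probe file neither listed nor openable"


def probe_tempdir():
    """Run the probe in a fresh temporary directory and return the raw result."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_cloaking(tmp)


def run_probe():
    """Run the probe and return the verdict string."""
    return interpret(probe_tempdir())


if __name__ == "__main__":
    print(run_probe())
```

Run it from a normal user account; it needs only write access to the temp directory and cleans up after itself. A "clean" verdict carries the same limited weight as the manual test in the message: it shows that no name-based hiding was observed from this process in that directory, nothing more, so it complements rather than replaces a dedicated rootkit revealer.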
