Virus targets SonyBMG rootkit DRM

By Matt Whipp

Posted on 10 Nov 2005 at 14:01

Security researchers' worst fears have been realised as the first instance of a virus taking advantage of the rootkit DRM technology in some SonyBMG copy-protected CDs has been discovered.

Sophos says that the Trojan known as Stinx-E uses the Sony DRM rootkit to make itself invisible by dropping a file named $sys$drv.exe. However, not having the Sony DRM installed does not make you immune to infection.

The rootkit makes all files beginning with '$sys$' invisible, and Sophos' senior antivirus consultant Graham Cluley described it as 'particularly troublesome'. He told us that antivirus software will detect the file when it is first run, provided it has already been updated to look out for it. Out-of-date antivirus software won't detect the virus at that point, and once the virus is installed, won't be able to see it at all.

Although the CDs carrying the Sony DRM in question are sold in the US, it is possible to buy them in the UK from the likes of Amazon. Curiously, the Trojan appears to be targeting the UK specifically. Cluley said that Sophos' research centres across the globe were aware of the new Trojan but had yet to encounter it.

'There's a peculiarly British angle to this one in that it pretends to come from an organisation called Total Business Monthly and refers to the website,' he said.

He said that while the Trojan appears to be out there in numbers, Sophos has yet to receive any reports of infection. 'We've had reports from a few large companies that have received the virus, but fortunately it seems they had the good sense to quarantine it.'

The Trojan arrives in an email with attached files with names such as Article+Photos.exe, subjects such as 'Photo Approval Required' and the following message:

Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.
Kind regards,
Jamie Andrews
The Professional Development Institute

If the recipient opens the attachment, the Trojan will attempt to copy the file $sys$drv.exe onto the hard drive where the Sony rootkit, if present, will render it invisible. The Trojan opens a backdoor onto the computer allowing remote control over the machine through IRC channels. The backdoor allows an attacker to delete, execute, and download files on the target machine. It also attempts to bypass the Windows Firewall.

The DRM technology the Trojan takes advantage of is included in a number of SonyBMG CDs and was first discovered by IT researchers when it turned up on a computer that was scanned for rootkits - a form of malware that operates at a low level, talking directly to the operating system, and is invisible to Windows and thus to other programs.

Further research showed that any file beginning with '$sys$' would also be cloaked by the Sony rootkit used to hide its DRM technology.
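The cloaking behaviour described above is the kind of thing a defender checks for with a "cross-view" comparison: list a directory through the normal API, list it again by a route the rootkit does not hook, and flag anything that appears only in the second view. The script below is an added example, not code from the article or from Sophos; it models both views as plain Python lists so it runs offline, assumes the cloak is a simple name-prefix match on '$sys$' (the case-insensitive match and every filename other than $sys$drv.exe are constructed assumptions), and also includes the manual probe of writing a '$sys$'-prefixed file and checking whether it is still visible.

```python
"""Cross-view detection of '$sys$' filename cloaking.

Added example, not from the article. Assumptions (constructed):
  - The rootkit hides every directory entry whose name starts with '$sys$'
    from the normal Windows API view; a raw view still contains it.
  - Matching is modelled as case-insensitive (Windows names are case-insensitive).
  - Both views are plain Python lists so the script runs offline.
"""
from __future__ import annotations

import os
import tempfile

CLOAK_PREFIX = "$sys$"  # prefix the article says the Sony rootkit hides


def cloaked_view(raw_entries: list[str]) -> list[str]:
    """Simulate what a hooked directory-listing API returns: every entry
    whose name starts with the cloak prefix is silently dropped."""
    return [n for n in raw_entries if not n.lower().startswith(CLOAK_PREFIX)]


def cross_view_diff(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Cross-view detection: names present in the raw view but missing from
    the API view are hidden from ordinary programs and worth investigating."""
    visible = set(api_view)
    return sorted(n for n in raw_view if n not in visible)


def flag_cloakable_names(entries: list[str]) -> list[str]:
    """Name-based rule an updated scanner can apply before a file is hidden:
    anything carrying the prefix is flagged whether or not the rootkit is present."""
    return [n for n in entries if n.lower().startswith(CLOAK_PREFIX)]


def probe_cloaking(directory: str | None = None) -> bool:
    """Manual check: create a '$sys$'-prefixed file and see whether the normal
    directory listing still shows it. Returns True if it vanished (cloaked).
    On a clean machine this returns False."""
    directory = directory or tempfile.mkdtemp()
    probe_name = CLOAK_PREFIX + "probe.tmp"  # constructed probe name
    path = os.path.join(directory, probe_name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("probe")
    try:
        return probe_name not in os.listdir(directory)
    finally:
        os.remove(path)


# Constructed sample listing (not a real system). '$sys$drv.exe' is the name the
# article reports; the other entries are placeholders.
SAMPLE_RAW_LISTING = [
    "notepad.exe",
    "$sys$drv.exe",
    "readme.txt",
    "$sys$probe.tmp",
]


def demo() -> dict[str, list[str]]:
    """Run both checks over the constructed listing and return the findings."""
    api_view = cloaked_view(SAMPLE_RAW_LISTING)
    return {
        "api_view": api_view,
        "hidden": cross_view_diff(api_view, SAMPLE_RAW_LISTING),
        "flagged_by_name": flag_cloakable_names(SAMPLE_RAW_LISTING),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("cloaking active on this machine:", probe_cloaking())
```

The cross-view comparison is the part that matters once the rootkit is installed, since by then the name-based rule is too late: the file has already been filtered out of what the scanner can enumerate. The name-based rule is the equivalent of the signature update Cluley describes, catching the file before it is run.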

The company that developed the technology for Sony has since updated its software and removed the rootkit element, but that update may take some time to make it to CDs on sale. It has also released patches to antivirus companies, but again this depends on end users updating their software.
