Sony rootkit signatures now available

  • Thread starter: Randy Knobloch
Randy Knobloch said:
http://blogs.technet.com/antimalware/archive/2005/11/17/414741.aspx

Silj

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.

Why is Windows Antispyware Beta not removing Sony's XCP software in its
entirety? From my understanding this software still reports information to
Sony's servers each time a Sony audio CD is played. Surely that has to be
classed as spyware, after all it is spying on us.

In my opinion a clear message needs to be sent to Sony that this type of
software will not be tolerated in any form whatsoever.
 
Hi Breezy

Nearly all commercial apps "calling Mum"...........!

Control it with a real firewall with both inbound
and outbound control. (not SP2 firewall)
 
Is the Sony Player software listed in add or remove programs?

This is a detail I haven't been able to get straight yet--but if it
is--that'd be the best route to remove it. It also may be one reason that
it is not removed by Microsoft Antispyware.

--
 
Hi

From MS engineers:

"We also wanted to take a moment to confirm that we are not removing or
disabling Sony’s XCP software. We are only removing the rootkit
component published by First 4 Internet which is included as part of
Sony’s XCP software."

"Only removing the rootkit".

http://blogs.technet.com/antimalware/archive/2005/11/17/414741.aspx

But as reported in another message, it seems that MSAS "as usual" only
detects new threats but does not remove them..........

--
plun




Bill Sanderson presented the following explanation :
 
I don't know what the real story is here. One report suggests that
Microsoft is only "uncloaking" the code--i.e. removing just those pieces
that allow anything to be hidden from the OS. I would expect, though, that
once that was done, it would stop detecting--so it seems like something
isn't going right on that specific cleaning operation.

....I hate to go in and suggest cleaning in safe mode but.....

--
 
:
Thanks for posting that. This is the best write-up of safe and effective
procedures to remove everything that I know of.

You're welcome - Lawrence is an MVP, as you know.
Great bit of investigative work and end-tool procedure that works.
Not for the faint-hearted, though.

Silj

--
siljaline

MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address
is invalid that we may all benefit.
 
Bill Sanderson said:
Is the Sony Player software listed in add or remove programs?

This is a detail I haven't been able to get straight yet--but if it
is--that'd be the best route to remove it. It also may be one reason that
it is not removed by Microsoft Antispyware.

That's the whole point. No, Sony's XCP software is not listed in the
add/remove programs, it has no un-installer supplied with it and if you try
to remove it manually it will break your CD-ROM drive.

Something that phones home, that is very difficult to remove and that can
break your machine is malware as far as I'm concerned and should be
completely removed by Windows Antispyware.

And in any case all the XCP disks are being recalled so you will not need
the Sony player to play the disks anyway. So the software is redundant. Get
rid of it Microsoft, it serves no purpose and can break our OS.
 
Use the Bleeping Computer write up to get rid of it all.

Maybe they are leaving it out there in order to hold Sony's feet a little
closer to the fire?

--
 
Bill Sanderson said:
Use the Bleeping Computer write up to get rid of it all.


Well I'm not infected, I'm thinking of the 500,000 or so computers that they
estimate are infected with this malware.
Maybe they are leaving it out there in order to hold Sony's feet a little
closer to the fire?

LOL Maybe so. All this isn't going to do the XBox 360 sales any harm. I'd
say we might see a few Playstation to Xbox converts in the next year or so.

Oh and the other thing I failed to mention in my previous post was that this
software is constantly using resources, isn't it. It simply has to be
classed as spyware, malware or whatever and should be removed.
 
So much for that bad idea!
-----------
DESCRIPTION:
SC is a command line program used for communicating with the
NT Service Controller and services.
USAGE:
sc <server> [command] [service name] <option1> <option2>...
------------

Follows a lengthy description of the parameters.

This is a command-line interface to control services--the critters one would
normally get to via Services.MSC.

Could be quite useful in terms of changing how services are set to startup
as the system shuts down or starts--you should be able to do all the stuff
possible with services.msc, and perhaps more--and do it via batch processes.

--
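
An added example, not part of any post in this thread: a read-only batch script that uses sc.exe the way the post above describes, listing every kernel driver the Service Controller knows about with its state, start type and image path. It changes nothing on the system; the label name `report` and the 65536-byte buffer size are choices made for this example.

```batch
@echo off
rem Added example: read-only inventory of kernel drivers via sc.exe.
rem Prints one line per driver: service name, state, start type, image path.
setlocal

rem "type= driver state= all" also lists stopped drivers.
rem Inside for /f the "=" and "|" characters must be escaped with "^".
for /f "tokens=1,* delims=:" %%A in ('sc query type^= driver state^= all bufsize^= 65536 ^| findstr /b /c:"SERVICE_NAME"') do (
    rem %%B holds " name"; the inner for /f strips the leading space.
    for /f "tokens=*" %%N in ("%%B") do call :report "%%N"
)
exit /b 0

:report
set "NAME=%~1"
set "STATE= unknown"
set "START= unknown"
set "IMAGE= (none listed)"
rem sc query gives the current state; sc qc gives the stored configuration.
for /f "tokens=1,* delims=:" %%A in ('sc query "%NAME%" ^| findstr /c:"STATE"') do set "STATE=%%B"
for /f "tokens=1,* delims=:" %%A in ('sc qc "%NAME%" ^| findstr /c:"START_TYPE"') do set "START=%%B"
for /f "tokens=1,* delims=:" %%A in ('sc qc "%NAME%" ^| findstr /c:"BINARY_PATH_NAME"') do set "IMAGE=%%B"
echo %NAME% - state:%STATE% - start:%START% - image:%IMAGE%
exit /b 0
```

Run it from a command prompt and redirect the output to a file to compare driver start types before and after a cleanup.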
 
Bill Sanderson said:
...I hate to go in and suggest cleaning in safe mode but.....

The aries driver is still loaded and active in safe mode, as Mark
Russinovich discovered.
:-)

BTW, just for curiosity, what's the SC.EXE utility in WinXP and beyond?

C.
 