http://vil.nai.com/vil/content/v_136855.htm
McAfee(R) AVERT(tm) recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
Distribution
To prevent illegal copying of music, some recent Sony music CDs contain Digital Rights Management (DRM) software from the company First4Internet. This software is installed together with a music player provided on the CDs. To hide the installation of this additional software, it drops a program ("XCP") that hides any file or process whose name starts with the string "$sys$". The behavior of XCP was observed on October 21, 2005 with the Van Zant CD.
More information on how to remove XCP is available at the Sony website and at http://updates.xcp-aurora.com/. With the latest DATs, McAfee detects, removes, and prevents reinstallation of XCP. Please note that removal will not impair the copyright protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP (http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html). System crashes may also occur during repair using McAfee products due to issues in the First4Internet code itself.
Characteristics
A SonyBMG music CD is inserted in the CD player of a computer system running Microsoft Windows. If the CD has the DRM software, a EULA is presented. Some excerpts of the EULA are shown below.
* "As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the SOFTWARE) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise."
* install one (1) copy of SOFTWARE onto the hard drive of YOUR COMPUTER, solely in machine-executable form;
* install one (1) copy of any APPROVED MEDIA PLAYER(S) contained on this CD onto the hard drive of YOUR COMPUTER, solely in machine-executable form
* use the SOFTWARE and any APPROVED MEDIA PLAYER(S) contained on this CD to access the DIGITAL CONTENT on YOUR COMPUTER or on an APPROVED PORTABLE DEVICE”
Installation
* The autorun feature of the CD starts a process called "go.exe", which is an enhanced installer by F4I. It installs the file $sys$DRMServer.exe, the main component for installing the XCP service.
* $sys$DRMServer.exe creates a service named "$sys$aries" using the file aries.sys located in the hidden folder %sysdir%\$sys$filesystem. The display name given to this service is "Network Control Manager Service".
* Creates HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$sys$aries
* XCP hides processes, files and directories whenever the name starts with the string "$sys$". It also hides some specific registry keys that point to the path of these binaries.
* Any file created with a name that begins with "$sys$" will automatically be hidden.
* This is a security risk as some virus scanners will not be able to detect or delete any malicious programs that take advantage of this cloaking.
NOTE: Heuristic detection was added to the 4612 DATs for files likely to be attempting to exploit the security hole created by XCP. Files matching this signature may be detected as New Malware.j.
Manual Removal Instructions:
* Run "net stop $sys$aries"
* Delete %sysdir%\$sys$filesystem\aries.sys
Symptoms
* Any file or folder whose name starts with $sys$ will be hidden.
* Presence of the file aries.sys in the %sysdir%\$sys$filesystem folder.
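The cloaking behavior and the artifacts listed under Installation and Symptoms can be checked for from a defender's side. The following script is an added example, not McAfee's detection code: it scans a service list and a file list (both constructed inline here) for the indicators the advisory names, and runs the classic cross-view "canary" test, creating a file with the $sys$ prefix and checking whether a directory listing still shows it. On an uncloaked system the canary is visible; a filter driver hiding the prefix would make the listing omit it.

```python
import os
import re
import tempfile

# Indicators taken from the advisory: cloak prefix, service name,
# service display name and driver location (relative to %sysdir%).
CLOAK_PREFIX = "$sys$"
XCP_SERVICE = "$sys$aries"
XCP_DISPLAY_NAME = "Network Control Manager Service"
XCP_DRIVER = r"$sys$filesystem\aries.sys"

# Constructed sample data standing in for a dump of
# HKLM\System\CurrentControlSet\Services and a directory walk.
SAMPLE_SERVICES = [
    ("Dhcp", "DHCP Client", r"C:\WINDOWS\system32\svchost.exe"),
    ("$sys$aries", "Network Control Manager Service",
     r"C:\WINDOWS\system32\$sys$filesystem\aries.sys"),
]
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\$sys$filesystem\aries.sys",
    r"C:\WINDOWS\notepad.exe",
    r"C:\temp\$sys$hidden.txt",
]


def scan_services(services):
    """services: (name, display_name, image_path) tuples.
    Returns names that match an XCP indicator or use the cloak prefix."""
    hits = []
    for name, display, image in services:
        if (name.lower() == XCP_SERVICE
                or display == XCP_DISPLAY_NAME
                or name.startswith(CLOAK_PREFIX)
                or image.lower().endswith(XCP_DRIVER.lower())):
            hits.append(name)
    return hits


def scan_paths(paths):
    """Return every path with a component that starts with the cloak prefix."""
    return [p for p in paths
            if any(part.startswith(CLOAK_PREFIX) for part in re.split(r"[\\/]", p))]


def canary_visible(directory=None):
    """Cross-view check: create a $sys$-prefixed file and test whether the
    directory listing still shows it. True means no cloaking is in effect."""
    directory = directory or tempfile.gettempdir()
    fd, path = tempfile.mkstemp(prefix=CLOAK_PREFIX + "canary", dir=directory)
    os.close(fd)
    try:
        return os.path.basename(path) in os.listdir(directory)
    finally:
        os.remove(path)
```

Run scan_services and scan_paths over real exports from the machine under review; a False from canary_visible on a Windows host is the symptom the advisory describes.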
Method Of Infection
Currently this security risk is being distributed via Sony BMG music CDs that have content protection purchased from F4I.
Removal Instructions
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
Name Type Sub Type Differences
Aliases
Name
SecurityRisk.First4DRM (Symantec)
XCP.Sony.Rootkit (CA)