Table of Contents
- How this rootkit affects your computer
- CDs that contain this rootkit
- How to tell if your CD has the Sony / XCP DRM Rootkit
- How to tell if your computer is infected with the Sony / XCP DRM Rootkit
- Rootkit removal and detection
- Technical Details
CDs that contain this rootkit
Lists of CDs known to carry this rootkit:
- http://ukcdr.org/issues/cd/bad/
- http://www.fatchuck.com/z3.html
How to tell if your CD has the Sony / XCP DRM Rootkit
CDs that contain this rootkit will usually state on the front of the CD, in the hinge area, that the disc is content protected. You will see text that reads "Content Protected - See Reverse For Features", as shown in the image below.
Front of a CD
Back cover system requirements and warning.
How to tell if your computer is infected with the Sony / XCP Rootkit
If your computer is infected with the Sony / XCP rootkit, there will be a visible service installed on your computer called XCP CD Proxy. This service is not the rootkit itself and should be left alone; rather, it is an indication that the rootkit is installed on your computer. The following steps will allow you to check whether or not this service is installed:
- Click on the Start button.
- Click on the Run option.
- In the Open: field type services.msc and press the OK button.
- The Services control panel window will open. You will see a list of the services installed on your computer. Scroll down and look for a service called XCP CD Proxy. If you have this service, then you most likely have the rootkit installed as well.
- Close the control panel window.
Rootkit removal and detection
Sony as well as antivirus vendors have released a patch or utilities to disable this rootkit. Both the Sony patch and the antivirus vendor utilities delete the rootkit service ($sys$aries), but the Sony patch leaves the aries.sys file behind while the other utilities delete this file as well. Unfortunately, according to Mark Russinovich of Sysinternals, the way the patch and utilities remove the rootkit has a small chance of crashing your computer. With that in mind, a safer manual method is given below. With any of the provided methods, though, the rootkit will be removed and you will still be able to use the CD on your computer.
Manual deletion instructions for the DRM rootkit service (Windows XP/2003):
- Click on the Start button.
- Click on the Run option.
- In the Open: field type cmd /k sc delete $sys$aries and press the OK button.
- Reboot your computer.
- Delete C:\%WinDir%\system32\$sys$filesystem\aries.sys (replace %WinDir% with the directory in which Windows is installed on your computer).
Manual deletion instructions for the DRM rootkit service (Windows NT/2000):
- Because Windows NT and 2000 do not include the SC.exe program, we will need to download a freeware alternative. Download SWSC and save it in your Windows folder.
- Click on the Start button.
- Click on the Run option.
- In the Open: field type cmd /k swsc delete $sys$aries and press the OK button.
- Reboot your computer.
- Delete C:\%WinDir%\system32\$sys$filesystem\aries.sys (replace %WinDir% with the directory in which Windows is installed on your computer).
Removal tools:
- Sophos Tool
- Official Patch: Sony XCP-Aurora Rootkit Removal Patch
Technical Details
The DRM rootkit used by Sony was created by XCP. This rootkit hides any filename, process, or registry key that starts with the characters $sys$. What this means is that if you have this rootkit installed on your computer and create a file called $sys$test.txt, that file will no longer be visible to you, because the rootkit hides it. The rootkit files themselves are found in the directory \Windows\System32\$sys$filesystem and are started as services from your registry. While the rootkit is active, those registry entries, filenames, and directories are all hidden, as they all start with the $sys$ characters. The XCP DRM/rootkit is installed by the autorun.exe file located in the root of the CD. This program runs automatically when you insert the CD. It then calls the program Content\GO.exe, which is the actual XCP installer. Also included in the root level of the CD is a version.dat file that contains the current version of the XCP installer. The version.dat file on the CD I tested with was for version 1.9.
It is important to note that GO.exe does not only install a rootkit; it also installs a media player and the DRM software used to protect the songs on the CD.
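The $sys$ hiding behaviour described above gives a defender a simple check. The following script is an added example (not code from the guide or from XCP) that repeats the guide's own test, creating a $sys$test.txt canary and seeing whether it is listed, and then matches a constructed list of service names against the indicators the guide names. The sample service names are made up for the self-test; a real run would feed it names from a registry export or sc query output.

```python
import os
import tempfile

# Prefix the XCP rootkit strips from file, process and registry enumeration.
HIDDEN_PREFIX = "$sys$"

# Service/driver names the guide lists as installed by the XCP package.
# CD_Proxy (shown in services.msc as "XCP CD Proxy") is the visible one.
XCP_SERVICE_NAMES = {
    "CD_Proxy", "$sys$DRMServer", "$sys$aries", "$sys$cor", "$sys$crater",
}


def canary_check(directory):
    """Repeat the guide's test: create $sys$test.txt and see whether it is
    listed. The file is created by name, so it exists either way; the rootkit
    only removes it from directory enumeration. Returns True when the canary
    is visible (clean system) and False when something is hiding it."""
    path = os.path.join(directory, HIDDEN_PREFIX + "test.txt")
    with open(path, "w") as fh:
        fh.write("xcp canary\n")
    try:
        exists_by_name = os.path.exists(path)          # open/stat by name
        listed = os.path.basename(path) in os.listdir(directory)  # enumerate
        return exists_by_name and listed
    finally:
        os.remove(path)


def flag_xcp_services(service_names):
    """Return the names that match the guide's indicators: a known XCP
    service name, or any name using the $sys$ prefix the rootkit hides."""
    return [n for n in service_names
            if n in XCP_SERVICE_NAMES or n.startswith(HIDDEN_PREFIX)]


def run_self_test():
    """Constructed sample only; the names mirror the guide's service list."""
    sample = ["Spooler", "CD_Proxy", "$sys$aries", "Dhcp", "$sys$DRMServer"]
    with tempfile.TemporaryDirectory() as tmp:
        canary_visible = canary_check(tmp)
    return canary_visible, flag_xcp_services(sample)


if __name__ == "__main__":
    visible, hits = run_self_test()
    print("canary visible:", visible, "| flagged services:", hits)
```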
During the installation it will install the following two services:
- HKLM\SYSTEM\CurrentControlSet\Services\CD_Proxy
- HKLM\SYSTEM\CurrentControlSet\Services\$sys$DRMServer
It also installs the following system drivers:
- HKLM\SYSTEM\CurrentControlSet\Services\$sys$aries
- HKLM\SYSTEM\CurrentControlSet\Services\$sys$cor
- HKLM\SYSTEM\CurrentControlSet\Services\$sys$crater
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$OCT
- HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$SYS$LIM
The service $sys$aries is the actual rootkit service. The rest of the services are for the DRM and related software. It will install the following files:
- C:\Windows\System32\$sys$filesystem\$sys$DRMServer.exe
- C:\Windows\System32\$sys$filesystem\$sys$parking
- C:\Windows\System32\$sys$filesystem\aries.sys
- C:\Windows\System32\$sys$filesystem\crater.sys
- C:\Windows\System32\$sys$filesystem\DbgHelp.dll
- C:\Windows\System32\$sys$filesystem\lim.sys
- C:\Windows\System32\$sys$filesystem\oct.sys
- C:\Windows\System32\$sys$filesystem\Unicows.dll
- C:\windows\CDProxyServ.exe
- C:\windows\DbgHelp.dll
- C:\windows\system32\$sys$caj.dll
- C:\windows\system32\$sys$upgtool.exe
- C:\windows\system32\AXPSupport.dll
- C:\windows\system32\ECDPlayerControl.ocx
- C:\windows\system32\InstallContinue.exe
- C:\windows\system32\driver\$sys$cor.sys
- C:\windows\system32\TMPX\APIX.vxd
- C:\windows\system32\TMPX\ASPIENUM.vxd
- C:\windows\system32\TMPX\WNASPI.dll
- C:\windows\system32\TMPX\WNASPI32.dll
- C:\windows\system32\Unicows.dll
The aries.sys file is the actual rootkit file. While Sony has the right to protect its products, technology like this can easily be exploited by malware writers. If a malware writer prepends $sys$ to their filenames and registry keys, and a user has this rootkit installed, then that malware will be hidden from the user, from antivirus software, and from antispyware software. As of this writing, there are already two Trojans that have used this rootkit to hide themselves from the user. These Trojans are:
- Backdoor.Ryknos
- Troj/Stinx-F
Credits: Mark Russinovich of Sysinternals
This is a self-help guide. Use at your own risk.
BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.
If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
Edited by Grinler, 10 July 2006 - 08:59 PM.