Share via


Sony rootkit signatures now available

Hi, we are Eric Allred and Ziv Mador, response coordinators for the anti-malware technology team.

We have analyzed several versions of the rootkit that have been shipped as part of Sony’s XCP software. We are calling the family WinNT/F4IRootkit. We chose the name based on the company that authored this component. We have added detection and removal for those versions via the online scanner at the Windows Live Safety Center. To quickly scan and remove those versions of the rootkit from your computer, you can select the "Full Service Scan" followed by the "Quick scan" option.

The Windows AntiSpyware Beta will be able to detect and remove this as well with the 11/17/05 signature release. Detection and removal will also be added to the December release of the Malicious Software Removal Tool which will be released the second Tuesday of December.

We also wanted to take a moment to confirm that we are not removing or disabling Sony’s XCP software. We are only removing the rootkit component published by First 4 Internet which is included as part of Sony’s XCP software. We will continue to monitor the situation and react as conditions change.

There has also been quite a bit of discussion on the web around the ActiveX control that was later released by First 4 Internet and Sony to neutralize the rootkit. The ActiveX control has been cited with a variety of issues / vulnerabilities and it was quickly pulled off of the Sony site. If you have concerns with this ActiveX control it can be blocked by following the directions at the MSRC blog.

Take care,

Eric and Ziv

Comments

  • Anonymous
    January 01, 2003
    PingBack from http://www.reelsmart.com/2005/12/02/sony-lots-of-baloney/
  • Anonymous
    November 18, 2005
    Well done - keep it up!

    Regards,
  • Anonymous
    November 18, 2005
    The comment has been removed
  • Anonymous
    November 20, 2005
    Well done~~~~~~~~~~
  • Anonymous
    November 21, 2005
    This team rocks, good work!
  • Anonymous
    November 22, 2005
    The comment has been removed