Hi, we are Eric Allred and Ziv Mador, response coordinators for the anti-malware technology team.
We have analyzed several versions of the rootkit that have been shipped as part of Sony’s XCP software. We are calling the family WinNT/F4IRootkit. We chose the name based on the company that authored this component. We have added detection and removal for those versions via the online scanner at the Windows Live Safety Center. To quickly scan and remove those versions of the rootkit from your computer, you can select the "Full Service Scan" followed by the "Quick scan" option.
The Windows AntiSpyware Beta will be able to detect and remove this as well with the 11/17/05 signature release. Detection and removal will also be added to the December release of the Malicious Software Removal Tool which will be released the second Tuesday of December.
We also wanted to take a moment to confirm that we are not removing or disabling Sony’s XCP software. We are only removing the rootkit component published by First 4 Internet which is included as part of Sony’s XCP software. We will continue to monitor the situation and react as conditions change.
There has also been quite a bit of discussion on the web around the ActiveX control that was later released by First 4 Internet and Sony to neutralize the rootkit. The ActiveX control has been cited with a variety of issues / vulnerabilities and it was quickly pulled off of the Sony site. If you have concerns with this ActiveX control it can be blocked by following the directions at the MSRC blog.
Eric and Ziv