Hi, we are Eric Allred and Ziv Mador, response coordinators for the anti-malware technology team.
We have analyzed several versions of the rootkit that have been shipped as part of Sony’s XCP software. We are calling the family WinNT/F4IRootkit. We chose the name based on the company that authored this component. We have added detection and removal for those versions via the online scanner at the Windows Live Safety Center. To quickly scan and remove those versions of the rootkit from your computer, you can select the "Full Service Scan" followed by the "Quick scan" option.
The Windows AntiSpyware Beta will be able to detect and remove this as well with the 11/17/05 signature release. Detection and removal will also be added to the December release of the Malicious Software Removal Tool which will be released the second Tuesday of December.
We also wanted to take a moment to confirm that we are not removing or disabling Sony’s XCP software. We are only removing the rootkit component published by First 4 Internet which is included as part of Sony’s XCP software. We will continue to monitor the situation and react as conditions change.
There has also been quite a bit of discussion on the web around the ActiveX control that was later released by First 4 Internet and Sony to neutralize the rootkit. The ActiveX control has been cited with a variety of issues / vulnerabilities and it was quickly pulled off of the Sony site. If you have concerns with this ActiveX control it can be blocked by following the directions at the MSRC blog.
Eric and Ziv
Well done - keep it up!
Re "Hidden" software and Windows Live Safety Center
I tried the Live Safety Center "Full Service" scan last night.
I stopped it when it said '1 Virus Found' to see what it had found.
All it reported was "1 Virus Deleted"
What was Deleted? no idea.
In a nutshell given the furore over Sony's 'hidden' rootkit the lack of transparency by the product is 'NOT Acceptable'
If I may point out it is 'my' computer and it is my decision what does and does not get deleted from it. Sure I will take open, honest credible advice but at the end of the day is my choice.
After all how do I know you are not declaring compeditors products 'a virus' ?
This team rocks, good work!
Looks like Microsoft is just as spineless as every other anti virus/spyware company.
Why would Microsoft not remove the whole rouge application? Is it stated anywhere in the EULA that Sony will install DRM software on your computer? No it’s not!! Therefore it should be removed. Microsoft is a monster of a company with enough resources to fend off any legal assault by Sony. I can only assume that M$ will not remove the DRM because they want to cuddle up to Sony so they can push their audio/video compression and DRM software.
I still am amazed at the ignorance M$ exhibits. Do they not realize that people ‘DON’T’ trust them? The only reason we need anti virus/spyware or firewall protection is because Windows was is so poorly coded. Now they want to have their cake and eat it too. If M$ want people to start trusting them they would do two things:
1. Give their anti virus/spyware apps away for free. No charging for definition updates.
2. Don’t play the political game. If an app is installed without the users consent it is a rouge application and should be removed.
Looks like M$ doesn’t want to step on the other anti virus/spyware companies toes by making a product that is on par with their offerings. Thanks Microsoft for making it clear that you still cannot be trusted!!
PingBack from http://www.reelsmart.com/2005/12/02/sony-lots-of-baloney/