Brought to you each week by the PC Gurus, a loose collection of volunteers from around the Kentuckiana region. You can interact with the PC Guru team via our Web site, located at http://www.thepcgurus.com. On our site you can post your computer questions, comments and rants on the forums, e-mail the PC Guru team members and chat one on one in our nightly IRC chat beginning around 8:00 PM EST. You can also subscribe to our RSS feeds so you can get the latest news and forum updates from the PC Guru Web site directly on your computer.
If you’re new to the Newsletter you can read back issues at Team member JP Durbin’s website at http://www.jpdurbin.net. There are links to all the old 84 Online issues as well as the new GuruNews missives.
The WHAS Crusade for Children provides year round support for needy children throughout the Kentuckiana region. Visit http://www.whascrusade.org to make donations online.
To subscribe to this newsletter just drop by www.thepcgurus.com and sign up!
Vol. 5, No. 45
11-11-05
1 Latest “virus” vector is Sony BMG (Part 2)
2 Panic
3 More Sony woes, AMD sales, Firefox anniversary, Granny the blogger
4 Newsletter news
5 Startup error
You’ll recall from last week that we left you with Mark Russinovich tying the rootkit he discovered on his computer (http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html) to Sony BMG: he recalled that he had recently purchased a copy of “Get Right with the Man” by the Van Zant brothers, published by Sony.
Playing the CD showed that the previously cloaked program, named $sys$DRMServer (the cloaking driver hides any file, process, registry key or service whose name begins with “$sys$”), was pulling an increased amount of CPU time while passing itself off as a “Plug and Play Device Manager” service (double cloaking?). Even after the CD player was closed the service kept consuming between 1 and 2% of the CPU.
Earlier Mark had made a copy of notepad.exe, renamed it to $sys$notepad.exe and verified that the file, and the program once it was started, were cloaked by the same driver. In other words virtually anything could hide behind that prefix and eat up resources while remaining totally invisible, viruses and spyware included. A scary thought indeed.
Finding no mention of the program in Add/Remove Programs in Control Panel, Mark checked the EULA (http://www.sysinternals.com/blog/sony-eula.htm) and discovered that it said nothing about stealth software. The only hint of an installation was a reference to a program that would protect the audio files and “facilitate your use of the DIGITAL CONTENT” (yeah, right). You were also told that the program would reside on your system until “removed or deleted”. Since the files were hidden from every tool the typical user would reach for, they were also impossible to remove or delete, which makes that passage thoroughly misleading.
Mark stopped the once-cloaked processes and began deleting the files and registry entries, discovering to his surprise that the rootkit was programmed to start even in Safe Mode. The biggest shock came when he rebooted: his CD/DVD drives no longer worked, and didn’t even show up as drive letters. The reason is that part of the software had registered itself as a filter driver on the CD-ROM device stack; with the driver file gone but the registry still listing it, Windows could not start the drives at all. That is also why the removal instructions below end with uninstalling and re-detecting the drives.
Now if you happen to own a Sony CD of recent vintage and are afraid you may be infested with this malware, don’t despair. An anonymous poster gave detailed instructions over at http://blogs.washingtonpost.com/securityfix/2005/11/sony_raids_hack.html to remove the software and fix the CD/DVD issue. He or she did this in XP Pro, but it should also work in XP Home. It’s a bit technical, but not too bad. Keep in mind I haven’t bought a music CD in years, so I’m not blessed with the garbage they put out (both the music and the malware). That being said, it obviously means I haven’t actually tried this fix.
If you see the two services listed in step one and the removal sounds too complicated, get some help from a tech-savvy friend or the neighborhood geek. If you don’t see the services, then you probably aren’t infested.
“The following is how you kill this hidden install. I did this in Windows XP Pro, so attempt on another OS at your discretion. This will require Administrator rights. Please read through the entire instruction set, and if you don't feel comfortable attempting this, then don't. The rest of you, follow me ;)
1. Hit windowsKey+R to open the RUN command. Type services.msc to run the services dialog. Find 'Plug and Play Device Manager' in the list, right click and choose Properties. Under the General tab of the box that comes up, in the middle there should be the "startup type" of the service. Set this value to "disabled" and click OK. Next find the service named 'XCP CD Proxy' and set its startup type to disabled as well. You won't be able to stop these services, only disable them from starting next time Windows starts.
2. Download and run the latest Blacklight beta from http://www.f-secure.com/blacklight/ This program will find the 'super hidden' CD proxy files we're trying to get rid of. When it finishes searching click next until you reach the screen that shows you all the hidden files it found. Select all these files and click the "rename" button to the right. Windows will restart once you click OK, and the files will be renamed.
3. Once Windows restarts you will have lost any and all CD/DVD drives. DON'T PANIC! Hit windowsKey+Pause/Break to open up your System dialog. Click on the Hardware tab, then on the "Device Manager" button. Your system will not list any CD/DVD drives, but you should see IDE slot(s) that have little yellow circles with exclamation points over them indicating a device with a problem. In order to restore the drivers to their un-sony-altered state you must right click on the affected device and choose "uninstall driver". Do this for each device with a problem.
4. Now that you have uninstalled the affected drivers, simply navigate to your Control Panel via the Start Menu and choose "Add Hardware". The add hardware wizard will run and find your previously disabled devices. Your drives are now restored and functional, and this potentially dangerous menace vanquished.
5. Advanced users may now go and clean up the mess, but this step is not necessary. Delete renamed files, and dare I say it, registry keys that pertain to Sony's program. Use this list for reference: http://www.europe.f-secure.com/v-descs/xcp_drm.shtml but nothing really beats searching.”
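Two checks a technician can run before and after the steps above, as an added example written for this issue (not code from Sysinternals, F-Secure, Sony or the anonymous poster). The first repeats Mark’s $sys$notepad.exe experiment with a harmless canary file: write a file whose name carries the cloaking prefix and see whether a directory listing still shows it. The second looks for that same prefix in the UpperFilters/LowerFilters values of the CD-ROM device class, which is the leftover reference that leaves the drives unusable once the driver files have been renamed (the situation step 3 repairs). The prefix is a parameter set to $sys$; the class GUID is the standard Windows one; the file name, the temporary directory and the sample filter list in the test are assumptions.

```python
"""Added example (not from Sysinternals, F-Secure or the anonymous poster).
Two checks for a name-prefix cloaking rootkit:

  cloak_probe()        - the $sys$notepad.exe test with a harmless canary
                         file: create a file whose name starts with the
                         prefix and see whether a listing still shows it.
  suspicious_filters() - look for the same prefix in the UpperFilters /
                         LowerFilters values of the CD-ROM device class,
                         the leftover that makes the drives vanish once the
                         driver file itself has been renamed or deleted.
"""
import os
import shutil
import sys
import tempfile

# Prefix the cloaking driver matches; a parameter so it can be changed.
CLOAK_PREFIX = "$sys$"

# Standard Windows device setup class GUID for CD-ROM drives.
CDROM_CLASS_KEY = (r"SYSTEM\CurrentControlSet\Control\Class"
                   r"\{4D36E965-E325-11CE-BFC1-08002BE10318}")


def cloak_probe(directory=None, prefix=CLOAK_PREFIX):
    """Create <prefix>canary.txt and return True if the listing hides it.

    A clean system returns False. The rootkit hooks directory enumeration,
    so on an infected system the file is written but never appears in
    the listing. The canary is removed again afterwards (best effort)."""
    made_tmp = directory is None
    if made_tmp:
        directory = tempfile.mkdtemp(prefix="cloakprobe-")
    name = prefix + "canary.txt"      # assumed canary file name
    path = os.path.join(directory, name)
    try:
        with open(path, "w") as fh:
            fh.write("canary\n")
        return name not in os.listdir(directory)
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
        if made_tmp:
            shutil.rmtree(directory, ignore_errors=True)


def suspicious_filters(filter_values, prefix=CLOAK_PREFIX):
    """filter_values: {"UpperFilters": [...], "LowerFilters": [...]} as read
    from the CD-ROM class key. Returns (value name, driver) pairs whose
    driver name carries the cloaking prefix, upper filters first."""
    hits = []
    for value_name in ("UpperFilters", "LowerFilters"):
        for drv in filter_values.get(value_name, []):
            if drv.lower().startswith(prefix.lower()):
                hits.append((value_name, drv))
    return hits


def read_cdrom_filters():
    """Read the live filter values on Windows; {} elsewhere or if none set."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CDROM_CLASS_KEY) as key:
        for value_name in ("UpperFilters", "LowerFilters"):
            try:
                data, kind = winreg.QueryValueEx(key, value_name)
            except FileNotFoundError:
                continue          # value not present, nothing to check
            if kind == winreg.REG_MULTI_SZ:
                found[value_name] = list(data)
            else:
                found[value_name] = [str(data)]
    return found


if __name__ == "__main__":
    print("canary hidden from listing:", cloak_probe())
    live = read_cdrom_filters()
    print("live CD-ROM class filters:", live)
    print("entries with cloaking prefix:", suspicious_filters(live))
```

On a clean machine cloak_probe() returns False and suspicious_filters() returns an empty list; a True from the probe, or any hit in the filter values, is the signal to follow the steps above. If a hit shows up only in the filter values after the files are gone, that single registry reference is what Device Manager’s uninstall-and-redetect in steps 3 and 4 clears.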
Lastly, Mark’s concern that the DRM rootkit could be used for even more nefarious activities was borne out a scant four days after his announcement of Sony’s misdeeds.
Hackers playing the online “World of Warcraft” game started adding $sys$ to the beginning of the names of their cheat programs, thus hiding them from the game’s “Warden” software, which scans the programs running on the player’s PC for cheats (http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/). The cloaking driver hides anything carrying that prefix from everyone, not just from Sony’s own DRM, so the trick is free for the taking. Look for this nifty feature in a virus or spyware app in the near future, coming to a PC near you.
Thanks for being a responsible corporate citizen there, Sony!
Kevin Mefford, Editor

Terry Wise
The Sony/Spyware drama goes on; now, the record giant is being sued:
http://www.techtree.com/techtree/jsp/article.jsp?article_id=69090&cat_id=582
AMD has won a rare victory over Intel, outselling its much larger rival in U.S. stores last month. Ouch!:
http://www.theglobeandmail.com/servlet/ArticleNews/TPStory/LAC/20051110/REDGE10/TPBusiness/MoneyMarkets
Firefox 1.0 was released one year ago this week, and the world of browsers has never been the same:
http://www.informationweek.com/story/showArticle.jhtml?articleID=173601294
Is Grandma a blogger? No? Think again:
http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2005/11/09/financial/f215536S77.DTL
Copy us on the good stuff ;-)
Matthew Dattilo
thepcgurus@gmail.com
www.mattdattilo.com
This should be the last of the Friday newsletters. As you know, for the last several weeks our remailer system has balked at the Thursday issue and I’ve had to resend it on Friday. Kyle has been working to scrap the old system entirely and set up a whole new newsletter distribution server. Tonight is the first live test but Kyle has tested it extensively and tells me it’s a LOT faster than the old system, which usually took hours to get all of the emails sent. Thanks for the hard work Kyle!
Q: Upon startup, the following message appears: "Windows cannot find C:\Windows\Nail.exe. Check your spelling and try again". Clicking the X closes the window and startup continues uninterrupted. This message began appearing after a virus/spybot scan where several files were deleted due to a virus/spyware (using Spybot & McAfee Anti Virus). Is this file necessary to successfully operate the computer? I have noticed that my computer is sluggish. Thank you for your time and help.
A: The file is actually part of the Aurora/Ceres/BetterInternet spyware. You certainly don't need it. If you can email me the version of Windows you're using, I'll help you get rid of the error message.
As far as the PC being slow, I would also recommend getting Ad-Aware from http://www.lavasoftusa.com/software/adaware/; install, update, scan and remove everything it finds. And we generally don't recommend McAfee products, so you may also want to run an online virus scan from either http://housecall.trendmicro.com/ or http://www.pandasoftware.com/products/ActiveScan.htm.
Hope that helps and keep us posted...
Kevin Mefford
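A script for tracking down where a startup error like this one comes from, as an added example written for this issue (not a PC Gurus tool and not something the reader ran). It reads the Run and RunOnce keys under HKLM and HKCU, the standard Windows autostart locations (the Startup folder and other load points are left out), pulls the program path out of each command line, and lists the entries whose program is no longer on disk. That is the shape of an orphaned entry left behind when a scanner deletes the file but not the reference to it. The sample entries in run_demo() are constructed; the labels and file names in it are assumptions.

```python
r"""Added example (not the PC Gurus' own tool). Lists autostart entries whose
program is no longer on disk, which is what produces a "Windows cannot find
C:\Windows\Nail.exe" box at logon after a scanner deletes the file but leaves
the Run entry behind."""
import os
import shutil
import sys
import tempfile

# Autostart locations checked on Windows (hive, subkey). The Startup folders
# and other load points are not covered here.
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def executable_from_command(command):
    r"""Extract the program path from an autostart command line.

    Handles  "C:\Program Files\app.exe" /arg  (quoted path plus arguments)
    and      C:\Windows\Nail.exe              (bare path).  An unquoted path
    that itself contains spaces is ambiguous and yields only its first token.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def orphaned_entries(entries):
    """entries: {label: command line}. Returns {label: missing path} for the
    ones whose program does not exist (environment variables are expanded)."""
    orphans = {}
    for label, command in entries.items():
        target = os.path.expandvars(executable_from_command(command))
        if target and not os.path.isfile(target):
            orphans[label] = target
    return orphans


def read_run_entries():
    """Collect the live Run/RunOnce values on Windows; {} on other systems."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = {}
    for hive, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except FileNotFoundError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:        # no more values under this key
                    break
                entries[f"{hive}\\{subkey}\\{name}"] = str(value)
                index += 1
    return entries


def run_demo():
    """Constructed sample: one entry whose program exists, one whose program
    (named after the reader's Nail.exe) has already been deleted."""
    workdir = tempfile.mkdtemp(prefix="autostart-")
    try:
        good = os.path.join(workdir, "good.exe")
        open(good, "w").close()
        sample = {
            "Run\\Good": f'"{good}" /silent',
            "Run\\Nail": os.path.join(workdir, "Nail.exe"),
        }
        return orphaned_entries(sample)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    live = orphaned_entries(read_run_entries())
    for label, path in (live or run_demo()).items():
        print(f"{label} -> missing {path}")
```

Each line it prints names a registry value to delete; removing the value stops the message, while the missing file itself is already gone. Run it after the scanners have finished, since a value that still points at a file on disk is not the problem being chased here.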
If you have tech support questions or ideas and/or submissions for our newsletter please submit them by visiting www.thepcgurus.com and clicking on the “Email the Team” icon.
Copyright 2001-2005 The PC Gurus, all rights reserved. Publication, rebroadcast or storage is prohibited without prior consent, however you may freely forward this publication to friends as long as A) it is forwarded in its entirety and B) no fee is charged.
Information provided in this publication is provided "as is" without warranty of any kind, either expressed or implied. Although the information provided is known to work on most systems, it may not work on ALL systems. Make use of any information supplied at your own risk.
The PC Gurus are a group of volunteers who provide support for the PC, Mac and Linux users in the Kentuckiana region.
To unsubscribe from this newsletter send an email to microdome@seidata.com with the words “unsubscribe newsletter” (without the quotes) at the top of the body of the message.