
Sony Stinx Trojan

From , former About.com Guide


Name:

Stinx

Also known as:

Troj/Stinx-E (Sophos), Trojan.Downloader.Small-882 (ClamAV), Backdoor.Ryknos (Symantec), Backdoor.IRC.Snyd.A (BitDefender), Backdoor.Win32.Breplibot.b (Kaspersky), W32/Brepibot (McAfee)

Type:

IRC backdoor and downloader Trojan

Discovered:

November 10, 2005

Email Characteristics:

Seeded in an email carrying a 10240 byte attachment named 'Article+Photos.exe'

System Impact:

The Sony Stinx Trojan exploits the Sony DRM cloaking technology (aka rootkit) installed by music CDs published by Sony after March 2005. This allows the malware to be hidden from view - effectively masking its presence even from most antivirus scanners. The Sony Stinx Trojan installs an IRC Backdoor Trojan that allows remote access to compromised PCs, downloads other malware, and disables the Windows XP firewall.

Technical Description:

Norman Sandbox reports the following actions are taken by the attachment when opened.

Changes to filesystem
* Creates file C:\WINDOWS\SYSTEM32\$sys$drv.exe.
* Creates file C:\WINDOWS\TEMP\130.bat.
* Creates file C:\WINDOWS\TEMP\181.bat.

Changes to registry
* Creates key "HKCU\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj".
* Sets value "$sys$drv"="$sys$drv.exe" in key "HKCU\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj".
* Creates key "HKLM\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj".
* Sets value "$sys$drv"="$sys$drv.exe" in key "HKLM\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj".

Note: These are invalid registry keys, resulting from a bug in the Trojan's decryption routine. As a result, the Trojan will not reload when Windows is restarted.

Network services
* Connects to "152.7.24.186" on port 8080 (TCP).
* Connects to IRC Server.
* Connects to "24.210.44.45" on port 8080 (TCP).

Process/window information
* Attempts to open C:\WINDOWS\TEMP\130.bat NULL.
* Attempts to open C:\WINDOWS\SYSTEM32\$sys$drv.exe NULL.
* Attempts to open C:\WINDOWS\TEMP\181.bat NULL.
* Creates a mutex $sys$drv.exe.

These modifications will not be visible to anyone affected by the Sony Rootkit and are likely to go undetected by antivirus scanners on such systems. Fortunately, those who have not played a Sony BMG music CD on their PC will be able to manually examine their system for the changes listed above and/or use up-to-date antivirus to detect them.
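As an added example (not from the article or from Norman), here is a small Python parser that turns the sandbox lines above into a structured indicator list and then flags the names the Sony XCP driver cloaks, which is the set that cannot be trusted to show up when checked from inside an infected session. The report text is a constructed sample copied from the listing above; the assumption that the driver hides anything whose name begins with $sys$ comes from Mark Russinovich's analysis of the XCP rootkit, not from this page.

```python
import re
from typing import Dict, List

# Constructed sample input: Norman Sandbox lines as quoted in the article above.
SANDBOX_REPORT = r"""
Changes to filesystem
* Creates file C:\WINDOWS\SYSTEM32\$sys$drv.exe.
* Creates file C:\WINDOWS\TEMP\130.bat.
Changes to registry
* Sets value "$sys$drv"="$sys$drv.exe" in key "HKCU\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj".
Network services
* Connects to "152.7.24.186" on port 8080 (TCP).
* Connects to IRC Server.
Process/window information
* Creates a mutex $sys$drv.exe.
"""

# One regex per sandbox action; the trailing period is part of the report format.
PATTERNS = {
    "file": re.compile(r'^\* Creates file (.+)\.$'),
    "regkey": re.compile(r'^\* Creates key "([^"]+)"\.$'),
    "regvalue": re.compile(r'^\* Sets value "([^"]+)"="([^"]*)" in key "([^"]+)"\.$'),
    "network": re.compile(r'^\* Connects to "([\d.]+)" on port (\d+) \((\w+)\)\.$'),
    "mutex": re.compile(r'^\* Creates a mutex (.+)\.$'),
}

CLOAK_PREFIX = "$sys$"  # assumption: the XCP driver hides names starting with this


def parse_sandbox_report(text: str) -> Dict[str, List]:
    """Turn Norman Sandbox report lines into indicators grouped by kind."""
    iocs: Dict[str, List] = {kind: [] for kind in PATTERNS}
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                # single-group patterns store the string, multi-group ones a tuple
                iocs[kind].append(m.groups() if len(m.groups()) > 1 else m.group(1))
                break  # "Connects to IRC Server." matches nothing and is skipped
    return iocs


def cloaked_indicators(iocs: Dict[str, List]) -> List[str]:
    """Names the rootkit would hide: files, registry values and mutexes starting
    with $sys$. Look for these from offline media or with the cloaking driver
    disabled; a check run inside the infected session will not see them."""
    names = [path.rsplit("\\", 1)[-1] for path in iocs["file"]]
    names += [value[0] for value in iocs["regvalue"]] + iocs["mutex"]
    return [n for n in names if n.startswith(CLOAK_PREFIX)]
```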

Those who suspect they may have the Sony DRM cloaking technology installed should consult the article Rootkits Revealed for tips on ferreting out rootkitted malware.


©2012 About.com. All rights reserved.
