Changes to filesystem
* Creates file C:\WINDOWS\SYSTEM32\$sys$drv.exe.
* Creates file C:\WINDOWS\TEMP\130.bat.
* Creates file C:\WINDOWS\TEMP\181.bat.
Changes to registry
* Creates key "HKCU\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj".
* Sets value "$sys$drv"="$sys$drv.exe" in key "HKCU\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj".
* Creates key "HKLM\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj".
* Sets value "$sys$drv"="$sys$drv.exe" in key "HKLM\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj".
Note: These are invalid registry keys, resulting from a bug in the Trojan's decryption routine. As a result, the Trojan will not reload when Windows is restarted.
Network services
* Connects to "152.7.24.186" on port 8080 (TCP).
* Connects to IRC Server.
* Connects to "24.210.44.45" on port 8080 (TCP).
Process/window information
* Attempts to open C:\WINDOWS\TEMP\130.bat NULL.
* Attempts to open C:\WINDOWS\SYSTEM32\$sys$drv.exe NULL.
* Attempts to open C:\WINDOWS\TEMP\181.bat NULL.
* Creates a mutex $sys$drv.exe.
These modifications will not be visible to anyone impacted by the Sony Rootkit, which cloaks any file, registry key or process whose name begins with "$sys$", and they may well go undetected by antivirus scanners. Fortunately, those who have not played a Sony BMG music CD on their PC will be able to manually examine their system for the aforementioned changes and/or use up-to-date antivirus to detect them.
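As an added example (not part of the original report), the following read-only PowerShell script checks a Windows host for the exact files, registry keys, value and mutex listed above. It assumes the paths as given on this page and administrator rights for the HKLM key; on a machine where the Sony cloaking driver is active, the "$sys$" items will be hidden from it, so a clean result there is not conclusive.

```powershell
# Added example: look for the artifacts listed in the report. Read-only.
# Single quotes keep PowerShell from interpreting $ and ` in these names.
$files = @(
    'C:\WINDOWS\SYSTEM32\$sys$drv.exe',
    'C:\WINDOWS\TEMP\130.bat',
    'C:\WINDOWS\TEMP\181.bat'
)
$keys = @(
    'HKCU:\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj',
    'HKLM:\Software\WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj'
)
$valueName = '$sys$drv'
$mutexName = '$sys$drv.exe'
$findings  = @()

foreach ($f in $files) {
    # -LiteralPath: the $ characters must not be treated as wildcards.
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += "Registry key present: $k"
        $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$valueName]) {
            $findings += "  value $valueName = $($props.$valueName)"
        }
    }
}

# A mutex that can be opened (or that exists but denies access) means the
# Trojan process is running right now, not merely present on disk.
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $m.Dispose()
    $findings += "Mutex present: $mutexName"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: nothing to report.
} catch [System.UnauthorizedAccessException] {
    $findings += "Mutex present (access denied): $mutexName"
}

if ($findings.Count -gt 0) { $findings } else { 'None of the listed artifacts found.' }
```

Because the report notes the registry keys are written with corrupted names, the key check above confirms this particular sample rather than a correctly persisting variant.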
Those who suspect they may have the Sony DRM cloaking technology installed should consult the article Rootkits Revealed for tips on ferreting out rootkitted malware.