XCP
- Type: Program
- SubType: -
- Discovery Date: 11/08/2005
- Length:
- Minimum DAT: 4624 (11/09/2005)
- Updated DAT: 5186 (12/14/2007)
- Minimum Engine: 5.1.00
- Description Added: 11/08/2005
- Description Modified: 11/17/2005 4:43 AM (PT)
Overview
This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security- or privacy-minded computer user may want to be informed of.
Aliases
- SecurityRisk.First4DRM (Symantec)
- XCP.Sony.Rootkit (CA)
Characteristics
McAfee(R) AVERT(tm) recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
Distribution
To prevent illegal copying of music, some recent Sony music CDs contain Digital Rights Management (DRM) software from the company First4Internet. This software is installed together with a music player provided on the CDs. In order to hide the installation of this additional software, it drops a program ("XCP") that hides any file or process whose name starts with the string “$sys$”. The behavior of XCP was observed on
More information on how to remove XCP is available at the Sony website and http://updates.xcp-aurora.com/
With the latest DATs, McAfee detects, removes, and prevents reinstallation of XCP. Please note that removal will not impair the copyright protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP (http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html). System crashes may also occur during repair using McAfee products due to issues in the First4Internet code itself.
Characteristics
A SonyBMG music CD is inserted in the CD drive of a computer system running Microsoft Windows. If the CD has the DRM software, an EULA is presented. Some excerpts of the EULA are shown below:
- "As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the SOFTWARE) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise."
- "install one (1) copy of SOFTWARE onto the hard drive of YOUR COMPUTER, solely in machine-executable form;
- install one (1) copy of any APPROVED MEDIA PLAYER(S) contained on this CD onto the hard drive of YOUR COMPUTER, solely in machine-executable form;
- use the SOFTWARE and any APPROVED MEDIA PLAYER(S) contained on this CD to access the DIGITAL CONTENT on YOUR COMPUTER or on an APPROVED PORTABLE DEVICE"
Installation
- The autorun feature of the CD starts a process called “go.exe”, which is an enhanced installer by F4I. It installs the file $sys$DRMServer.exe, the main component for installing the XCP service.
- $sys$DRMServer.exe creates a service named "$sys$aries" using the file aries.sys located in the hidden folder %sysdir%\$sys$filesystem. The display name given to this service is “Network Control Manager Service”.
- Creates the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$sys$aries
- XCP hides processes, files and directories whenever the name starts with the string “$sys$”. It also hides some specific registry keys that point to the path of these binaries.
- Any file created with a name that begins with “$sys$” will automatically be hidden.
- This is a security risk, as some virus scanners will not be able to detect or delete malicious programs that take advantage of this cloaking.
NOTE: Heuristic detection was added to the 4612 DATs for files likely to be attempting to exploit the security hole created by XCP. Files matching this signature may be detected as New Malware.j
Manual Removal Instructions:
- Run “net stop $sys$aries”
- Delete %sysdir%\$sys$filesystem\aries.sys
Symptoms
- Any file or folder whose name starts with $sys$ is hidden.
- Presence of the file aries.sys in the %sysdir%\$sys$filesystem folder.
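An added detection probe for the symptoms listed above (example code written for this page, not McAfee's or First4Internet's). It creates a "$sys$"-prefixed file next to a control file and checks whether only the prefixed one disappears from the directory listing, then looks for the aries.sys path and, on Windows, the $sys$aries service key from the Installation section; the probe file names and the fallback directory are assumptions.

```python
from __future__ import annotations
import os
import sys
import tempfile
from pathlib import Path

CLOAK_PREFIX = "$sys$"                                   # prefix XCP hides
SERVICE_NAME = "$sys$aries"                              # service from the page
DRIVER_RELPATH = os.path.join("$sys$filesystem", "aries.sys")  # under %sysdir%


def hidden_names(created: list[str], listed: list[str]) -> list[str]:
    """Names that were created but are absent from the directory listing."""
    visible = set(listed)
    return [n for n in created if n not in visible]


def cloak_probe(directory: str | None = None) -> bool:
    """Create a '$sys$'-prefixed file and a control file side by side, list the
    directory and return True only if the prefixed file alone has vanished.
    On a clean system both files are listed, so this returns False."""
    base = Path(directory or tempfile.gettempdir())   # assumed probe location
    names = [f"{CLOAK_PREFIX}probe.tmp", "control_probe.tmp"]  # constructed
    for n in names:
        (base / n).write_text("probe")
    try:
        return hidden_names(names, os.listdir(base)) == [names[0]]
    finally:
        for n in names:
            try:
                (base / n).unlink()
            except OSError:
                pass  # a cloaked file may resist normal deletion


def indicator_check(sysdir: str) -> dict[str, bool]:
    """Look for the driver file and, on Windows, the service key. While the
    cloak is active the file test can report False even though aries.sys is
    present, which is why cloak_probe() is the primary signal."""
    found = {"aries.sys": os.path.isfile(os.path.join(sysdir, DRIVER_RELPATH))}
    if sys.platform == "win32":
        import winreg
        key = "SYSTEM\\CurrentControlSet\\Services\\" + SERVICE_NAME
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            found["service key"] = True
        except OSError:
            found["service key"] = False
    return found
```

Run `cloak_probe()` first, then `indicator_check(os.path.join(os.environ["SystemRoot"], "system32"))` on a Windows host; a True from the probe is the stronger indicator because the file check is itself subject to the cloaking.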
Method of Infection
Currently this security risk is being distributed via Sony BMG music CDs that have content protection purchased from F4I.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations
Variants
N/A