K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY

3 edits

K McAleavey

Premium Member

Handyperson's guide to removal of SONY ROOTKIT!

BEFORE you read this, it's important to note that we're EXTREMELY busy right now with far more serious issues than the media's attention to the "SONY ROOTKIT" phenomenon, and that handling panicked people over this has consumed huge amounts of our time already to the detriment of more important issues. As we near release of BOClean 4.20, all of our attention is focused on that right now. Emails regarding this issue or instant messages will have to wait until AFTER Thanksgiving. Therefore, should you respond to this offering, please don't be offended if I don't have time to respond to those at this time. I encourage further discussion and possible corrections of the advice offered below, but am not in a position to assist owing to far more pressing urgencies. I hope folks will understand the difficult situation that I'm in.

Having found some time to go back and play with the SONY rootkit has been difficult to come by, and our attorneys have been unable to obtain a definitive answer from the justice department as to our creating a specific solution to the SONY "rootkit" problem. However, I have been told that I have a right to my opinion, and as long as I express this as "my opinion" and not that of our company, (I did this on my own time) I should be free to share a chuckle with folks as to the pathetic nature of this "rootkit." And in doing so, I can explain WHY I think it's pathetic as well! So let's have at it, folks can learn from my rant to follow how to take care of this all by themselves!

The "rootkit" indeed hides the uber-secret "$sys$filesystem" folder, which is a subfolder of the WINNT (NT and 2000) or WINDOWS (XP) "SYSTEM32" folder. The rootkit sadly, is UNABLE to hide itself from being accessed directly from a COMMAND PROMPT (found in the start menu/programs/accessories list).

So for chuckles, I opened a COMMAND prompt. I then went (on an XP box, NT and Win2000 would be a WINNT rather than WINDOWS) ...

CD\WINDOWS (enter)
CD SYSTEM32 (enter)
CD $sys$filesystem (enter)

Lo and behold, on a machine infected by this, I got a PROMPT with $sys$filesystem present! (on an UNinfected machine, you'd get an error of "not found." Surprisingly, it let me HAVE it!) If this directory doesn't show, then you're NOT infected! You're finished right here.

IF $SYS$FILESYSTEM exists, then the first thing we'll want to do is lose the "cloak" and that is a file called ARIES.SYS ... this command will get rid of it, you can successfully delete it while it's running. It's NOT protected! Heh. This command loses the cloak:

DEL ARIES.SYS (enter)

Once you've done this, REBOOT!

At THIS point, you have done what everyone else (including antiviruses, Microsoft and everyone else) is going to do as their FINAL solution - you have successfully "uncloaked" and prevented any further possible exploits of your system. Color it done unless you're brave enough to continue. In going further, a COMPLETE removal is necessary. Here's what I discovered ...

REMOVING THE REST OF SONY'S "TREAT"

After you've rebooted, some services (which are not really services) will run again, particularly the $sys$DRMServer. Trying NET STOP won't work as it's not REALLY a service. You'll get a system error. However, you can now SEE the files when you use the "My computer" file explorer and you'll be able to SEE the "$sys$filesystem" folder now under the SYSTEM32 folder.

You should now be able to move to the formerly-hidden $sys$filesystem folder and it should now be visible after the reboot.

BEFORE you do anything else, you now have to consider if you're brave enough to do manual registry editing, because if you remove anything else and don't clean up the registry, your CDROM and possibly your hard disk(s) *WILL* vanish if "crater.sys" and "$sys$cor.sys" are removed. So if you're uncomfortable with registry editing, STOP NOW! You're DONE!!!

If you do the CD\WINDOWS, CD SYSTEM32, CD $sys$filesystem trick again, you will note that two things that weren't there before will now appear. Those are $sys$DRMServer and $sys$parking. LEAVE THEM ALONE! And there are MORE back in the SYSTEM32 folder. Leave THOSE $sys$*.* files alone for now ALSO!

The $sys$DRMServer.exe file will still be running and cannot be stopped without registry removal and another reboot. So ON to the next step(s) ...

NEXT STEP - REGISTRY CLEANING

Because the rootkit modifies registry permissions, a TEMPORARY trick needs to be applied in order to be successful.

FIRST ... run REGEDT32 (*NOT* REGEDIT) and navigate down to the HKEY_LOCAL_MACHINE key. RIGHT click it and select PERMISSIONS from the dropdown menu.

Click on "everyone" and make sure that FULL CONTROL is checked before proceeding. After you're done, be SURE to come back here and UNcheck it or your machine will be at risk. This elevated privilege is required in order to successfully edit and/or delete the remains, and it's CRUCIAL that you reset this after you're done!

Use the FIND item to locate anything that matches "$sys$" ... there's going to be a PILE of them all over the place, and failure to carry out this portion of it will cause drives to no longer work!

Using FIND, have it search for $sys$ ... certain registry entries can simply be deleted, certain ones must be EDITED, and here's where it gets tricky ...

First things you'll encounter are under the HKEY_LOCAL_MACHINE files, under the SOFTWARE key ... you'll want to delete outright these three:

$sys$reference (right click, DELETE!)
ECDDiskProducers (byebye)
SONYBMG (hasta la vista!)

Then, as you continue to FIND more $sys$ items, BE CAREFUL! Some can be deleted, SOME HAVE TO BE EDITED!!! To find the next, simply hit the F3 key!

In "WBEM\WDM" you'll spot some UUID's and there will be crater.sys. Any such references that DON'T have IMAPI are safe to just delete. This will be the first one you encounter after the above. DELETE. Same for the one in WBEM\WDM\DREDGE ... DELETE!

This qwap also copies itself all over the "CurrentControlSet" keys, and does up ALL of them.

So next stop will be under various "ControlSet00x" keys. You'll stop at the "CoDeviceInstallers" ... for each "$sys$caj.dll" you encounter. On OUR lab rats, it was the first UUID entry and the last. Look for the $sys$caj.dll entry and remove ONLY that particular value for a UUID where it appears and do NOT touch anything else in there!

NEXT STOP IS THE TRICKY!

Next stop is the "Enum" area - IDE or SCSI depending on what you have. HERE, we need to EDIT rather than DELETE! Look for an entry on the right side that says "LowerFilters" ... DO NOT DELETE!!!!! You need to double-click on the "LowerFilters" name. That will bring up an EDIT screen.

In this EDIT screen, what you need to do is move the cursor up where it says "$sys$crater" and CAREFULLY remove that, and pull any lines below it up. NORMALLY the line below will be IMAPI.SYS but could be something else, and more following. The OBJECTIVE is to remove the $sys$crater ONLY and then pull the line below it up to where the crater.sys WAS. Objective is to leave everything ELSE intact and JUST lose $sys$crater!

Should you encounter a "LowerFilters" that *ONLY* contains "$sys$crater," then you can DELETE it, but usually the "LowerFilters" has another item. Make certain that the top item isn't blank!

Next stop in your search will result in "UpperFilters" and here, what you want to remove is "$sys$cor." If "$sys$cor" is the ONLY entry, then you can delete that item. If there is anything ELSE in there, then you must edit OUT the "$sys$cor" as was done with "$sys$crater." Each system is different and thus the uncertainty here. You ONLY want to get rid of "$sys$crater" and "$sys$cor" and LEAVE EVERYTHING ELSE INTACT or your drives will vanish.

$sys$cor will show up in other places, under the name "ActiveChannel." You can DELETE that whole value too. ANY place where only $sys$cor or $sys$crater shows up as a value can be DELETED as LONG AS there are no other "dependencies" listed. If there are other items, you MUST edit OUT the $sys$whatever and LEAVE THE OTHERS INTACT by removing the entire line which contains either $sys$crater or $sys$cor ...

NEXT STOP, "ROOT" entries! You'll see the following KEYS which need to be deleted:

LEGACY_$SYS$ARIES
LEGACY_$SYS$DRMSERVER
LEGACY_$SYS$LIM
LEGACY_$SYS$OCT

Just delete the entire KEYS themselves, so the above are GONE.

NEXT STOP, "SERVICES" entries! You'll see the following keys next:

$sys$aries
$sys$cor
$sys$crater
$sys$DRMServer

Same deal as above ...

That completes the "CurrentControlSet" ... expect to go through a repeat of the above for EACH user's individual "ControlSet" until you've done them all. How many depends on how many "users" on the machine.

Once done, BE SURE TO GO BACK and CORRECT the security change to the registry that was necessary to do this - REMOVE the checkbox for "everybody" that granted "everyone" "FULL CONTROL." You DON'T want to leave that permission granted!

And finally, REBOOT!

When the system comes back up, GO to that $sys$filesystem folder and delete the remainder - you'll now have permissions to do so. And finally, wipe THESE files from your SYSTEM32 folder:

$SYS$CAJ.DLL
$SYS$UPGTOOL.EXE

You're done!

PREVENTING REINFECTION

1. Disable "autostart" (google for how)
2. Install BOClean (sorry, I *work* for a living and if I didn't, I wouldn't have KNOWN this answer.)

Permission granted to redistribute and expand upon, please include the original source though - Kevin McAleavey (kevinmca at nsclean.com), makers of BOClean. If I'm going to be sued for this, the least I've earned is credit for the answer.

And once again, I apologize if I'm unable to find time to respond to folks until after Thanksgiving, we're INSANELY busy here with far deeper things than this. Hopefully, if there are unanswered questions, some of the "helpers" who have already done this can step in and assist if folks delete the wrong thing and their CDROM is no more. Just a matter of CORRECT registry editing if that's the case.

(edited a second time, MORE typos fixed)
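The LowerFilters/UpperFilters rule from the post above (edit out only $sys$crater or $sys$cor, delete the value only when nothing else is in it), as an added example that is not part of the original post and not BOClean's code. It plans the change from a registry snapshot supplied as Python data and writes nothing; `plan_filter_edit`, `plan_snapshot`, the key paths and the sample entries are constructed for illustration.

```python
"""Plan the LowerFilters/UpperFilters edits described in the post (added example).

Works on a snapshot of registry values passed in as plain Python data, so it
changes nothing by itself. Key paths and device names below are constructed.
"""

# Filter driver names the post says to remove from the multi-string values.
XCP_FILTERS = {"lowerfilters": "$sys$crater", "upperfilters": "$sys$cor"}


def plan_filter_edit(value_name, entries):
    """Return (action, new_entries) for one multi-string filter value.

    action is "keep", "edit" (write new_entries back) or "delete"
    (the XCP driver was the only entry, so the whole value goes).
    """
    target = XCP_FILTERS.get(value_name.lower())
    if target is None:
        return "keep", list(entries)
    if not any(e.strip().lower() == target for e in entries):
        return "keep", list(entries)
    # Drop the XCP entry and any blank lines so the next driver moves up
    # and the top item is never left empty.
    remaining = [e for e in entries
                 if e.strip() and e.strip().lower() != target]
    if not remaining:
        return "delete", []
    return "edit", remaining


def plan_snapshot(snapshot):
    """Build an ordered plan for {key_path: {value_name: [entries]}}."""
    plan = []
    for key_path in sorted(snapshot):
        for value_name, entries in sorted(snapshot[key_path].items()):
            action, new_entries = plan_filter_edit(value_name, entries)
            if action != "keep":
                plan.append((key_path, value_name, action, new_entries))
    return plan


# Constructed sample: one CD-ROM device with other filters present, one
# device where the XCP driver is the only lower filter.
SAMPLE = {
    r"SYSTEM\CurrentControlSet\Enum\IDE\CdRomEXAMPLE\1": {
        "LowerFilters": ["$sys$crater", "imapi"],
        "UpperFilters": ["$sys$cor", "redbook"],
    },
    r"SYSTEM\CurrentControlSet\Enum\IDE\DiskEXAMPLE\1": {
        "LowerFilters": ["$SYS$CRATER"],
        "UpperFilters": ["PartMgr"],
    },
}

if __name__ == "__main__":
    for key_path, value_name, action, new_entries in plan_snapshot(SAMPLE):
        print(f"{action.upper():6} {key_path}\\{value_name} -> {new_entries}")
```
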
trickyrick1
join:2005-03-31
UK

trickyrick1 to K McAleavey

Member

to K McAleavey
Wow, thanks a million for that excellent detailed run-down.
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

kpatz to K McAleavey

Premium Member

to K McAleavey
Great writeup, Kevin.

I had the opportunity to play with (as in infect my PC with) a copy of this DRM from the Neil Diamond "12 Songs" CD yesterday. I used steps similar to yours to clean off my system. I did a couple things differently though:

1. Instead of changing the registry permissions, and having to change them back, I used the "at" command (task scheduler) to launch regedit under the local SYSTEM account. This allows the keys to be deleted without changing permissions.

2. When going through my registry, I found that ActiveService under HKLM\SYSTEM\[CurrentControlSet|ControlSet001|ControlSet002]\Enum\PCIIDE\IDEChannel\(bunch of numbers)\Control was changed to $sys$cor on my secondary IDE channel. Since the primary was set to atapi, I reset this one to atapi as well.

Also, somewhat OT, but I found that I had to accept the EULA for anything including the rootkit to be installed, contrary to some others' postings here that indicated that it would install even on a decline, or on sitting on the EULA window.

Jim Gurd
Premium Member
join:2000-07-08
Livonia, MI

1 edit

Jim Gurd to Cudni

Premium Member

to Cudni
What's the difference between regedit and regedt32? I usually just use REGEDIT.
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

kpatz

Premium Member

Regedt32 lets you edit permissions on registry keys, regedit doesn't (in W2K anyway, not sure about in XP).

K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY

K McAleavey

Premium Member

THANKS, all! Been 31 hours "tonight" and need to go horizontal. After all the research I did on this, I was DAMNED if I was going to let lawyers stop me from at least sharing what I learned, even if I can't release CODE that would just do this for those who don't have our stuff. Angered me to no end having all this done last weekend and being told in that old MS-DOG reality, "working, please wait ..."

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

Cudni to Jim Gurd

MVM

to Jim Gurd
In XP, and above, MS has merged the two
»support.microsoft.com/de ··· s;141377

Cudni

Snowy
"LET'S GO DARWIN"
Premium Member
join:2003-04-05
Kailua, HI

Snowy to K McAleavey

Premium Member

to K McAleavey

Re: Handyperson's guide to removal of SONY ROOTKIT!

said by K McAleavey:

FIRST ... run REGEDT32 (*NOT* REGEDIT) and navigate down to the HKEY_LOCAL_MACHINE key. RIGHT click it and select PERMISSIONS from the dropdown menu.
Is the Sony rootkit able to install on a W98SE??

K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY

K McAleavey to kpatz

Premium Member

to kpatz

Re: Handyperson's guide to removal of SONY ROOTKIT

Don't mind me - to MY mind, things like this should be automatic - at least STOPPING them, even if our forte in being small isn't cleaning up useless, dead entrails. Reality is that a LOT of that junk can sit in the registry, and the file system SO LONG AS it never RUNS again. "Perfect" cleanups of garbage are best left to "scanners." Our job is to just STOP it.

I would have gone the DACL and SID tricks route but was afraid that this was already too complex for most folks, and preferred to go for that which is a little less "obtuse" to "non-admins." At least in REGEDT32, they can "See" this stuff. Just my own mindset, Nancy's 80 year old mother surfs the net and is certainly not someone you want editing a registry.

That's who *I* "work" for ... the less people have to do or think about, the saner *I* am. (grin)
K McAleavey

1 edit

K McAleavey to Snowy

Premium Member

to Snowy
Yes indeed (I still run Win95! Everything we do has to be happy on ... well ... Win 3.1 where possible).

Only difference is that the cloak doesn't work on 9X because their VXD for it is broken. We handle Win9x too.

The stuff is visible though in the registry, all it requires for Win9x is deleting the aries.sys file and in particular, $sys$ari.vxd ... that's the "rootkit" in 9x. Lose that, reboot and happy days!

Snowy
"LET'S GO DARWIN"
Premium Member
join:2003-04-05
Kailua, HI

Snowy

Premium Member

Now if I can just find that W98 vs XP thread.
dave
Premium Member
join:2000-05-04
not in ohio

dave to K McAleavey

Premium Member

to K McAleavey
said by K McAleavey:

That completes the "CurrentControlSet" ... expect to go through a repeat of the above for EACH user's individual "ControlSet" until you've done them all. How many depends on how many "users" on the machine.
This is incorrect, and I think it's a lot simpler to deal with it correctly.

ControlSets are not related to any user.

The various control sets are used by the last-known-good mechanism to recover from a configuration that's so borked up the system cannot run.

CurrentControlSet is a symbolic link to one of the ControlSetNNN keys, and it's the only one that's used.

The rest are just sitting there unused and won't do you any harm. There's no need to modify them, and in fact, I'd suggest that you don't do that - you're jeopardising your ability to recover from any editing mistakes you make in CurrentControlSet.

After having made all the changes suggested by Kevin, you should reboot and log in. At that point, the modified (Sony-free) CurrentControlSet will be declared to be the "last known good" configuration, and you're done. Old entries in other control sets aren't going to come back and haunt you, even if you have to use LastKnownGood for some reason in the future.

K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY

K McAleavey to Snowy

Premium Member

to Snowy
Heh. Like I said, for my REAL machine, I use a PRE-Internet Explorer (the copy that came with "Hover") version of Win95 with my trusty old TRUMPET Winsock ("stronger than oak and twice as thick" to intrusion) on this old tired box I use for "company business" ... none of the old (or new) exploits work here because there's no "browser/OS integration" in THIS particular box.

I predicted the future in 1997, which is why Microsoft don't like me very much ... and thus the "professional antagonism." Humors me to no end ... But if you check out old history, and head for the bottom where I warned what would become of "Browser/OS integration" which didn't exist at the time, you'll see why I'm on Microsoft's chitlist ... heh.

»www.ftc.gov/bcp/privacy/ ··· lean.htm

And even more curious, Judge Jackson in his "finding of violation of antitrust" quoted the issues we raised as a basis of his decision (page 86? 87? Somewhere around there) that "harm was done" on a basis of the changes to core code to "distribute internet functions so as to be inseparable."

Only pointing this out as a basis of my awareness of *WHY* HJT logs exist.
K McAleavey

1 edit

K McAleavey to dave

Premium Member

to dave
Was about to call it a night, but let's go back here for a second. ANY "control set" that is logged into will cause the fuzza to go copy itself to the OTHERS ... Our OWN answer to nasties of course, is the "current" ... however, the other "controlsets" will bear the mark of satan.

I was more concerned about the "I'm in here cleaning, let's get rid of it ALL" and if I see ANY of it, I'll complain. Heh. While you're correct, I was thinking more of the tin-foil brigade. I'm also one of those "it ain't running, it can't run, it cannot be a threat anymore even if some scanner finds the entrails and does that "kitty with a mouse butt, it's a PRESENT! LOVE me!" thingy. Heh. But generally, folks want it GONE and seemingly prefer (so I see here) to go through all sorts of rituals to "make it gone." I'm merely trying to honor the apparent "rituals."

So yeah, a bit anal, but the procedure I self-tortured over does work the best for most people. And after you do the first one, it's like ... "been there, done that, know this" and folks feel better. But considered what the "norms" are for "gotta futz registry, w00t!" and went for it. (grin)

But like I said, if I didn't wear FULL METAL HELMET, there'd be folks wanging that I'm an asshat and don't know what I'm talking about should I suggest not to do *every* registry entry there might be. Again, "expected" ritual honors to the ghods of registry items lost. Heh. There's always a price on "free advice" and it tends to be charged to the giver. Moo.

(edit - refining choice of words in descriptions)

catseyenu
Ack Pfft
Premium Member
join:2001-11-17
Fix East

catseyenu

Premium Member

The sharks may not sleep well tonight but the general public certainly will.. and after all that's what we're all about.
Moo too.

K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY

1 edit

K McAleavey

Premium Member

Since this article has filtered down to a number of places that I don't have access to and since this seems to be the common reference, a few "expert opinions" offered by some others that don't do this to the degree that I do might put some folks into a position of being scared off. Therefore, wanted to stop back for a minute and further explain a few things in order to reduce people's concerns. I stand by the original directions and shall explain a few misguided concepts that I've seen on SpyBot's site and a few others.

In his original article, Russinoff (sp?) had mentioned that the "cure" provided by SONY was a truly bad idea in that THEIR solution actually tried to stop the ARIES.SYS, and in doing so could cause all sorts of bad things to potentially happen. Referring back to my instructions above, I had noted that the ARIES.SYS file is *not* protected and therefore you can simply delete it. This REMAINS correct. AND safe!

By deleting the file, and then rebooting, you are NOT stopping the so-called "service." It is already loaded into memory and executing from there. The file from which it starts is actually unprotected and irrelevant and therefore can be safely deleted without any impact on the system. Several people appear to be under the misimpression that we're stopping it, and just wanted to clarify that we're merely making it _missing_ upon the next reboot. And if it's not there, it can't start in the first place and therefore when you proceed after that reboot, no potential harm can occur. So the original instructions are quite safe to do.

I also wanted to explain that there is a way to avoid having to edit the REGISTRY as well if you leave TWO of the files in the package behind and DON'T delete them. The two files to leave INTACT if you don't feel up to registry editing are:

crater.sys and
$sys$cor.sys (this latter one is in system32\drivers)

The above two files will do nothing beyond passing their hooks back to the rest of your driver stack since there is no longer the DRMSystem executable to "talk to" after you've done your removals.

However, you DO have to do a process killing on two other files in order to delete those as well, and they're quite stubborn:

C:\WINDOWS\CDProxyServ.exe and
C:\WINDOWS\SYSTEM32\$sys$filesystem\$sys$DRMServer.exe

Once the above two have been shutdown and removed, then those remaining two files that are part of the Lowerfilter and Upperfilter in the registry can stay, and you won't have to edit the registry. Perhaps the free "killbox" utility will handle it, I'm used to our BOClean just handling this. But with those two gone, the remaining crater.sys and $sys$cor.sys are quite harmless for those who wish to avoid editing the registry.

Preferably, my original directions are what you want to do in order to completely rid the machine of this. However, for those who are timid (and for good reason) about editing the registry, this alternative means will get the job done and put the bad boy to sleep without having to do all of that registry editing as a result of the rest of this intrusion being removed. It's an acceptable "shortcut" for those so inclined. The remaining two pieces become inactive without their "hosts" and won't interfere with proper operation if left behind.
your moderator at work

Oremina9
Tempus edax rerum
Premium Member
join:2004-06-02
England

Oremina9 to K McAleavey

Premium Member

to K McAleavey

Re: Handyperson's guide to removal of SONY ROOTKIT

I know the vast silent majority of us do appreciate what you do Kevin, including this thread. It's good to know that somebody will make the effort.

TK421
Premium Member
join:2004-12-19
Canada

TK421 to K McAleavey

Premium Member

to K McAleavey
This thread is a tremendous contribution Kevin. I also truly appreciate your efforts.
Mowergun
join:2004-02-15
Charleston, IL

Mowergun to K McAleavey

Member

to K McAleavey
I also really appreciate your work, and I am glad that you and Nancy are around. I hope you both stay the course for a long time.
Jrb2
Premium Member
join:2001-08-31

Jrb2 to K McAleavey

Premium Member

to K McAleavey

Re: Handyperson's guide to removal of SONY ROOTKIT!

May I add my most warmest thanks to you Kevin !!!

I really do hope that things will not have bad repercussion.
(I know nothing about US-laws....).

Most warmest regards !
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to K McAleavey

Premium Member

to K McAleavey

Re: Handyperson's guide to removal of SONY ROOTKIT

I think what you have done is AWESOME. Mahalo nui loa!

Forget the jealous naysayers and meddlesome doubters here. Be it known that not all of us agree with them and are, at times, very ashamed of what transpires here when you post. You and Nancy take care, hang in there, and know that most of us care about what you are doing.

I didn't know about your history with Microsoft nor your prediction regarding the perils of the integration of browser and OS. Very interesting and sadly you were right on the mark.

K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY

K McAleavey

Premium Member

Just wanted to say, THANKS all! Didn't intend to turn this into some sort of love-fest - I posted it here because I suppose I kinda owe some penance for "touting our stuff" but then when you spend 14+ hours a day every day doing something, it's hard to see past what you do all the ding-dong time.

I figured by putting it here, the two pieces (first and followup) might be distributed elsewhere in order to help. Sadly this particular "hot item" is just one of the many things we wade through here daily, and so when we did this a while back, didn't pay much attention. With many nasties each day, ya just tend to figure out "how do we stop this?" and move on to the next. Since I write "automatics" I don't obsess from the standpoint of being all by my lonesome with a problem - there's just too many of them.

But given the panic and no viable solutions, went back through my own notes and sat with the toy far longer than I normally would to arrive at what I offered here. And again, because lawyers wouldn't let me just "go ahead and do it" and because there could be negative repercussions for our own legal standing, I couldn't just write up a fast "general distribution" thing without risking what we do for our own customers. My own anger at the situation was what caused me to go back and work it step by step.

Wasn't altruism, I was just PEEVED at how American and International law is stacked up against you when the "trojan" is "intellectual property protection" and "copyright stuff" and that makes WHATEVER is done in the name of the "DCMA" ("Digital Millennium Copyright Act" - dunno why the C and M are crossed, but must be the law) as well as the International "WIPO" treaty ("World Intellectual Property Organisation") which precludes "messing with copyright stuff" even if it's downright evil in its poor design.

But yes, the laws ARE that stupid. There needs to be a mechanism of course to protect the hard work of artists (not so the record companies) but there also needs to be limits on what can be done in the name of that "protection." XCP not only went TOO far, it did it poorly. I saw no other option but to compose this "personal rant" as the only solution I could provide that doesn't involve just saying "our stuff does this." There oughta be a law. Oh wait, that's what got us *IN* this mess. BAD sausage-crafting.

THANKS all!

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

Cudni to K McAleavey

MVM

to K McAleavey
I recommend Boclean both to businesses and individuals based on its price, effectiveness and stellar support.

I do not base that advice on outdated marketing tactics that are frequently employed where the app is glorified and mentioned at any cost.

You wrote a brilliant guide but couldn't help yourself placing a plug for an already great app. I like your sig as it says all and that is all you need.

Cudni
your moderator at work

Wildcatboy
Invisible
Mod
join:2000-10-30
Toronto, ON

Wildcatboy to K McAleavey

Mod

to K McAleavey

Re: Handyperson's guide to removal of SONY ROOTKIT


Enough please. Stay within the subject of this thread please.

K McAleavey
Premium Member
join:2003-11-12
Voorheesville, NY

K McAleavey

Premium Member

Ummm ... you responded to ME here, and I don't note any of MY messages missing though your "moderation" makes it appear as though I've done something wrong. Since I haven't stored the two missing messages, could you please clarify this?

Otherwise, I feel compelled since you appear to be blaming ME for whatever happened here to go back to the information I provided here and "upon reflection, I wish NOT to post." While I'm all for your idea of decorum, I don't want to be made to appear to be the culprit. This information is on numerous other locations.