Updated: February 13, 2007 11:47:04 AM
Type: Other
Version: n/a
Publisher: First 4 Internet Ltd.
Risk Impact: High
File Names: aries.sys
Systems Affected: Windows

Behavior


SecurityRisk.First4DRM is a rootkit that hides any processes, files, folders, or registry subkeys that start with the following string:

$sys$

Note:

  • This rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software.
  • Customers running Norton Internet Security 2005 AntiSpyware Edition, programs from the Norton 2006 line of products, and Symantec AntiVirus Corporate Edition 10.x can make use of the product's remediation functionality to remove this risk.

Symptoms


Any processes, files, folders, or registry subkeys that start with or are renamed to start with the following string are hidden from view:

$sys$

Transmission


This security risk is part of the XCP software present on some Sony BMG content-protected music CDs. When a CD containing this software is started from a CD-ROM, the security risk is automatically installed on the compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version January 09, 2018 revision 004
  • Initial Daily Certified version November 08, 2005
  • Latest Daily Certified version January 09, 2018 revision 008
  • Initial Weekly Certified release date November 08, 2005


When SecurityRisk.First4DRM is executed, it performs the following actions:

  1. Copies itself as the following file:

    %System%\$sys$filesystem\aries.sys

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Creates the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$sys$aries

    which loads the risk as a device driver when the compromised computer is started.

  3. Hides any processes, files, folders, or registry subkeys that begin with the following string:

    $sys$

  4. Checks the name of all processes attempting to access these processes, files, folders, or registry subkeys. If the name of the process begins with the following string, it allows access:

    $sys$

    Otherwise, the risk prevents access to the process, file, folder, or registry subkey.
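The hide and access rules in steps 3 and 4 (and in the Behavior section above) are a name-prefix filter, which is exactly what a cross-view comparison is built to catch: anything that shows up in a raw enumeration (an offline disk image, a parsed registry hive) but not in the listing a normal process gets through the hooked API is being cloaked. The following Python is an added example for this writeup, not code from Symantec, First 4 Internet or the XCP software. It models the `$sys$` rule as the writeup describes it and runs a cross-view diff over constructed listings; the only identifiers taken from the writeup are `$sys$`, `$sys$filesystem\aries.sys` and the `$sys$aries` service subkey. Every other name (`explorer.exe`, `$sys$sample.dll`, `$sys$other.exe`, the sample paths) is constructed, and the assumption that objects beneath a hidden folder or subkey are also unreachable through the filtered view is the example's, not the writeup's.

```python
"""Cross-view detection of objects hidden by a "$sys$" prefix rootkit.

Added example; not code from Symantec, First 4 Internet or Sony BMG.
Models the writeup's rule (hide every process, file, folder or registry
subkey whose name begins with "$sys$"; allow access only to requesting
processes whose own name begins with "$sys$") and shows the defender's
response: diff a filtered API listing against a raw listing and report
what only the raw view contains. All listings here are constructed.
"""
from __future__ import annotations

HIDE_PREFIX = "$sys$"

# Indicators quoted from the writeup, used only to label what the diff finds.
KNOWN_DRIVER_DIR = "$sys$filesystem"
KNOWN_DRIVER_FILE = "aries.sys"
KNOWN_SERVICE_KEY = "$sys$aries"


def _components(name: str) -> list[str]:
    """Split a file path or registry path on either separator."""
    return [c for c in name.replace("/", "\\").split("\\") if c]


def is_hidden(name: str) -> bool:
    """True if the rootkit would hide this object from a normal process.

    Assumption (ours, not the writeup's): anything beneath a hidden folder
    or subkey is unreachable too, so any "$sys$" component hides the object.
    """
    return any(c.startswith(HIDE_PREFIX) for c in _components(name))


def access_allowed(object_name: str, requesting_process: str) -> bool:
    """Step 4 of the writeup: hidden objects are reachable only by "$sys$" processes."""
    if not is_hidden(object_name):
        return True
    return requesting_process.startswith(HIDE_PREFIX)


def filtered_view(raw_listing: list[str], requesting_process: str = "explorer.exe") -> list[str]:
    """What a normal process (constructed default: explorer.exe) sees via the hooked API."""
    return [n for n in raw_listing if access_allowed(n, requesting_process)]


def cross_view_diff(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Names present in the raw (unhooked) view but missing from the API view."""
    return sorted(set(raw_view) - set(api_view))


def classify(hidden: list[str]) -> dict[str, list[str]]:
    """Group diff results into the writeup's known indicators vs. other cloaked objects."""
    result: dict[str, list[str]] = {"known_driver": [], "known_service_key": [], "other": []}
    for name in hidden:
        parts = _components(name)
        if KNOWN_DRIVER_DIR in parts and parts[-1].lower() == KNOWN_DRIVER_FILE:
            result["known_driver"].append(name)
        elif parts[-1] == KNOWN_SERVICE_KEY:
            result["known_service_key"].append(name)
        else:
            # Anything else riding on the cloak: the note in the writeup warns
            # that other software can hide itself with the same prefix.
            result["other"].append(name)
    return result


# Constructed sample data: a raw enumeration of %System% and the Services key.
RAW_LISTING = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\$sys$filesystem\aries.sys",        # the known driver
    r"C:\Windows\System32\$sys$filesystem\$sys$sample.dll",  # constructed
    r"C:\Windows\System32\$sys$other.exe",                   # constructed: unrelated file using the cloak
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfs",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$sys$aries",
]


def run_demo() -> dict[str, list[str]]:
    """Diff the filtered view against the raw view and classify what was hidden."""
    api_view = filtered_view(RAW_LISTING)
    return classify(cross_view_diff(api_view, RAW_LISTING))


if __name__ == "__main__":
    for bucket, names in run_demo().items():
        print(bucket)
        for n in names:
            print("   ", n)
```

On a live host the "raw" side would come from an offline image or a hive parser rather than from the same API the rootkit hooks; the comparison logic is the same, and the `other` bucket is the one to look at closely, since it holds whatever else has adopted the `$sys$` prefix to stay out of sight.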

Removal Tool
Symantec Security Response has developed a removal tool for SecurityRisk.First4DRM. Use this removal tool first, as it is the easiest way to remove this risk.

The tool can be found here: http://securityresponse.symantec.com/avcenter/FixRyknos.exe

The current version of the tool is v1.0.1 and will have a digital signature timestamp equivalent to Thursday, November 10, 2005 3:57:31 PM PST.

Note:
The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.

It has been reported that a computer with this security risk on it may also have other security risks installed. Symantec recommends that the following steps be carried out:

  1. Run the Removal Tool.
  2. Update the definitions by starting the Symantec program and running LiveUpdate.
  3. Run a full system scan to detect any other security risks on the computer.
  4. If the scan detects any further security risks, check for removal tools at http://securityresponse.symantec.com/avcenter/security.risks.tools.list.html.
  5. If there are no removal tools for the security risks that are detected, follow the manual removal instructions listed in the risk report.

Manual Removal

WARNING: Removing this security risk manually may damage the compromised computer's operating system and may violate the manufacturer's end-user license agreement.

Symantec Security Response strongly recommends installing the software update provided by the manufacturer. The latest version removes the security risk from the compromised computer and replaces it with an updated version of the XCP software. This update is available at the following URL:

http://cp.sonybmg.com/xcp/english/updates.html