Malicious Software Encyclopedia: WinNT/F4IRootkit
Published: December 7, 2005
WinNT/F4IRootkit is a kernel-mode rootkit used for copy protection on certain Sony BMG audio CDs. There are several versions of this rootkit. The rootkit hides certain Windows system resources, including files, processes, and registry settings. The rootkit can be used by attackers to hide malicious content on the computer.
Threat Overview
| Class/type | Trojan - Rootkit-Stealth |
|---|---|
| Discovered | October 31, 2005 |
| Circulating | Yes |
| Affected operating systems | Windows 2000, Windows XP, Windows Server 2003 |
| Affected software | Not specified |
| Infection rating | Medium |
| Recovery difficulty | Moderate |
| Damage rating | Medium |
| Transmission rating | Medium |
Technical Analysis
WinNT/F4IRootkit is a kernel-mode rootkit distributed on certain Sony BMG audio CDs. These CDs use the Extended Copy Protection (XCP) technology developed by First 4 Internet Ltd (F4i).
To install the software that is on the CD, the user must be logged on to the computer with an account that has administrator privileges. When the user first inserts the CD and accepts the license agreement, the installer creates a service called $sys$aries and creates the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$aries. The installer creates a directory named $sys$filesystem under %windir%\System32 and drops a driver named aries.sys in the $sys$filesystem directory.
WinNT/F4IRootkit hides certain Windows system resources that begin with "$sys$". This includes names of files, directories, processes, and registry settings. For example, the rootkit would hide a file with a name like $sys$myfile.exe.
The rootkit hides Windows resources by intercepting certain Windows NT kernel-mode API calls. This includes calls to the following APIs: NtCreateFile, NtQueryDirectoryFile, NtQuerySystemInformation, NtOpenKey, and NtEnumerateKey. The rootkit scans the results returned by these API calls and removes any entry in the result that has the $sys$ prefix in the name. For example, if a user lists the contents of %windir%\System32, the rootkit examines the result returned from NtQueryDirectoryFile and removes any directory or file entry that begins with $sys$, so that the entry is not visible to the user.
Although WinNT/F4IRootkit was originally intended to help prevent CD duplication, attackers can use the rootkit in other ways. For example, when the backdoor Trojan Win32/Ryknos infects a computer on which the rootkit is already installed, it gives its own files and registry entries the $sys$ prefix so that WinNT/F4IRootkit hides them. For more information, see the encyclopedia entry for Win32/Ryknos.
How to Prevent Infection
To avoid infection by WinNT/F4IRootkit, do not install software from CDs that are known to include the rootkit. Consult Sony BMG and First 4 Internet Ltd for more information.
How to Tell If Your Computer Is Infected
There are no readily apparent indications of infection by WinNT/F4IRootkit. However, your computer is probably infected by this rootkit if the file aries.sys is in a folder named $sys$filesystem under the Windows system directory.
To check for the presence of aries.sys
Click Start, and click Run.
In the Open text box, type: cmd
Click OK. A command-line shell appears.
At the command prompt, type: dir %windir%\System32\$sys$filesystem\aries.sys
Press Enter. The system displays the name aries.sys if the file is present. Otherwise, the system displays "File Not Found".
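The following is an added example, not code from the encyclopedia entry or from First 4 Internet. It models the result filtering described in the Technical Analysis section (every entry whose name starts with "$sys$" is dropped from an enumeration result), shows the cross-view comparison a defender uses to expose such hiding (an enumeration obtained through the hooked API compared with an unfiltered view from an out-of-band source such as an offline scan), and wraps the direct-path check from the steps above in a function. The unfiltered System32 listing is constructed sample data, and the `exists` parameter is an assumption introduced so the check can be exercised without a Windows host.

```python
"""Cross-view model of $sys$-prefix hiding plus the direct-path check for aries.sys.

Added example, not part of the encyclopedia entry. Assumes the only hiding rule
is the "$sys$" name prefix, as the entry states, and that the unfiltered view
comes from an out-of-band source (here: constructed sample data).
"""
import os
from typing import Callable, Dict, Iterable, List

HIDDEN_PREFIX = "$sys$"

# Indicators taken from the entry text (file path relative to %windir%,
# registry key relative to HKEY_LOCAL_MACHINE).
DROPPED_FILE = os.path.join("System32", "$sys$filesystem", "aries.sys")
SERVICE_NAME = "$sys$aries"
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\$sys$aries"


def hooked_enumeration(raw_entries: Iterable[str]) -> List[str]:
    """Model of the hooked NtQueryDirectoryFile / NtEnumerateKey result filter:
    every entry whose name starts with "$sys$" is removed from the result set
    before it reaches the caller."""
    return [name for name in raw_entries if not name.startswith(HIDDEN_PREFIX)]


def hidden_entries(api_view: Iterable[str], raw_view: Iterable[str]) -> List[str]:
    """Cross-view comparison: names present in the unfiltered view but absent
    from the API view are being hidden from the user."""
    return sorted(set(raw_view) - set(api_view))


def cross_view_report(raw_system32: Iterable[str]) -> Dict[str, List[str]]:
    """Run the model end to end on one unfiltered System32 listing and return
    both what the user would see and what the filter removed."""
    raw = list(raw_system32)
    api = hooked_enumeration(raw)
    return {"api_view": api, "hidden": hidden_entries(api, raw)}


def dropped_file_present(windir: str, exists: Callable[[str], bool] = os.path.exists) -> bool:
    """The direct-path check from the entry's detection steps. The directory
    $sys$filesystem is filtered out of listings, but the entry states that
    addressing aries.sys by its full path still shows the file when present.
    `exists` is injectable (an assumption of this example) so the check can be
    tested with a fake filesystem."""
    return exists(os.path.join(windir, DROPPED_FILE))


if __name__ == "__main__":
    # Constructed sample listing of %windir%\System32 as an offline scan would see it.
    sample_raw = ["drivers", "ntdll.dll", "$sys$filesystem", "cmd.exe"]
    report = cross_view_report(sample_raw)
    print("API view:", report["api_view"])
    print("Hidden by $sys$ filter:", report["hidden"])
    windir = os.environ.get("WINDIR")
    if windir:
        print("aries.sys present:", dropped_file_present(windir))
    else:
        print("Not running on Windows; skipping the live file check.")
```

On an infected Windows system, user-mode enumeration (`os.listdir`, `dir`) only yields the filtered view, so the unfiltered side of the comparison must come from a source the hook does not mediate; the direct-path check is the one test the entry itself relies on.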
How to Recover from Infection
Automatic Recovery
To attempt to automatically remove this threat, run one of the following removal tools:
Manual Recovery
It is best to use up-to-date antivirus software to remove WinNT/F4IRootkit from your computer. You can scan your computer for WinNT/F4IRootkit and other malicious software from the Windows Live Safety Center Web site.
To scan your computer for malicious software from the Windows Live Safety Center
Open an Internet Explorer browser window.
In the address bar, enter the following URL: http://safety.live.com/site/en-US/default.htm
Click Full Service Scan.
Accept the Service Agreement if you are prompted to do so.
Click Install Now.
Select Quick Scan or Complete Scan.
Alternatively, after December 13, 2005, you can use the Microsoft Malicious Software Removal Tool to remove WinNT/F4IRootkit from your computer. For more information about using the Malicious Software Removal Tool, visit http://www.microsoft.com/security/malwareremove/default.mspx.
Transmission Methods
| Method | Description |
|---|---|
| File Copy | Rootkit is copied to the computer when a user logged on with administrator privileges inserts a Sony BMG audio CD containing the rootkit and accepts the license agreement. |
Payload Information
| Payload type | Trigger | Description |
|---|---|---|
| Compromises Security | A user logged on with administrator privileges inserts a Sony BMG audio CD containing the rootkit and then accepts the license agreement. | Hides certain Windows system resources that begin with "$sys$", such as names of files, directories, processes, and registry settings. |
| Creates files | A user logged on with administrator privileges inserts a Sony BMG audio CD containing the rootkit and then accepts the license agreement. | Drops aries.sys at %windir%\System32\$sys$filesystem\aries.sys. |
Modified Registry Entries
| Added registry entries | |
|---|---|
| Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$aries |
| Value name | |
Changed Services
Dropped Files
| Path | %windir%\System32\$sys$filesystem\aries.sys |