VirTool:WinNT/F4IRootkit.C

VirTool:WinNT/F4IRootkit.C is a kernel-mode rootkit distributed on certain Sony BMG audio CDs. These CDs use the Extended Copy Protection (XCP) technology developed by First 4 Internet Ltd (F4i).

 

To install the software from the CD, the user must be logged on to the computer with an account that has administrator privileges. When the user first inserts the CD and accepts the license agreement, the installer creates a service called $sys$aries and creates the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$aries. The installer creates a directory named $sys$filesystem under %windir%\System32 and drops a driver named aries.sys in the $sys$filesystem directory.

 

VirTool:WinNT/F4IRootkit.C hides certain Windows system resources that begin with "$sys$". This includes names of files, directories, processes, and registry settings. For example, the rootkit would hide a file with a name like $sys$myfile.exe. 

 

The rootkit hides Windows resources by intercepting certain Windows NT kernel-mode API calls. This includes calls to the following APIs: NtCreateFile, NtQueryDirectoryFile, NtQuerySystemInformation, NtOpenKey, and NtEnumerateKey. The rootkit scans the results returned by these API calls and removes any entry in the result that has the $sys$ prefix in the name. For example, if a user lists the contents of %windir%\System32, the rootkit examines the result returned from NtQueryDirectoryFile and removes any directory or file entry that begins with $sys$, so that the entry is not visible to the user.

 

Although VirTool:WinNT/F4IRootkit.C was originally intended to help prevent CD duplication, attackers can use the rootkit in other ways. For example, when the backdoor Trojan Backdoor:Win32/Ryknos infects a computer, it uses VirTool:WinNT/F4IRootkit.C to hide if the rootkit is already installed on the computer. For more information, see the encyclopedia entry for Backdoor:Win32/Ryknos.