First Trojan using Sony DRM spotted

Martin Brinkmann
Nov 10, 2005
Updated • Apr 29, 2013

The first trojan using Sony's rootkit software to hide itself has been discovered by anti-virus companies. The

"Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory."

This new Trojan can only be detected by special software like the freeware product Rootkit Revealer. The trojan seems to be spread by fake emails asking people to verify their picture.

Update: There has been a lot of talk about Sony's Rootkit. What we know is that the company used the technology on about 20 different music CDs that it shipped to retail channels. This reduces the likelihood of misuse considerably, considering that users not only had to play one of those music CDs in their PC, but also get that Trojan on their system somehow.

Here is the email that was used to distribute the trojan.


Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly.

Can you check over the format and get back to us with your approval or any changes?

If the picture is not to your liking then please send a preferred one.

We have attached the photo with the article here.

Kind regards,

Jamie Andrews



The Professional Development Institute

And the attachment: Article+Photos.exe

A malicious IRC backdoor is then installed on the system which cannot be detected by normal security software if the Sony rootkit is running on the system.

The trojan then creates a startup key for itself in the Windows Registry, and connects to several IRC servers to wait for commands from the remote hacker. The malicious attacker can perform operations such as downloading, deleting or running files on infected machines without the user of the system ever knowing about it.

The trojan furthermore terminates processes of known security software to avoid detection and removal.


Previous Post: «
Next Post: «


There are no comments on this post yet, be the first one to share your thoughts!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.