http://www.foxnews.com/story/0,2933,175188,00.html

MSTERDAM — A computer security firm said on Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc.

Under a subject line containing the words "Photo approval," a hacker has mass-mailed the so-called Stinx-E Trojan virus to British e-mail addresses, said British anti-virus firm Sophos.

When recipients click on an attachment, they install malware, which may tear down the firewall and gives hackers access to a PC.

The malware hides by using software that is also hidden — software which is installed on Windows-based PCs when consumers play Sony BMG's copy-protected music CDs.

"This leaves Sony in a real tangle. It was already getting bad press about its copy-protection software, and this new hack exploit will make it even worse," said Sophos's Graham Cluley.

Sony BMG's spokesman, John McKay in New York, was not immediately available to comment.

Sony BMG, a joint venture between Tokyo-based Sony Corp. (SNE) and Gutersloh, Germany-based Bertelsmann AG, is distributing the copy-protection software on a range of recent music CDs by artists such as Celine Dion and Sarah McLachlan.

When the CD is played on a Windows personal computer, the software first installs itself and then limits the usage rights of a consumer. It only allows playback with Sony software.

The software sparked a class-action lawsuit against Sony BMG in California last week, claiming that Sony BMG had not informed consumers that it installs software directly into the "root" of their computer systems with rootkit software, which cloaks all associated files and is dangerous to remove.

Sophos said it would have a tool to disable the software later on Thursday.

The Sony BMG copy-protection software does not install itself on Macintosh computers or ordinary CD and DVD players.

It's a good thing the RIAA is suing all these file sharing people just to settle with them out of court; that way there's money to fund R&D for this innovative software.

It's a good thing the RIAA is suing all these file sharing people just to settle with them out of court; that way there's money to fund R&D for this innovative software.

Yaeh agreed.

Fucking retards. Glad I mainly buy used dvds and none from Sony.:D

At least it't happening to Celine Dion and Sarah McLachlan fans.

At least it't happening to Celine Dion and Sarah McLachlan fans.

Hey! Dont put Sarah McLachlan in the same catagory as that shreiking shrew Celene Dion.

Oh, and THANKS SONY! :applause: :roll:

Damn, I hope it doesn't mess up rootkit, because then I wouldn't be able to cheat in WoW. http://online.securityfocus.com/brief/34 :lol:

At least it't happening to Celine Dion and Sarah McLachlan fans.

Yup, now I hope Sony gets some real heat for this from the mainstream media, or at least a segment on some show.

XCP PROTECTED CDS
Trey Anastasio - Shine
Celine Dion - On ne Change Pas
Neil Diamond - 12 Songs
Our Lady Peace - Healthy in Paranoid Times
Chris Botti - To Love Again
Van Zant - Get Right with the Man
Switchfoot - Nothing is Sound
The Coral - The Invisible Invasion
Acceptance - Phantoms
Susie Suh - Susie Suh
Amerie - Touch
Life of Agony - Broken Valley
Horace Silver Quintet - Silver's Blue
Gerry Mulligan - Jeru
Dexter Gordon - Manhattan Symphonie
The Bad Plus - Suspicious Activity
The Dead 60s - The Dead 60s
Dion - The Essential Dion
Natasha Bedingfield - Unwritten
Ricky Martin - Life

Sony sued over copy-protected CDs
Sony BMG is facing three lawsuits over its controversial anti-piracy software.

Revealed in late October by Windows expert Mark Russinovich, the software copy protection system hides using virus-like techniques.

One class-action lawsuit has already been filed in California and another is expected in New York.

Digital rights group, the Electronic Frontier Foundation (EFF), is also gathering information from users to see if a case can be brought.

Court claim

The row erupted following Mark Russinovich's discovery that Sony BMG in America was using a so-called "root kit" to conceal the program used to stop some of its CDs being copied.

"Root kits" are being increasingly used by virus makers to hide their malicious wares deep inside the Windows operating system.

Sony BMG used a program called XCP created by UK firm First 4 Internet that employed similar cloaking systems to hide the proprietary media player used to play tracks on 20 CDs made by the music giant and sold in the US.

But since Dr Russinovich wrote about his discovery the row has snowballed and now has led to lawsuits being filed against Sony BMG.

XCP PROTECTED CDS
Trey Anastasio - Shine
Celine Dion - On ne Change Pas
Neil Diamond - 12 Songs
Our Lady Peace - Healthy in Paranoid Times
Chris Botti - To Love Again
Van Zant - Get Right with the Man
Switchfoot - Nothing is Sound
The Coral - The Invisible Invasion
Acceptance - Phantoms
Susie Suh - Susie Suh
Amerie - Touch
Life of Agony - Broken Valley
Horace Silver Quintet - Silver's Blue
Gerry Mulligan - Jeru
Dexter Gordon - Manhattan Symphonie
The Bad Plus - Suspicious Activity
The Dead 60s - The Dead 60s
Dion - The Essential Dion
Natasha Bedingfield - Unwritten
Ricky Martin - Life
One filed in Los Angeles by Californian attorney Alan Himmelfarb wants to stop Sony BMG selling more CDs protected by anti-copying software and seeks damages for Californians that have bought any albums protected this way.

According to a report in the Washington Post the lawsuit alleges that Sony BMG has broken three Californian laws. At the same time New York lawyer Scott Kamber is planning a class-action lawsuit for all Americans affected.

The EFF is also gathering stories from buyers of Sony BMG CDs protected with XCP. In a statement the organisation said: "We're considering whether the effect on the public, or on EFF members, is sufficiently serious to merit a lawsuit".

At the same time the Italian digital rights group, Electronic Frontiers Italy, has asked the nation's government to investigate Sony over its use of anti-piracy software.

A weblog documenting the unfolding controversy and calling for a boycott of Sony products has also been created.

When contacted a representative for Sony BMG in the UK referred all calls to its corporate headquarters in New York. A call to a spokesman in that office has yet to be returned.

Artist list

The EFF also released a partial list of all the CDs protected with XCP. The list includes popular artists such as Natasha Bedingfield, Celine Dion and Amerie. It also gave advice for ways to spot if a CD is XCP protected.

So far Sony BMG has not released a list of how many CDs are protected or how many have been sold. It has only said that "about 20" titles are protected with the controversial program.

However, the row does not appear to be denting interest in one of the CDs protected by XCP because at the time of writing Neil Diamond's 12 Songs album was the top seller on the Amazon.com website.

Anti-virus companies are starting to release software that can spot the XCP files. Symantec said it had made tools that can find the files but will not remove them.

Computer Associates said that it would be releasing a tool to completely uninstall the XCP program.

At the same time anti-virus firm Kaspersky Labs branded the XCP program spyware because it hides itself, could compromise security and can slow machines down.

Dr Russinovich has continued his investigation of the XCP software and has confirmed that when installed it can make a Windows computer more unreliable.

He also criticised Sony BMG for making it difficult to get hold of software that can uninstall XCP.

it can make a Windows computer more unreliable.
As a die-hard Mac user, I find that line priceless. :lol:

I agree MBE. You don't have these problems with Tiger.

If you put that CD in a Mac, if there were a Mac version, you would be prompted to enter a PW to allow an install at the root/kernel level.

You know who should be absolutely livid about this? Other than end users.

Microsoft.

You know who should be absolutely livid about this? Other than end users.

Microsoft.

Bill Gates has commented on it, I forget where the article is. He doesn't like it, obviously :-)