CNET Security Center: Your complete source of antivirus and Internet security information.
Bkdr_breplibot.c is one of several variants that use the Sony DRM rootkit technology to hide their presence.
By Robert Vamosi (November 10, 2005)
What it does: Attempts to open a backdoor on TCP port 8080
Means of transmission: Spam e-mail
How to recognize: An e-mail that mentions the use of your photo in a magazine and carries an attachment named article_december_3621.exe.
Who is at risk: Windows users who may have unknowingly installed Sony DRM software when playing a Sony CD.
How it works
Breplibot.c arrives as an e-mail with the following message or a similar one:
Hello,
Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.
Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************
"The Professional Development Institute"
**********************************************
The attached file is named article_december_3621.exe and is 10,240 bytes long.
When executed, Breplibot.c copies itself to the Windows system directory as $SYS$DRV.exe. Because the Sony DRM software already on the system hides any file whose name begins with $sys$, this malicious file may be hidden from view as well.
Breplibot.c creates the following registry entries:
[HKEY_LOCAL_MACHINE]
WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj"="$SYS$DRV.EXE
[HKEY_LOCAL_MACHINE]
WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj"="$SYS$DRV.EXE
According to Trend Micro, WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj corresponds to Software\Microsoft\Windows\CurrentVersion\Run.
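The obfuscated key above and the $sys$ cloaking described earlier can both be checked with a short script. This is an added example, not code from CNET or Trend Micro; the single-byte XOR-with-4 relation between the printed string and the real registry path is inferred from the page's own string rather than stated by it, and the Run-key dump is constructed.

```python
# Added example (not from the CNET advisory): decode the obfuscated registry
# path quoted in the article and flag Run-key entries that use the "$sys$"
# prefix the Sony DRM rootkit cloaks. The XOR-with-4 relation is inferred
# from the page's string; the sample Run-key dump below is constructed.

XOR_KEY = 4  # inferred: each character of the printed key XORed with 4

# Obfuscated key as printed in the advisory, and the path Trend Micro maps it to.
OBFUSCATED_RUN_KEY = "WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj"
EXPECTED_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def decode_xor(text: str, key: int = XOR_KEY) -> str:
    """Undo the single-byte XOR the sample applies to its registry path."""
    return "".join(chr(ord(c) ^ key) for c in text)


def encode_xor(text: str, key: int = XOR_KEY) -> str:
    """XOR is its own inverse, so encoding is the same operation as decoding."""
    return decode_xor(text, key)


def find_cloaked_run_entries(run_values: dict) -> list:
    """Return (name, command) pairs whose value name or executable starts with "$sys$".

    The Sony DRM driver hides files and objects whose names begin with "$sys$",
    so a Run entry using that prefix is a strong indicator worth investigating.
    """
    hits = []
    for name, command in run_values.items():
        exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if name.lower().startswith("$sys$") or exe.lower().startswith("$sys$"):
            hits.append((name, command))
    return hits


# Constructed sample of HKLM\...\Run values, as a registry export might list them.
SAMPLE_RUN_VALUES = {
    "SynTPEnh": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    "$SYS$DRV": "$SYS$DRV.EXE",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    print("decoded key:", decode_xor(OBFUSCATED_RUN_KEY))
    for name, cmd in find_cloaked_run_entries(SAMPLE_RUN_VALUES):
        print(f"suspicious Run entry: {name} -> {cmd}")
```

On a live system the dictionary would be filled from an offline registry hive or from a tool run outside the cloaked environment, since the rootkit hides $sys$ objects from normal Windows APIs.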
The backdoor component of Breplibot.c then tries to connect to one of several hard-coded IRC servers (the original advisory listed five IP addresses).
Once connected, Breplibot.c opens TCP port 8080, joins the IRC channel #sony, and waits for additional instructions.
Prevention
Sony BMG has a site with instructions for removing its Sony DRM software from your PC. The Electronic Frontier Foundation has posted a list of Sony CDs known to install the Sony DRM software.
Removal
A few antivirus software companies have updated their signature files to include this threat. For more information, see Symantec and Trend Micro.
