RookitRevealer findings.

Schalldampfer · 11-10-05, 08:03 PM

After hearing so much about the Sony's DRM troubles, I thought I'd give the RootKitRevealer a try, and this is what it found:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Rei nstall\€ 10/16/2005 6:08 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf 40 11/10/2005 4:45 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\User Name\Local Settings\Temp\plugtmp\Map.xml 11/10/2005 7:45 PM 14.88 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\User Name\Local Settings\Temp\plugtmp\parameters.xml 11/10/2005 7:45 PM 569 bytes Visible in Windows API, but not in MFT or directory index.

But, since I'm a complete newbie at this... I don't know what kind of action I should take. Advices will be greatly appreciated. Thanks.

Captain Newbie · 11-10-05, 08:15 PM

This article has very complete information on the Sony DRM rootkit.

Schalldampfer · 11-10-05, 08:57 PM

Quote:

Originally Posted by Captain Newbie

This article has very complete information on the Sony DRM rootkit.

Thanks for the article, but I'm looking for some help on my system, and I have no Sony music CD's that are recent.

klingens · 11-11-05, 01:44 AM

No, you don't have a rootkit installed.

Schalldampfer · 11-11-05, 08:38 PM

Thanks for the assurance, Klingens, but how did you find that out?

klingens · 11-12-05, 01:52 PM

For starters, none of the displayed file is an executable. No driver in there either. And tmp files which are visible from DosFindFile but not in the MFT, are files which are currently open, but not saved/closed before. Especially since they're in temp folders...
And it's really hard to hide data in registry keys that are 0 bytes in length.

Last but not least: a rootkit is bigger than 15kB over all.

Any more questions?

11-10-05, 08:03 PM	Thread Starter #1
Schalldampfer Member Join Date: Sep 2004 Location: Under a ceiling.	RookitRevealer findings. After hearing so much about the Sony's DRM troubles, I thought I'd give the RootKitRevealer a try, and this is what it found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Rei nstall\€ 10/16/2005 6:08 PM 0 bytes Key name contains embedded nulls (*) HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf 40 11/10/2005 4:45 PM 0 bytes Hidden from Windows API. C:\Documents and Settings\User Name\Local Settings\Temp\plugtmp\Map.xml 11/10/2005 7:45 PM 14.88 KB Visible in Windows API, but not in MFT or directory index. C:\Documents and Settings\User Name\Local Settings\Temp\plugtmp\parameters.xml 11/10/2005 7:45 PM 569 bytes Visible in Windows API, but not in MFT or directory index. But, since I'm a complete newbie at this... I don't know what kind of action I should take. Advices will be greatly appreciated. Thanks.
	QUOTE Thanks

11-10-05, 08:15 PM	#2
Captain Newbie Senior Django-loving Member Join Date: Jan 2004 Location: Right seat with a bored "don't kill me" expression	This article has very complete information on the Sony DRM rootkit. __________________ B.S. Computer Science, B.A. Political Science \| Commercial Pilot Airplane Single and Multiengine Land, Instrument Airplane "And, while with silent lifting mind I've trod The high untresspassed sanctity of space Put out my hand, and touched the face of God." Strong * Focused * Safe Apple Mac Pro 4,1, Two Nehalem Xeons 2.26GHzx4 (Hyperthreaded), 12 GB DDR3 FBDRAM \| MacBook Pro 15" (2009)
	QUOTE Thanks

11-11-05, 01:44 AM	#4
klingens Member Join Date: Apr 2002 Location: Xanadu	No, you don't have a rootkit installed.
	QUOTE Thanks

11-11-05, 08:38 PM	Thread Starter #5
Schalldampfer Member Join Date: Sep 2004 Location: Under a ceiling.	Thanks for the assurance, Klingens, but how did you find that out?
	QUOTE Thanks

11-12-05, 01:52 PM	#6
klingens Member Join Date: Apr 2002 Location: Xanadu	For starters, none of the displayed file is an executable. No driver in there either. And tmp files which are visible from DosFindFile but not in the MFT, are files which are currently open, but not saved/closed before. Especially since they're in temp folders... And it's really hard to hide data in registry keys that are 0 bytes in length. Last but not least: a rootkit is bigger than 15kB over all. Any more questions?
	QUOTE Thanks

RookitRevealer findings.

Internet Services

Website Development

Tech Hardware

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search