[prev in list] [next in list] [prev in thread] [next in thread] 

List:       dmca-discuss
Subject:    [DMCA_Discuss] Beastie Boys CD installs virus
From:       Jei <jei () cc ! hut ! fi>
Date:       2004-06-25 15:27:54
Message-ID: Pine.LNX.4.58.0406251827280.3591 () random ! hut ! fi
[Download RAW message or body]

http://www.theregister.co.uk/2004/06/23/beastie_boy_cd_virus/

Beastie Boys CD installs virus
By Thomas C Greene
Published Wednesday 23rd June 2004 11:18 GMT

A new Beastie Boys' CD called "To the Five Boroughs" (Capitol Records), is
raising hackles around the Web for reputedly infecting computers with a
virus.

According to a recent thread at BugTraq, an executable file is
automatically and silently installed on the user's machine when the CD is
loaded. The file is said to be a driver that prevents users from ripping
the CD (and perhaps others), and attacks both Windows boxen and Macs.

The infected CD is being distributed worldwide except in the USA and UK,
which prevents us from giving a firsthand report. However, according to
hearsay, we gather that the Windows version exploits the 'autorun' option,
and that the Mac version affects the auto play option.

On Windows, when a CD is loaded, a text file called autorun.inf is read,
and any instructions within it are executed. In this case, the machine is
instructed to install some manner of DRM driver that prevents copying. We
haven't seen either the .inf file or any of the executables, so we can't
say how or at what level it accomplishes this - or if indeed it actually
does accomplish this.

But assuming that the unconfirmed reports are accurate, we have here a
media company infecting users' machines silently with a file that affects
a computer's functionality, without first obtaining informed consent: a
likely violation of pretty much every jurisdiction's anti-hacking laws.
It's possible to foresee criminal charges being brought at some point:
after all, having a good reason for spreading malware has never been much
of a defence in court. And a file that alters a computer's functioning
without the owner's informed consent is the very definition of malware.
Because this malware can be transferred from machine to machine on a
removable disk, and requires user interaction to spread, it is, quite
simply, a computer virus. (A worm, on the other hand, is distinguished by
its ability to spread without user interaction.)
CD virus protection

Let's look at the ways this autorun business can be defeated. It's quite
easy to disable autorun in Windows by holding down the Shift key when
loading a CD. Unfortunately, this has to be done each time the CD is
played. However, it's easy to insert the CD once with the Shift key
depressed, and then simply rip the tracks to the hard disk. You can then
use the CD in other devices, and listen to your corresponding MP3s or
whatever on your computer.

You can also disable the autorun "feature" on your Windows machine
permanently so that this and other CDs infected with viruses won't affect
you in the future.

To do this, go to the Start menu ==> Run, and type in the command regedit.
Your registry editor will launch. Navigate to the following key, and edit
as shown:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDRom and set Autorun
DWORD=0

It might be necessary to create the value, thus: Data Type: DWORD Value
Name: Autorun Value: 0

As usual, you must reboot your Windows box for the changes to take effect.
Disinfection

The above procedure assumes that you haven't previously installed the
suspected Capitol Records virus, or a similar one from another fine
entertainment conglomerate. But if you have, you will need to find and
uninstall the malware first. The autorun.inf file on the CD will likely
indicate the name of the relevant file(s), the locations where they're
installed, and any registry changes made.

Armed with that information, go to the Windows 'uninstall' utility:

Start menu ==> Settings ==> Control Panel ==> Add or Remove Programs ==>
Change/Remove.

Look for any program files referenced in the autorun.inf file and
uninstall them. If no related programs are listed, you will need to launch
the Windows Search Companion and search for any files named in the
autorun.inf file and delete them manually. Be sure to activate the options
in the "more advanced features" dialog allowing you to search the entire
disk (search system folders, search hidden folders, and search
subfolders).

Now, a word of caution: if the Capitol Records virus has updated a library
file or driver, deleting it might affect your system's functioning, and
you might need to re-install Windows to put things right again. (Carefully
log the time needed to do this and include it in your criminal complaint.)
However, deleting a foreign executable file is safe, so long as it's not
one you actually need. So be careful about file name spellings so that you
don't accidentally delete an important file that's spelt similar to the
one you wish to be rid of. ®

Thomas C Greene is the author of Computer Security for the Home and Small
Office, a comprehensive guide to system hardening, malware protection,
online anonymity, encryption, and data hygiene for Windows and Linux.

_______________________________________________

USC Title 17 Sec. 107. - Limitations on exclusive rights: Fair use 

This material is distributed to those who have expressed a prior interest in \
receiving the included information for research and educational purposes.

------------------------
http://www.anti-dmca.org
------------------------

DMCA_Discuss mailing list
DMCA_Discuss@lists.microshaft.org
http://lists.microshaft.org/mailman/listinfo/dmca_discuss


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic