We have quietly released a new definition set for CounterSpy that decloaks the Sony rootkit. This means that it gets rid of the driver (Aries.sys) that gives the Sony DRM functionality its hidden rootkit capabilities. This is the same thing that Windows Antispyware is doing.

However, it does not remove the Sony DRM files themselves, as doing so can wreak havoc by causing the CD drive to become inoperable (thanks Sony). Note that the Sophos uninstaller also just does a decloaking.


I’m not aware of any utility that actually removes these DRM files (not just decloaking).  Microsoft has announced that their Malicious Software Removal tool will remove it, but I suspect it will also be just a decloaking.

Sony provides no way for their DRM files to be removed through Add/Remove programs.  Instead, one has to go to their website to do a full uninstall or go through a cumbersome manual uninstall.
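One way to confirm on a machine that the decloaking step actually took effect, as an added check that is not Sunbelt's or CounterSpy's own code; the driver path under System32\drivers and the need for administrative rights are assumptions:

```powershell
# Added check (not part of the original post or of CounterSpy): after the
# definition update runs, verify that the cloaking driver (Aries.sys) is neither
# registered as a kernel driver nor still on disk.
# Assumptions: the image lives under System32\drivers (assumed path), and the
# script runs with administrative rights on the affected machine.

$driverName  = 'aries.sys'
$assumedPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"

# 1. Is a kernel driver whose image is aries.sys still known to the Service Control Manager?
$registered = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -match [regex]::Escape($driverName)) }

# 2. Is the driver image still present at the assumed location?
$onDisk = Test-Path -LiteralPath $assumedPath

if ($registered) {
    foreach ($d in $registered) {
        "Cloaking driver still registered: $($d.Name) (state: $($d.State), started: $($d.Started)) -> $($d.PathName)"
    }
} else {
    "No driver named $driverName is registered."
}

if ($onDisk) { "Driver image still present at $assumedPath" } else { "Driver image not found at $assumedPath" }

# Caveat: while the rootkit is still active it hides its own artifacts, so a
# "not found" result is only trustworthy once the decloaking has been applied.
# A clean result here also says nothing about the DRM files themselves, which
# CounterSpy, Windows Antispyware and the Sophos tool all leave in place.
```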

CounterSpy 1.5/CounterSpy Enterprise 1.5: Definition 261

CounterSpy 1.0: Definition 256

Alex Eckelberry

11/30 UPDATE: Kelly Mackin over at Computer Associates pinged me to let me know that PestPatrol removes the Sony rootkit.

They remove:

  • The Rootkit itself (that’s the part that hides files)
  • The installer
  • The patch installer
  • The media player

So, as far as I know, they are the only ones that actually remove the rootkit completely.   All others (including the Sophos tool and our own CounterSpy) “decloak” it, meaning to expose it so it’s no longer acting as a rootkit.  

While I’m not supposed to be thrilled to promote a competitor, I have to give them grudging respect for this feat, no small technical challenge. 

Link here.

Alex Eckelberry