RTKT_XCP.A

Type: Hacking Tool

In the wild: No

Destructive: No

Language: English

Systems affected: Windows 98, ME, 2000, XP, Server 2003

Encrypted: No

Overall risk rating: Low

Reported detections: Low

System impact: High

Information exposure: Low

Description:

This hacking tool is a valid Digital Rights Management (DRM) software package developed by First 4 Internet Ltd. This software package is included as a copy protection mechanism for certain audio compact discs distributed by Sony BMG.

It works by applying a relatively new technology called rootkit technology. Rootkits are used to hide system information, such as running processes, files, or registry entries.

As a standalone application, it is non-malicious. However, certain malware applications use it to hide malicious files and autostart registry keys on the affected machine, thus making detection more difficult. As of this writing, the malware that utilize this tool are as follows:

The rootkit is installed in the $sys$filesystem subfolder in the Windows system folder using the file name ARIES.SYS. The said rootkit is then executed as a service by an installation package and is configured to execute at every system startup.

When active, it hides files, folders, and registry keys beginning with the string $sys$ in the Windows operating system. The mentioned routine prevents an affected user from viewing all files, folders, and registry keys that begin with the said string.

First 4 Internet Ltd has released a software update to remove this hacking tool. The update is available for download at http://updates.xcp-aurora.com/.

Description created: Nov 17, 2005

Revision history:
  Nov 17, 2005 - Modified Virus Report
  Nov 18, 2005 - Added Automatic Removal Instructions for Windows 2000, XP, and Server 2003
  Nov 25, 2005 - Added fix tool



TECHNICAL DETAILS



Initial samples received on:  Nov 12, 2005

Installer name: XCP Content Management

Author/Publisher: First 4 Internet Ltd

File type: PE

Memory resident: Yes

File size: 6,400 Bytes

Related to: BKDR_BREPLIBOT.C, BKDR_BREPLIBOT.D

Payload 1: Others

Payload Detail 1: Hides certain files, folders, and registry keys

Details:

This hacking tool is a valid Digital Rights Management (DRM) software package developed by First 4 Internet Ltd. This software package is included as a copy protection mechanism for certain audio compact discs distributed by Sony BMG.

This tool works by applying a relatively new technology called rootkit technology. Rootkits are used to hide system information, such as running processes, files, or registry entries.

As a standalone application, it is non-malicious. However, certain malware applications use it to hide malicious files and autostart registry keys on the affected machine, thus making detection more difficult. As of this writing, the malware that utilize this tool are as follows:

The rootkit is installed in the $sys$filesystem subfolder in the Windows system folder using the file name ARIES.SYS. The said rootkit is then executed as a service by an installation package and is configured to execute at every system startup. It does the said routine by creating the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$aries

When active, it hides files, folders, and registry keys that begin with the string $sys$ in the Windows operating system. The mentioned routine prevents an affected user from viewing any files, folders, and registry keys that begin with the said string.

First 4 Internet Ltd has released a software update to remove this hacking tool. The update is available for download at http://updates.xcp-aurora.com/.

This hacking tool runs on Windows 98, ME, 2000, XP, and Server 2003.
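A defender-side check for the hiding routine and the install indicators described in this entry, added here as an example rather than Trend Micro's own tooling. It assumes the Windows system folder is %SystemRoot%\system32; the canary file and the helper names are my own.

```python
# Added example (not from the Trend Micro entry): defender-side checks for the $sys$
# cloaking and indicators described above; canary and helper names are my own.
import os
import sys
import tempfile

CLOAK_PREFIX = "$sys$"  # names starting with this vanish from enumeration while active
ROOTKIT_FILE = os.path.join("$sys$filesystem", "ARIES.SYS")  # relative to the system folder
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\$sys$aries"  # autostart key from the page

def names_cloaked(listing, expected):
    """Return the $sys$-prefixed names in `expected` that `listing` failed to show;
    a name known to exist but absent from an enumeration matches the rootkit's filtering."""
    seen = set(listing)
    return sorted(n for n in expected if n.startswith(CLOAK_PREFIX) and n not in seen)

def canary_cloak_check(directory=None):
    """Create a $sys$-prefixed canary file and report whether it vanishes from
    os.listdir().  True means directory enumeration is being filtered."""
    if directory is None:
        with tempfile.TemporaryDirectory() as tmp:
            return canary_cloak_check(tmp)
    path = os.path.join(directory, CLOAK_PREFIX + "canary.txt")
    with open(path, "w", encoding="ascii") as fh:  # a successful create proves it exists
        fh.write("canary")
    try:
        return bool(names_cloaked(os.listdir(directory), [os.path.basename(path)]))
    finally:
        os.remove(path)

def rootkit_file_present(system_dir=None):
    """Check the exact install path from the page (assumes %SystemRoot%/system32 when
    no system_dir is given; None means not a Windows host).  Pair with canary_cloak_check()."""
    if system_dir is None:
        root = os.environ.get("SystemRoot")
        if root is None:
            return None
        system_dir = os.path.join(root, "system32")
    return os.path.exists(os.path.join(system_dir, ROOTKIT_FILE))

def service_key_present():
    """Open the $sys$aries service key by name (Windows only; None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY):
            return True
    except OSError:
        return False
```

A positive canary result on a Windows host, combined with the service key or ARIES.SYS being present, is the condition the removal steps below address.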


Analysis by:  Michael Stephen Tonido

Updated by: Zeus M. Laguerta



SOLUTION


Minimum scan engine version needed: 7.100

Download the latest scan engine

Virus pattern version needed: 8.335.00

Pattern release date: Aug 5, 2011

DCE version needed: 3.9

DCT version needed: 677.06

Pattern release date: Nov 18, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Note: To fully remove all associated malware, perform the clean solutions for the following:

The succeeding procedures remove only the component file aries.sys from the system; they do not remove the entire Digital Rights Management (DRM) software package.

AUTOMATIC REMOVAL INSTRUCTIONS

(Note: The DCT can only automatically remove this hacking tool on systems running on Windows 2000, XP, and Server 2003.)

To completely remove this hacking tool on Windows 98, download the special stand-alone fix tool. Refer to the README.TXT file included for further instructions.

IMPORTANT: After performing the automatic removal instructions, restart the system to fully delete any instance of this hacking tool.

MANUAL REMOVAL INSTRUCTIONS

Restarting in Safe Mode

• On Windows 98 and ME

  1. Restart your computer.
  2. Press the CTRL key until the startup menu appears.
  3. Choose the Safe Mode option then press Enter.

• On Windows 2000

  1. Restart your computer.
  2. Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows XP

  1. Restart your computer.
  2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows Server 2003

  1. Restart your computer.
  2. When you are prompted to select the operating system to start, press F8.
  3. On the Windows Advanced Option menu, use the arrow keys to select Safe Mode, and then press Enter.

Editing the Registry

This hacking tool modifies the system's registry. Users affected by this hacking tool may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  3. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Key from the Registry

Removing an autostart key from the registry prevents the hacking tool from executing at startup.

If the registry key below is not found, the hacking tool may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
  3. Still in the left panel, locate and delete the subkey:
    $sys$aries
  4. Close Registry Editor.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your system normally before performing the following solution.

Scan your system with Trend Micro antivirus and delete files detected as RTKT_XCP.A. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patches

This hacking tool exploits known vulnerabilities in the Digital Rights Management (DRM) software package. Download and install the fix patch supplied by Sony BMG. Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.
