
Viruses that use Sony CDs continue to spread

A new variant of the Ryknos Trojan has appeared that uses the rootkit shipped on some Sony CDs to hide itself on infected computers.

The most dangerous feature of the Ryknos.B Trojan is how effectively it can hide on infected PCs. It does this chiefly by hiding behind the rootkit program shipped on some of Sony's CDs, so it often remains invisible even to antivirus software. The best defence against this Trojan is prevention, because once it is on a PC it is very difficult to remove.

Ryknos.B opens a backdoor on infected computers, allowing attackers to access information and download and run files.

Other known names for Ryknos.B are Troj/Stinx-F (Sophos), BKDR_BREPLIBOT.D (Trend Micro) and Breplibot.C (F-Secure).

When Ryknos.B starts, it performs the following actions:

1. Copies itself to the Windows System directory as $sys$xp.exe.

2. Uses the XCP software from the Sony CDs to hide the changes it makes to the registry.

3. Creates two mutexes so that only one instance runs at a time.

4. Adds the value
"$sys$cmp" = "$sys$xp.exe"
to the registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

5. Sends a notification over TCP port 8080.

6. Adds itself to the list of trusted applications of the Windows built-in firewall.

7. Opens a backdoor over IRC through which attackers can perform the following actions:
- collect system information about the infected PC
- download and execute files.
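As an added example (not code from the original article or from any vendor), the scan below reads a .reg-style registry export and flags the autostart and firewall-exception entries the list above describes, keyed on the "$sys$" name prefix that the XCP rootkit cloaks. Because the rootkit hides such names from the running system's own tools, the export should be taken from an offline or clean-boot view of the hive; the sample export, the benign SoundMAX entry and the firewall value data are constructed, and the firewall exception key path is the known Windows XP SP2 location, not something the article names.

```python
import re
from typing import List, Tuple

# Constructed .reg-style export (not a real capture) mimicking the entries the
# article attributes to Ryknos.B; a benign entry is included to show it is skipped.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"$sys$cmp"="$sys$xp.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$sys$cmp"="$sys$xp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\$sys$xp.exe"="C:\\WINDOWS\\system32\\$sys$xp.exe:*:Enabled:$sys$xp"
"""

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
# Windows XP SP2 firewall exception list (known location; not named in the article).
FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                     r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
CLOAK_PREFIX = "$sys$"  # XCP cloaks names with this prefix, so an on-box scan may miss them

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')

def find_sys_indicators(reg_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value_name, value_data, reason) for each suspicious entry."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)  # section header: remember which key we are in
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        name, data = m.group(1), m.group(2).strip('"')
        tainted = CLOAK_PREFIX in name or CLOAK_PREFIX in data
        if current_key in RUN_KEYS and tainted:
            findings.append((current_key, name, data, "autostart entry using XCP cloak prefix"))
        elif current_key == FIREWALL_LIST_KEY and tainted:
            findings.append((current_key, name, data, "firewall exception for cloaked binary"))
    return findings

if __name__ == "__main__":
    for key, name, data, reason in find_sys_indicators(SAMPLE_REG_EXPORT):
        print(f"{reason}: [{key}] {name} = {data}")
```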
