Free Republic

To: AppyPappy
I don't know that there is a way to tell without some serious digging. The article was written by a fellow who knows more about Windows than just about anyone on the planet, and he had to do some serious digging to find it.

Of course, now that he has told us what to look for, it makes things a lot easier for us. I'd strongly recommend getting a Knoppix boot disk and using that to look for directories or files that start with “$sys$”. That's the easiest thing you can do IMO, though I can't really call myself any kind of Windows guru anymore because I avoid it like the plague.

Automated tools to find this particular corporate back door are going to be moderately problematic, as the rootkit hides itself by modifying Windows APIs. You have to be able to boot from a known good kernel to check things out. Virus scanners aren't going to be able to do this unless they load before the targeted APIs.

Simple solution: dump windows. Unfortunately, that's the only way to be reasonably safe from this stuff.

52 posted on 11/02/2005 7:35:01 AM PST by zeugma (Warning: Self-referential object does not reference itself.)


To: zeugma
Automated tools to find this particular corporate back door are going to be moderately problematic, as the rootkit hides itself by modifying Windows APIs.

Wouldn't it actually be very easy to test for? Something like:

@echo off
rem create a canary file whose name starts with the prefix the rootkit hides
echo Hey >c:\$sys$zzz.txt
rem if the directory listing no longer shows it, the filter is active
if not exist c:\$sys$zzz.* echo Uh oh...
del c:\$sys$zzz.txt
I haven't used any Sony CDs, so I can't test the above, but based on the descriptions it would seem like it should work.
85 posted on 11/10/2005 8:06:45 PM PST by supercat (Don't fix blame--FIX THE PROBLEM.)
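A generalised form of the canary test in this post, written here as an added example (it is not supercat's script and not from any tool mentioned in the thread): it creates a file carrying the `$sys$` prefix, asks several directory views whether they list it, and reports which views do not. The temporary directory, the `canary.txt` name and the `simulated_hiding_view` stand-in for a hooked listing call are assumptions for illustration.

```python
import glob
import os
import tempfile

PREFIX = "$sys$"  # name prefix the thread says the rootkit conceals

def view_listdir(directory):
    return set(os.listdir(directory))

def view_scandir(directory):
    with os.scandir(directory) as entries:
        return {entry.name for entry in entries}

def view_glob(directory):
    return {os.path.basename(p)
            for p in glob.glob(os.path.join(glob.escape(directory), "*"))}

# Each view lists the directory through a different Python entry point.
DEFAULT_VIEWS = {"listdir": view_listdir, "scandir": view_scandir, "glob": view_glob}

def simulated_hiding_view(directory):
    # Constructed stand-in for a hooked listing call: it drops every name
    # carrying the prefix, which is the behaviour the thread describes.
    return {n for n in os.listdir(directory) if not n.startswith(PREFIX)}

def canary_test(directory, prefix=PREFIX, views=None):
    """Write prefix+'canary.txt' into directory, ask every view whether it
    lists that name, delete it again, and return {label: seen}."""
    views = DEFAULT_VIEWS if views is None else views
    name = prefix + "canary.txt"
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("canary\n")
    try:
        return {label: name in view(directory) for label, view in views.items()}
    finally:
        os.remove(path)  # same clean-up the batch script does with del

def hidden_from(results):
    """Labels of the views that did not show the canary; empty on a clean box."""
    return sorted(label for label, seen in results.items() if not seen)

def run_in_tempdir(views=None):
    # A throwaway directory instead of C:\ keeps the check safe to run anywhere.
    with tempfile.TemporaryDirectory() as tmp:
        return canary_test(tmp, views=views)

if __name__ == "__main__":
    missing = hidden_from(run_in_tempdir())
    print("canary hidden from:", ", ".join(missing) or "no view (no prefix filter seen)")
```

All three views end in the same operating-system directory-enumeration call, so a hook at that level blanks them all at once and a clean result only covers the code paths actually exercised. That limitation is why the earlier post recommends checking the disk from a Knoppix boot instead of from inside the running Windows.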
