[lotuseclat79]

How to use SpywareBlaster Tools Custom Blocking button to install protection against Sony's rootkit:

Launch SpywareBlaster v 3.4 (install new release if necessary from:
http://www.javacoolsoftware.com/spywareblaster.html)

Click on Tools in left-hand panel
Click on Custom Blocking button
Click on Add item
Name the new item: SONY
Click Ok
Use copy/paste to Insert CLSID: {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}
Check the SONY Item box
Click Protect Against Checked Items button
Exit SpywareBlaster (its protection is passive)

Reference: StevieO post #4 in Thread Re: Sony Rootkit and blocking F-4I's ActiveX control CodeSupport CLSID at: http://www.wilderssecurity.com/showt...591#post608591

-- Tom

[Stoner]

Good tip

Thanks

[Digidave]

Very nice!! Thanx!!

[Cheeseball81]

Nice tip

[jiml8]

Good tip.

[CarlssonMB]

Nice

I think Microsoft Anti Spyware users are getting that protection in a new update

[hewee]

Thanks I just added that to my list.

[JohnWill]

I do love it when monumentally stupid corporations get hammered with something like this.

[hewee]

Like to see a big class action where we win big bucks.

Make sony and others think twice next time they want to do anything like this to are PC's.

[lotuseclat79]

All,

I just ran across the Microsoft Security Response Center Blog which contains an important addition to my first post in this thread - an additional CLSID entry to make like the previous one:

Add: {80E8743E-8AC5-46F1-96A0-59FA30740C51}

to the previous entry. You can probably name it something like SONY1.

-- Tom


Reference: http://blogs.technet.com/msrc/

Hello readers, Mike Reavey here.

There has been a fair amount of attention around the ”Sony XCP software” over the last many days. As you may know from the anti-malware blog, Windows Defender and Windows AntiSpyware Beta have included detection and removal for the rootkit component of this software. However, there are also some questions regarding the Disabling ActiveXActiveX control that was released by Sony to allow the removal of the rootkit. It's been reported that this ActiveX control contains vulnerabilities. We wanted to remind customers that they can block any specific ActiveX control from running in Internet Explorer themselves. To do this, all that’s needed is setting a registry key
entry called a “kill-bit.” Information on how to do this is in the following KB: http://support.microsoft.com/kb/240797. Our investigation shows that this ActiveX control uses the CLSIDs of {80E8743E-8AC5-46F1-96A0-59FA30740C51} and
{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}. We'd like to remind customers that while they need to be careful when editing the registry, the kill-bit mechanism can help protect them from any risks associated with this ActiveX control. We’ll continue to monitor this issue and provide recommendations as they become available.
-Mike

*This posting is provided "AS IS" with no warranties, and confers no rights.*
posted Thursday, November 17, 2005 9:09 PM by stepto (Comments Off)