Virus writers have already started to exploit Sony's controversial digital rights management software, which uses a rootkit to hide the code and ensure that the CDs are not copied.
A new Trojan, Troj/Stinx-E, has been mass-mailed to UK email addresses. The worm is a variant of what McAfee referred to as the Brepibot virus that was first discovered on April this year. BitDefender calls the new worm Backdoor IRC Snyd A and F-Secure Breplibot.B.
The new version has been altered to exploit a feature in the XCP digital rights management technology for Windows systems that comes bundled with several audio CDs from the Sony BMG record label. The software will automatically install the first time a user tries to play an infected audio CD on his computer's CD Rom drive.
In addition to digital rights manament technology, CD also installs a so-called root kit that hides files from the user and the system, including anti-virus software. Security experts have argued that it is extremely poorly engineered and that worm authors can exploit it by simply placing the characters "$sys$" in front of a file name.
The new variant of the Stinx trojan tries to do exactly that.
"Sony started off with the right intentions but did not recognise the implications of what it was doing," said Graham Cluley, senior technology consultant at Sophos.
"We've had companies calling up all day asking what to do with this. We feel sorry for the musicians; if you look on Amazon right now reviewers are telling people not to buy the album, not because of the music but because of the copy protection.