The software is hard to remove from a PC without causing damage and can be used to hide malicious code; antivirus vendors warned on Thursday afternoon the first malicious software to exploit it has been found.
The discovery of Sony's CD rootkit kicked off a furor, but the company has not said which CDs contain the DRM protection.
According to the EFF, the following CDs contain the DRM in question:
• Trey Anastasio, Shine (Columbia)
• Celine Dion, On ne Change Pas (Epic)
• Neil Diamond, 12 Songs (Columbia)
• Our Lady Peace, Healthy in Paranoid Times (Columbia)
• Chris Botti, To Love Again (Columbia)
• Van Zant, Get Right with the Man (Columbia)
• Switchfoot, Nothing is Sound (Columbia)
• The Coral, The Invisible Invasion (Columbia)
• Acceptance, Phantoms (Columbia)
• Susie Suh, Susie Suh (Epic)
• Amerie, Touch (Columbia)
• Life of Agony, Broken Valley (Epic)
• Horace Silver Quintet, Silver's Blue (Epic Legacy)
• Gerry Mulligan, Jeru (Columbia Legacy)
• Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
• The Bad Plus, Suspicious Activity (Columbia)
• The Dead 60s, The Dead 60s (Epic)
• Dion, The Essential Dion (Columbia Legacy)
• Natasha Bedingfield, Unwritten (Epic)
The EFF says it is likely that other CDs also contain the application, although Sony told ZDNet UK last week that discs containing this DRM software had not been distributed in the U.K.
The EFF took a dim view on Sony's actions. "Entertainment companies often complain that fans refuse to respect their intellectual property rights. Yet tools like this refuse to respect our own personal property rights," EFF staff attorney Jason Schultz said in a statement.
"Sony's tactics here are hypocritical, in addition to being a security threat," Schultz added.