Systems that don't have the Sony rootkit installed have little to fear as
their existing anti-virus software is likely to spot and smother the threat.
Sony has shipped about 2 million audio CDs with the XCP technology. There is no
data to determine how many of those have been used on Windows computers, but the
limited number of shipped CDs caused McAfee to rate the trojan's threat level as
"low".
In theory, the rootkit should help the worm dodge detection by virus-scanning
software. However, the worm's authors made several design errors that will
prevent it from causing any real harm, said antivirus provider F-Secure.
"If the Sony DRM rootkit is active (hiding) in the system during infection,
the bot will not run at all. Moreover, the bot cannot survive a reboot because
of a programming error," said F-Secure's Mika Pehkonen.
Sony has always maintained that its DRM technology is harmless and, despite
widespread criticism from the security community, claims that it doesn't have
any security risks associated with it. Vnunet.com was unable to reach the firm.
Its media relations department doesn't answer the phone and the number's
voicemail box has been disabled.
This worm, however, proves the record label wrong. "This is a very good example
of why software should not use rootkit hiding techniques," said Pehkonen.
Sophos has promised to issue a tool later today which will permanently
disable the Sony copy protection software and allow antivirus engines to delete
the malware.
Cluley stressed that Sophos will support the technology when Sony comes up
with a copy protection system that does not leave such a "massive backdoor" on
users' machines.
Other companies have also reacted against the Sony DRM software. Computer
Associates has blacklisted the code, which it defines as a Trojan horse, and
computer experts have also been highly critical of the software.
The DRM code was developed for Sony by UK firm First 4 Internet.
Silicon Valley Sleuth: Sony, yoo-hoo! Would a trojan qualify as a security threat?