Sony BMG has settled two more lawsuits over CDs sold by the company that included a hidden copy-protection program that opened their computers to hackers and viruses. The company announced on Tuesday it will pay $1.5 million US and pay thousands more in customer refunds after settling lawsuits in California and Texas. The settlements come months after Sony settled with Canadian consumers over the CDs containing one of two types of copyright protection software — MediaMax or XCP.

The copy protection software, called Extended Copy Protection or XCP, is installed when the CD is put into a computer. The program uses a technique called a rootkit to hide the fact that it is running, making it more difficult to disable.

Security experts say the Sony program wasn't itself harmful. However, the program remains active on the computer even when the CD isn't being played and at least one computer virus has been written to hide behind the same cloak.

The technology was also able to read and transmit IP addresses, thereby identifying the user and sending personal information back to Sony BMG.

Philippa Lawson, executive director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC), said in September the music company could then use that information to go after illegal file-sharers in Canada.

Three separate suits were filed in Canada. The first lawsuit, affecting customers in every province except British Columbia and Quebec, was settled in September. The other two provinces reached settlements later in the year.

Under terms of the separate U.S. settlements, Sony will pay $750,000 to each of the states in civil penalties and costs and reimburse customers whose computers were damaged during attempts to uninstall the software.

"Companies that want to load their CDs with software that limits the ability to copy music should fully inform consumers about it, not hide it, and make sure it doesn't inflict security vulnerabilities on computers," California Attorney General Bill Lockyer said in a statement.

Internet security company Websense Inc. on Tuesday said it had found a password-stealing computer virus that spreads through the popular Skype voice-over-internet protocol (VoIP) communications software. The Trojan horse sends a message through the Skype Chat text-based instant messaging tool and asks the recipient to download a file named sp.exe. If a user complies, the virus downloads Skype programming code and new versions of itself from the internet and tries to steal passwords, Websense's security alert said.

A Trojan horse is a program that appears to perform one function in order to hide a malicious one. Like the mythological Trojan horse such programs are named after, the deception tricks people into granting them access. But the risk posed by the Trojan does not stem from any security flaw in Skype, Websense said, noting that the VoIP program properly forces any attempts to gain access to it to be authorized by the user.

"There is no vulnerability in Skype at this time that has been uncovered," Websense's security alert said.

Websense said the sites that the Trojan uses to download the Skype code and new versions of itself were offline on Tuesday.

The security firm first reported the threat on its security blog on Monday but mistook the Trojan for a worm. A worm is a type of virus that copies and spreads itself.

The initial infections appeared to be in the Asia-Pacific region, particularly in South Korea, Websense said.