Controversial copy-protection software used by music publisher Sony BMG on music CDs appears to have tapped an open-source project, raising questions about copyrights, software experts said on Friday.

The XCP program, developed by British software firm First4Internet and used by Sony BMG to restrict copying and sharing of music CDs, is already highly controversial because it acts like virus software and hides deep inside a computer where it leaves the backdoor open for malicious hackers.

Sony BMG earlier this week said it would recall some 4.7 million CDs with the software, after the discovery of the first computer viruses last week that took advantage of the weakness.

The XCP program installs itself on Windows-based personal computers when consumers play one of 49 different titles from Sony BMG on their PCs.

The program also forces consumers to use a specific music player that comes with the program.

That music player contains components from an open-source project, an MP3 player called LAME, it emerged.

"Multiple software components on the CD have references to the LAME open source MP3 code," Finnish software developer Matti Nikki said in an e-mail.

After unraveling the code, others found similar evidence.

"We can confirm that at least 5 functions in the XCP software are identical to functions in LAME," said Thomas Dullien at security software firm Sabre Security in Bochum, Germany, which specializes in the analysis of complex software.

Open-source software, if used, needs to be identified as such, so that it can be freely shared with others. Developers on Slashdot.org and other Internet bulletin boards could not find an open-source reference in the copy-protection software.

[Slashdot did post an article, however, arguing that software written by 'DVD Jon' Lech Johansen, the Norwegian teenager famous for cracking DVD copy protections, had made its way without permission into the XCP code.]

If open-source software is tightly integrated into a single executable program, the whole application has to become open-source software, even open-source software such as LAME whose MP3 encoder is licensed under the more relaxed Lesser General Public License (LGPL), a lawyer said.

"That's the flipside of open source: If you don't respect the open-source rules, the old regime of copy protection comes back in full force," said attorney and Internet specialist Christiaan Alberdingk Thijm at law firm SOLV in the Netherlands.

There was LAME and other LGPL code in the program, and significant amounts were tightly integrated into the executable program, Saber Security said.

"We can confirm the existence of significant amounts of code from FAAC (which is LGPL) in the executable ... These functions are part of ECDPlayerControl.ocx, thus directly integrated into the executable," Dullien said in an e-mail.

First4Internet, which sold the XCP software program used by Sony BMG on its CDs, declined to comment after repeated requests since Monday.

Sony BMG, which also declined to comment, has positioned itself as a defender of artists' rights.

It re-emphasized last week that copy-protection software is "an important tool to protect our intellectual property rights and those of our artists."

Responding to public outcry over the unsecure software, the record company, a joint venture by Japanese electronics conglomerate Sony Corp. (SNE) and Germany's Bertelsmann AG said last week it would temporarily suspend the manufacture of music CDs containing XCP technology.

Microsoft's anti-virus team said earlier on Tuesday it would add a detection and removal mechanism to rid a PC of the Sony DRM copy-protection software because it jeopardized the security of Windows computers.

Sony BMG last week was targeted in a class-action lawsuit complaining it had not disclosed the true nature of its copy-protection software.