ID: IRCNE2011061159
Date: 2011-06-28
Computerworld - Microsoft is telling Windows users that they'll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine's boot sector.
A new variant of a Trojan Microsoft calls "Popureb" digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's Blog.
"If your system does get infected with Trojan: Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state," said Feng.
According to Feng, Popureb detects write operations aimed at the MBR -- operations designed to scrub the MBR or other disk sectors containing attack code -- and then swaps out the write operation with a read operation.
Although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed.
Feng provided links to MBR-fixing instructions for XP, Vista and Windows 7
Rootkits are often planted by attackers to hide follow-on malware, such as banking password-stealing Trojans. They're not a new phenomenon on Windows. In early 2010, for example, Microsoft contended with a rootkit dubbed "Alureon" that infected Windows XP systems. At the time, Microsoft's advice was similar to what Feng is now offering for Popureb.
- 2