Rootkit Infection Requires Windows Reinstall, Says Microsoft

    Last Updated: 24 Jul 2013 at 10:51
    Microsoft is telling Windows users that they'll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine's boot sector.

    A new variant of a Trojan Microsoft calls "Popureb" digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog.

    "If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state," said Feng.

    A recovery disc returns Windows to its factory settings.

    Malware like Popureb overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.

    According to Feng, Popureb detects write operations aimed at the MBR -- operations designed to scrub the MBR or other disk sectors containing attack code -- and then swaps out the write operation with a read operation.

    Although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed.

    The driver component protects the data in an unusual way: by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick:

    1. It calls IoGetDeviceAttachmentBaseRef() to retrieve the bottom device object in the disk device stack, that is, the real physical disk device object.

    2. Then it hooks the DriverStartIo routine in the found device's DRIVER_OBJECT structure.

    3. The hooked DriverStartIo routine monitors the disk write operations: if it finds that a write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still report success; however, the data will never actually be written onto the disk.
    Read More:

    Rootkit Infection Requires Windows Reinstall, Says Microsoft | PCWorld
    Posted By: Borg 386
    28 Jun 2011
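The write-to-read swap quoted in the MMPC excerpt above can be modelled without touching the kernel. The following Python simulation is an added example, not code from the PCWorld article, the MMPC post or this thread: a toy disk with a StartIo-style dispatch, a hooked dispatch that turns writes aimed at protected sectors into reads (as Feng describes), and two clean-up checks. The naive check compares the read-back against the buffer it just passed and is fooled, because the converted read refilled that buffer with the old sector; the second check hashes the intended image before issuing the I/O. The Disk and HookedStartIo classes, the IRP_MJ_* names and the sector contents are constructed for this example and are not Windows APIs.

```python
"""Model of an MBR write that 'succeeds' without landing on disk, plus the
read-back check a cleaner needs. Constructed simulation, not kernel code."""
import hashlib

SECTOR_SIZE = 512
IRP_MJ_READ, IRP_MJ_WRITE = "IRP_MJ_READ", "IRP_MJ_WRITE"  # constructed labels
STATUS_SUCCESS = 0


def make_sector(label: bytes) -> bytearray:
    """Build a constructed 512-byte MBR image: label as stand-in bootstrap
    code, zeroed partition table, 0x55AA boot signature at offset 510."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(label)] = label
    sector[510:512] = b"\x55\xaa"
    return sector


def mbr_signature_ok(sector: bytes) -> bool:
    """Cheap sanity check on a sector 0 image before writing it back."""
    return len(sector) == SECTOR_SIZE and bytes(sector[510:512]) == b"\x55\xaa"


class Disk:
    """Toy block device standing in for the physical disk object."""

    def __init__(self, n_sectors: int = 8):
        self.sectors = [bytearray(SECTOR_SIZE) for _ in range(n_sectors)]

    def start_io(self, major: str, lba: int, buf: bytearray) -> int:
        # Stands in for the port driver's genuine DriverStartIo routine.
        if major == IRP_MJ_READ:
            buf[:] = self.sectors[lba]
        elif major == IRP_MJ_WRITE:
            self.sectors[lba][:] = buf
        return STATUS_SUCCESS


class HookedStartIo:
    """Models the hook the MMPC text describes: a write to a protected sector
    is handed to the original routine as a read. The caller still receives
    STATUS_SUCCESS, and its buffer now holds whatever was already on disk."""

    def __init__(self, original, protected_lbas):
        self.original = original
        self.protected = set(protected_lbas)

    def __call__(self, major: str, lba: int, buf: bytearray) -> int:
        if major == IRP_MJ_WRITE and lba in self.protected:
            major = IRP_MJ_READ
        return self.original(major, lba, buf)


def naive_write_check(start_io, lba: int, buf: bytearray) -> bool:
    """Write, read back, compare against the same buffer object. Under the
    hook the 'write' refilled buf with the old sector, so this is fooled."""
    start_io(IRP_MJ_WRITE, lba, buf)
    readback = bytearray(SECTOR_SIZE)
    start_io(IRP_MJ_READ, lba, readback)
    return readback == buf


def verified_write(start_io, lba: int, data: bytes) -> tuple:
    """Write and confirm the data landed: hash the intended image before the
    I/O, read the sector back into a fresh buffer, compare the hashes.
    Returns (status, landed)."""
    expected = hashlib.sha256(data).hexdigest()
    status = start_io(IRP_MJ_WRITE, lba, bytearray(data))
    readback = bytearray(SECTOR_SIZE)
    start_io(IRP_MJ_READ, lba, readback)
    return status, hashlib.sha256(bytes(readback)).hexdigest() == expected


def run_scenario(hooked: bool) -> dict:
    """Infected sector 0, then a clean-up attempt; report what each check says."""
    disk = Disk()
    disk.sectors[0] = make_sector(b"INFECTED BOOTSTRAP (constructed sample)")
    start_io = HookedStartIo(disk.start_io, protected_lbas=[0]) if hooked else disk.start_io
    clean = bytes(make_sector(b"CLEAN BOOTSTRAP (constructed sample)"))
    if not mbr_signature_ok(clean):
        raise ValueError("refusing to write an image without a boot signature")
    naive = naive_write_check(start_io, 0, bytearray(clean))
    status, landed = verified_write(start_io, 0, clean)
    return {
        "naive_check_says_clean": naive,
        "status": status,
        "verified_landed": landed,
        "sector0_is_clean": bytes(disk.sectors[0]) == clean,
    }


if __name__ == "__main__":
    for hooked in (False, True):
        print("hooked port driver" if hooked else "clean port driver", run_scenario(hooked))
```

In the hooked run the status code is still STATUS_SUCCESS and the naive check still says "clean"; only the independent read-back against a hash taken beforehand reports that sector 0 was never rewritten. That is the practical lesson behind the thread's advice to repair the MBR from a recovery environment: confirm the repair by reading the sector back from a boot where the infected driver is not loaded, rather than trusting the return status of the write.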



  1. Posts : 10,994
    Win 7 Pro 64-bit
       #1

    Good info, Borg. Thanks. But my one remaining brain cell has a question. According to the article, "If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state." Additional info is in the Microsoft blog. But when you go to the link System Recovery Options in Windows 7 it merely refers you to this article:

    What are the system recovery options in Windows 7?

    What is the proper way to fix the MBR prior to using a recovery CD or a recovery partition?


  2. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
    Thread Starter
       #2

    Yeah, I noticed that too marsmimar, in that it refers to the article, and that's it.

    I added a snippet of the code above.


  3. Posts : 10,455
    Microsoft Windows 7 Home Premium 64-bit Service Pack 1
       #3

    If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".
    From the same article.

    http://support.microsoft.com/kb/927392
    Last edited by kado897; 28 Jun 2011 at 08:40. Reason: Microsoft Bootrec.exe


  4. Posts : 10,994
    Win 7 Pro 64-bit
       #4

    kado897 said:
    If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".
    From the same article.

    How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows
    I saw that reference (to use fixmbr) and even went to the KB927392 article. But my one remaining brain cell became a bit confused when I read:

    To run the Bootrec.exe tool ... 1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.

    I don't have an installation disc. I have a recovery partition, recovery discs made after I brought my computer home, and a system repair disc that was created when I did my first system image. The system repair disc does have a Command Prompt option but if you need an installation disc to extract a clean MBR ....

    Hence, my confusion.


  5. Posts : 10,455
    Microsoft Windows 7 Home Premium 64-bit Service Pack 1
       #5

    Mmm yes. I see.


  6. Posts : 16,160
    7 X64
       #6

    You can do it from WinRE - that is on the 7 recovery disc - all OEM recovery discs (though some do not have access to a cmd prompt), and on the 7 install DVD.


  7. Posts : 10,455
    Microsoft Windows 7 Home Premium 64-bit Service Pack 1
       #7

    Thanks SIW2.


  8. Posts : 10,994
    Win 7 Pro 64-bit
       #8

    SIW2 said:
    You can do it from WinRE - that is on the 7 recovery disc - all OEM recovery discs (though some do not have access to a cmd prompt), and on the 7 install DVD.
    Sorry for being so dense but ...

    I have 4 recovery discs for my Sony VAIO. As soon as I start disc #1 I get a Sony dialog box that says something like the hard drive is going to be erased, backup all important data, when prompted insert disc #2, etc. As soon as I click OK the recovery process begins. No options that I can see to enter any command prompts or access any other repair options.

    Under these circumstances would you suggest I buy an OEM install disc just to have on hand in case of emergencies? If yes, would it make any difference if it does or does not have SP1? Again, my apologies.


  9. Posts : 10,455
    Microsoft Windows 7 Home Premium 64-bit Service Pack 1
       #9

    No need. Just create a repair disk.
    System Repair Disc - Create


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd