Rootkit Infection Requires Windows Reinstall, Says Microsoft

[Borg 386]

Microsoft is telling Windows users that they'll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine's boot sector.

A new variant of a Trojan Microsoft calls "Popureb" digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog .

"If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state," said Feng.

A recovery disc returns Windows to its factory settings.

Malware like Popureb overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.

According to Feng, Popureb detects write operations aimed at the MBR -- operations designed to scrub the MBR or other disk sectors containing attack code -- and then swaps out the write operation with a read operation.

Although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed.

The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick:

It calls IoGetDeviceAttachmentBaseRef( ) to retrieve the bottom device object in the disk device stack, that is, the real physical disk device object.

Then it hooks the DriverStartIo routine in the found device’s DRIVER_OBJECT structure

The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk.

Read More:

Rootkit Infection Requires Windows Reinstall, Says Microsoft | PCWorld

 

[marsmimar]

Good info, Borg. Thanks. But my one remaining brain cell has a question. According to the article, "If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state." Additional info is in the Microsoft blog. But when you go to the link System Recovery Options in Windows 7 it merely refers you to this article:

What are the system recovery options in Windows 7?

What is the proper way to fix the MBR prior to using a recovery CD or a recovery partition?

 

[Borg 386]

Yeah, I noticed that too marsmimar, in that it refers to the article, and that's it.

I added a snippit of the code above.

 

[kado897]

If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".

From the same article.

http://support.microsoft.com/kb/927392

 

[marsmimar]

If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".

From the same article.

How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows

I saw that reference (to use fixmbr) and even went to the KB927392 article. But my one remaining brain cell became a bit confused when I read:

To run the Bootrec.exe tool ... 1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.

I don't have an installation disc. I have a recovery partition, recovery discs made after I brought my computer home, and a system repair disc that was created when I did my first system image. The system repair disc does have a Command Prompt option but if you need an installation disc to extract a clean MBR ....

Hence, my confusion.

 

[kado897]

Mmm yes. I see.

 

[SIW2]

You can do it from winre - that is on the 7 recovery disc - all oem recovery discs ( tho some do not have acces to cmd prompt ), and on the 7 install dvd.

 

[kado897]

Thanks SIW2.

 

[marsmimar]

You can do it from winre - that is on the 7 recovery disc - all oem recovery discs ( tho some do not have acces to cmd prompt ), and on the 7 install dvd.

Sorry for being so dense but ...

I have 4 recovery discs for my Sony VAIO. As soon as I start disc #1 I get a Sony dialog box that says something like the hard drive is going to be erased, backup all important data, when prompted insert disc #2, etc. As soon as I click OK the recovery process begins. No options that I can see to enter any command prompts or access any other repair options.

Under these circumstances would you suggest I buy an OEM install disc just to have on hand in case of emergencies? If yes, would it make any difference if it does or does not have SP1? Again, my apologies.

 

[kado897]

No need. Just create a repair disk.
http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

 

[DBone]

This is why I do routine system images. If the worst happens I'll only be out a couple of weeks worth of work........... Be prepared!

 

[kado897]

Yes. An image restore can also replace the mbr.

 

[Hopalong X]

This is why I do routine system images. If the worst happens I'll only be out a couple of weeks worth of work........... Be prepared!

Couple of weeks?

Weekly or after a major update make a new image.

Windows Backup and Macrium!

 

[kado897]

 

[pparks1]

I usually image about once per month. My actual data is on my server at home, nothing terribly important on my desktop itself. I don't need to image more frequently then this as not much changes on my machine in 2-4 weeks time.

 

[marsmimar]

Thanks everyone for the information. Very much appreciated.

 

[kado897]

You are welcome marsimar.

 

[DBone]

I don't need to image more frequently then this as not much changes on my machine in 2-4 weeks time.

Same here

 

[G1LLY]

Thanks for posting this, very useful info but I hope I never run into it.

 

[malexous]

Hitman Pro removes Popureb.E «

The latest release of Hitman Pro 3.5.9 – build 126 – will remove the infamous Trojan “Popureb” without the need to reinstall the operating system as previously advised by Microsoft.
...

YouTube - ‪Hitman Pro removes Popureb.E‬‏