Trojan requires infected Windows users do a System Restore

Jos

Staff

Microsoft has warned of a new malware threat affecting Windows users that can only be completely removed by restoring the system to a previous state or wiping it altogether. According to Redmond, the culprit is the latest variant of a Trojan known as "Popureb" (specifically, Trojan:Win32/Popureb.E), which stores part of its data in the hard drive’s master boot record (MBR) and introduces a driver component to prevent the malicious code from being changed.

"The driver component protects the data in an unusual way," wrote Chun Feng, an engineer with the Microsoft Malware Protection Centre, in an advisory last week. "The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk."

Not many details are available about the symptoms infected machines show, but its previous iteration, Trojan:Win32/Popureb.B, displays advertisements and modifies the user's Internet Explorer start page.

Microsoft's antivirus engine will detect the threat. However, Feng says that those already infected will have to fix the MBR using the System Recovery Console and a command called "fixmbr", then use a recovery CD to restore the system to a pre-infected state. Recovery options for XP, Vista and Windows 7 users are detailed here:
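A toy simulation, added here and not Microsoft's or the article's code (and nothing like the real driver), of the write-to-read swap Feng describes, together with the read-back check that exposes it. The `Disk` and `HookedDisk` classes, the protected sector numbers and the sample sector contents are all constructed:

```python
SECTOR = 512


class Disk:
    """Constructed simulated disk; sector 0 plays the MBR."""

    def __init__(self, sectors: int) -> None:
        self.data = [bytearray(SECTOR) for _ in range(sectors)]

    def read(self, lba: int) -> bytes:
        return bytes(self.data[lba])

    def write(self, lba: int, buf: bytes) -> bool:
        self.data[lba][:] = buf.ljust(SECTOR, b"\0")[:SECTOR]
        return True  # completion status reported to the caller


class HookedDisk(Disk):
    """Models the hooked DriverStartIo from the advisory: a write aimed at a
    protected sector is turned into a read, and the request still succeeds."""

    def __init__(self, sectors: int, protected) -> None:
        super().__init__(sectors)
        self.protected = set(protected)  # constructed sector numbers

    def write(self, lba: int, buf: bytes) -> bool:
        if lba in self.protected:
            self.read(lba)  # swapped to a read: nothing reaches the platter
            return True     # ...but the caller is told it worked
        return super().write(lba, buf)


def write_verified(disk: Disk, lba: int, buf: bytes) -> bool:
    """Write a sector and read it back; a 'successful' write whose read-back
    differs is the symptom fixmbr run inside an infected OS would show."""
    expected = buf.ljust(SECTOR, b"\0")[:SECTOR]
    return disk.write(lba, buf) and disk.read(lba) == expected


def demo() -> tuple:
    clean_mbr = bytes(510) + b"\x55\xAA"             # constructed stand-in MBR
    tainted = b"\xEB" * SECTOR                       # constructed 'bad' sector
    offline = Disk(8)                                # disk as seen from a rescue CD
    infected = HookedDisk(8, protected={0, 62, 63})  # disk as seen from inside the OS
    for d in (offline, infected):
        d.data[0][:] = tainted
    return (write_verified(offline, 0, clean_mbr),   # True: offline write sticks
            write_verified(infected, 0, clean_mbr),  # False: silently dropped
            write_verified(infected, 5, clean_mbr))  # True: other sectors unaffected
```

The read-back mismatch on the "infected" disk is why the advisory and the commenters below send the repair outside the running Windows install.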


 
"If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk."

Very clever, and that's why you have to never let your guard down.
 
Insufficient; it can ride a USB thumbdrive and infect you there
OR
infect you via a fileshare you access on your LAN

What you click matters
 
Since this 'hook' is only active in an infected Windows install, changing your MBR outside of Windows ought to do the trick, i.e. boot to a Windows XP install disc and run "fixmbr", or "bootrec /fixmbr" for Vista/7.

Leave that disc in and boot back into your current installation of Windows... Then Start > Run > sfc /scannow and you should be OK? You could use System Restore too, I suppose, but when you're a hammer every problem looks like a nail, I guess. :)
 
Additional protection beyond an antivirus real-time guard and an antimalware scanner can be had with proactive protection software (for unknown viruses, and if your antivirus doesn't have this).

Some free programs like these:
- Outpost Firewall Free 6.51 (you can download it from FileHippo).
- Comodo Firewall (or Internet Security)
- PcTools ThreatFire

- Also, you can protect files and folders with "System Protect" and use passive protection for IE with "SpywareBlaster".

- Finally, "WinPatrol" will alert you of changes to your system.
 
Could you not use AVG's Rescue CD, as you're not scanning through Windows, or take the hard drive out and scan it on another computer? As the driver won't be actively working... or am I missing something here?
 
Rick said:
Leave that disc in and boot back into your current installation of Windows... Then Start > Run > sfc /scannow and you should be OK? You could use System Restore too, I suppose, but when you're a hammer every problem looks like a nail, I guess. :)

I would expect using a BartPE or LiveCD and then virus scanning the inactive hard drive would point out the infected driver and result in a clean system. Unless there's more to the infection than the article describes.
 
Guest said:
Additional protection beyond an antivirus real-time guard and an antimalware scanner can be had with proactive protection software (for unknown viruses, and if your antivirus doesn't have this).

Some free programs like these:
- Outpost Firewall Free 6.51 (you can download it from FileHippo).
- Comodo Firewall (or Internet Security)
- PcTools ThreatFire

- Also, you can protect files and folders with "System Protect" and use passive protection for IE with "SpywareBlaster".

- Finally, "WinPatrol" will alert you of changes to your system.

I've been using ZoneAlarm for years, has it fallen behind?
 
Rick said:
Since this 'hook' is only active in an infected Windows install, changing your MBR outside of Windows ought to do the trick, i.e. boot to a Windows XP install disc and run "fixmbr", or "bootrec /fixmbr" for Vista/7.

Leave that disc in and boot back into your current installation of Windows... Then Start > Run > sfc /scannow and you should be OK? You could use System Restore too, I suppose, but when you're a hammer every problem looks like a nail, I guess. :)

I'd figured there would have to be a way to fix the MBR from outside of Windows. There's no way your computer could completely lock you out. I guess if your last clean system restore point would cost you a lot of info, a method like this would be more convenient.
 
Alternatively, can't you just boot up Mini XP or something and "rescue" important data, then format or whatever? Seems like a much easier fix, imo.
 