Trojan requires infected Windows users do a System Restore

June 28, 2011, 12:00 PM

Microsoft has warned of a new malware threat affecting Windows users that can only be completely removed by restoring the system to a previous state or wiping it altogether. According to Redmond, the culprit is the latest variant of a Trojan known as "Popureb" (specifically, Trojan:Win32/Popureb.E), which stores part of its data in the hard drive's master boot record (MBR) and installs a driver component that prevents the malicious code on disk from being overwritten.

"The driver component protects the data in an unusual way," wrote Chun Feng, an engineer with the Microsoft Malware Protection Centre, in an advisory last week. "The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed; however, the data will never actually be written onto the disk."
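The write-to-read swap Feng describes is worth seeing in code, because it defeats any cleanup tool that trusts the status code of its write. The following is an added example, not code from the advisory or from the malware: a user-mode model of a disk with a hooked start-I/O routine that silently turns writes aimed at "protected" sectors into reads, plus a remediation routine that reads the sector back instead of trusting the return value. The sector layout, the payload range (sectors 32 to 35) and the MBR images are constructed for the model.

```c
/* Added example: model of the Popureb-style DriverStartIo hook and of a
 * write-then-verify check that catches it. User-mode simulation only;
 * the disk, sector layout and MBR contents are constructed, not real. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

#define SECTOR_SIZE 512
#define NUM_SECTORS 64
#define PAYLOAD_START 32   /* assumed location of the hidden payload */
#define PAYLOAD_END   35

enum op { OP_READ, OP_WRITE };

/* Minimal stand-in for an I/O request packet. */
struct request {
    enum op op;
    unsigned sector;
    uint8_t *buf;          /* SECTOR_SIZE bytes, in or out */
};

static uint8_t disk[NUM_SECTORS][SECTOR_SIZE];   /* the modelled drive */
static uint8_t clean_mbr[SECTOR_SIZE];           /* known-good MBR image */

/* Unhooked lower driver: performs the request exactly as asked. */
static int lower_start_io(struct request *r) {
    if (r->sector >= NUM_SECTORS) return -1;
    if (r->op == OP_WRITE) memcpy(disk[r->sector], r->buf, SECTOR_SIZE);
    else                   memcpy(r->buf, disk[r->sector], SECTOR_SIZE);
    return 0;
}

static bool is_protected(unsigned sector) {
    return sector == 0 || (sector >= PAYLOAD_START && sector <= PAYLOAD_END);
}

/* Hooked DriverStartIo, as the advisory describes it: a write to the MBR
 * or to the payload sectors is rewritten into a read. The caller gets
 * success, its buffer is filled with whatever is already on disk, and
 * nothing is ever written. */
static int hooked_start_io(struct request *r) {
    if (r->op == OP_WRITE && is_protected(r->sector))
        r->op = OP_READ;
    return lower_start_io(r);
}

/* Naive repair: trusts the status code of the write. */
static bool write_unverified(unsigned sector, const uint8_t *data) {
    uint8_t tmp[SECTOR_SIZE];
    memcpy(tmp, data, SECTOR_SIZE);
    struct request w = { OP_WRITE, sector, tmp };
    return hooked_start_io(&w) == 0;
}

/* Verified repair: write, read the sector back, compare byte for byte. */
static bool write_verified(unsigned sector, const uint8_t *data) {
    uint8_t tmp[SECTOR_SIZE], back[SECTOR_SIZE];
    memcpy(tmp, data, SECTOR_SIZE);
    struct request w = { OP_WRITE, sector, tmp };
    if (hooked_start_io(&w) != 0) return false;
    struct request rd = { OP_READ, sector, back };
    if (hooked_start_io(&rd) != 0) return false;
    return memcmp(back, data, SECTOR_SIZE) == 0;
}

/* True if sector 0 currently holds the known-good image. */
static bool mbr_is_clean(void) {
    return memcmp(disk[0], clean_mbr, SECTOR_SIZE) == 0;
}

/* Build the constructed disk: a clean MBR image (zero code, 0x55AA
 * signature) and an infected sector 0 carrying a marker string. */
static void setup_model(void) {
    memset(disk, 0, sizeof disk);
    memset(clean_mbr, 0, sizeof clean_mbr);
    clean_mbr[510] = 0x55; clean_mbr[511] = 0xAA;
    memcpy(disk[0], clean_mbr, SECTOR_SIZE);
    memcpy(disk[0], "INFECTED-MBR-MODEL", 18);       /* constructed marker */
    memcpy(disk[PAYLOAD_START], "PAYLOAD-MODEL", 13); /* constructed marker */
}

int main(void) {
    setup_model();
    printf("naive fixmbr reports %s, MBR actually clean: %s\n",
           write_unverified(0, clean_mbr) ? "success" : "failure",
           mbr_is_clean() ? "yes" : "no");
    printf("verified fixmbr reports %s\n",
           write_verified(0, clean_mbr) ? "success" : "failure");
    printf("verified write to unprotected sector 7: %s\n",
           write_verified(7, clean_mbr) ? "success" : "failure");
    return 0;
}
```

The naive routine reports success while the MBR stays infected, which is exactly why a tool that only checks return codes is the wrong way to confirm removal; reading the sector back is the check that exposes the hook. Repairing from recovery media, as the advisory recommends, avoids the problem at the root, since the malicious driver is not loaded at all when the write happens.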

Few details are available about the symptoms infected machines show, but the previous iteration, Trojan:Win32/Popureb.B, displays advertisements and modifies the user's Internet Explorer start page.

Microsoft's antivirus engine will detect the threat. However, Feng says that those already infected will have to fix the MBR first, using the Recovery Console and a command called "fixmbr" (on XP; Vista and Windows 7 use "bootrec /fixmbr" from the Windows Recovery Environment), and then use a recovery CD to restore the system to a pre-infected state. The order matters: System Restore does not rewrite the MBR, and because the hooked driver silently discards in-system writes to the infected sectors, the MBR has to be repaired from recovery media, where the malicious driver is not loaded. Recovery options for XP, Vista and Windows 7 users are detailed here:
