Trojan requires infected Windows users do a System Restore

By on June 28, 2011, 12:00 PM

Microsoft has warned of a new malware threat affecting Windows users that can only be completely removed by restoring the system to a previous state or wiping it altogether. According to Redmond, the culprit is the latest variant of a Trojan known as "Popureb" (specifically, Trojan:Win32/Popureb.E), which stores part of its data in the hard drive's master boot record (MBR) and installs a driver component that prevents the malicious code from being overwritten.

"The driver component protects the data in an unusual way," wrote Chun Feng, an engineer with the Microsoft Malware Protection Centre, in an advisory last week. "The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk."
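As an added illustration (not code from Microsoft, the advisory or this article), the following Python model shows the write-to-read substitution the advisory describes and why a defender cannot trust the reported success status alone: only reading the sector back reveals that nothing was written. The simulated disk, the hook and the sector numbers are constructed assumptions; the model also covers the article's removal advice, in that a rewrite performed while the hooked driver is not loaded (booted from recovery media) does persist.

```python
"""Toy simulation of the write-to-read substitution described for Popureb.E,
and the read-back verification a defender can use to notice it.

Constructed example: the disk, the hook and the sector numbers are all
assumptions made for illustration; nothing here touches a real device.
"""
from dataclasses import dataclass, field

SECTOR_SIZE = 512
MBR_SECTOR = 0
PAYLOAD_SECTOR = 62   # assumed location of the "disk sectors containing malicious code"


@dataclass
class SimDisk:
    """A tiny disk: a dict of sector number -> bytes, plus an optional
    write-intercepting hook that models the malicious DriverStartIo routine."""
    sectors: dict = field(default_factory=dict)
    protected: set = field(default_factory=set)   # sectors the hook "protects"
    hook_active: bool = False                     # True = infected Windows session

    def read(self, lba: int) -> bytes:
        return self.sectors.get(lba, b"\x00" * SECTOR_SIZE)

    def write(self, lba: int, data: bytes) -> bool:
        """Return True on 'success', as the driver stack would report it.

        With the hook active, a write aimed at a protected sector is turned
        into a read: the caller is told it succeeded, but nothing changes."""
        assert len(data) == SECTOR_SIZE
        if self.hook_active and lba in self.protected:
            self.read(lba)          # request completes, data is discarded
            return True
        self.sectors[lba] = bytes(data)
        return True


def verified_write(disk: SimDisk, lba: int, data: bytes) -> dict:
    """Write a sector, then read it back and compare.

    A 'successful' write whose read-back differs is exactly the symptom
    the advisory describes; the returned dict records both facts."""
    ok = disk.write(lba, data)
    persisted = disk.read(lba) == data
    return {"reported_ok": ok, "persisted": persisted,
            "silently_dropped": ok and not persisted}


def infect(disk: SimDisk) -> None:
    """Stand-in for the infection: plant marker bytes in the MBR and a
    payload sector, then arm the hook over those sectors (constructed)."""
    disk.sectors[MBR_SECTOR] = b"BAD-MBR".ljust(SECTOR_SIZE, b"\x00")
    disk.sectors[PAYLOAD_SECTOR] = b"PAYLOAD".ljust(SECTOR_SIZE, b"\x00")
    disk.protected.update({MBR_SECTOR, PAYLOAD_SECTOR})
    disk.hook_active = True


def demo() -> dict:
    """Run the scenario: an online repair is dropped, an offline repair sticks."""
    disk = SimDisk()
    infect(disk)
    clean_mbr = b"CLEAN-MBR".ljust(SECTOR_SIZE, b"\x00")

    online = verified_write(disk, MBR_SECTOR, clean_mbr)   # from inside infected Windows
    disk.hook_active = False                               # booted from recovery media
    offline = verified_write(disk, MBR_SECTOR, clean_mbr)  # fixmbr-style rewrite

    return {"online": online, "offline": offline,
            "mbr_clean": disk.read(MBR_SECTOR) == clean_mbr}


if __name__ == "__main__":
    print(demo())
```

The practical lesson for a responder is in `verified_write`: any tool that repairs boot sectors from inside a running system should read the sector back and compare, rather than trusting the driver stack's status code.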

Not many details are available as to what symptoms infected machines are showing, but its previous iteration, Trojan:Win32/Popureb.B, displays advertisements and modifies the user's Internet Explorer start page.

Microsoft's antivirus engine will detect the threat. However, Feng says that those already infected will have to fix the MBR using the System Recovery Console and a command called "fixmbr", then proceed to use a recovery CD to restore the system to a pre-infected state. Recovery options for XP, Vista and Windows 7 users are detailed here:




User Comments: 12

wcbert said:

"If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk."

Very clever, and that's why you have to never let your guard down.

freedomthinker said:

Meh. Just turn off the net. Problem solved!

jobeard, TS Ambassador, said:

Insufficient: it can ride a USB thumb drive and infect you there

OR

infect you via a fileshare you access on your LAN

What you click matters

Rick, TechSpot Staff, said:

Since this 'hook' is only active in an infected Windows install, changing your MBR outside of Windows ought to do the trick, i.e. boot to a Windows XP install disc and "fixmbr", or "bootrec /fixmbr" for Vista/7.

Leave that disc in and boot back into your current installation of Windows... Then Start > Run > sfc /scannow and you should be OK? You could use System Restore too, I suppose, but when you're a hammer every problem looks like a nail, I guess. :-)

Guest said:

Hahaha Rick, you're funny!

Guest said:

Additional protection, beyond an antivirus real-time guard and an antimalware scanner, can be had with proactive protection software (for unknown viruses, if your antivirus doesn't have this).

Some free programs like these:

- Outpost Firewall Free 6.51 (you can download it from FileHippo).

- Comodo Firewall (or Internet Security)

- PcTools ThreatFire

- Also, you can protect files and folders with "System Protect" and use passive protection for IE with "SpywareBlaster".

- Finally, "WinPatrol" will alert you of changes to your system.

Guest said:

Could you not use AVG's Rescue CD, as you're not scanning through Windows, or take the hard drive out and scan it on another computer? As the driver won't be actively working. Or am I missing something here?

PanicX, TechSpot Ambassador, said:

Rick said:

Leave that disc in and boot back into your current installation of Windows... Then Start > Run > sfc /scannow and you should be OK? You could use System Restore too, I suppose, but when you're a hammer every problem looks like a nail, I guess. :-)

I would expect using a BartPE or LiveCD and then virus scanning the inactive hard drive would point out the infected driver and result in a clean system. Unless there's more to the infection than the article describes.

Tanstar said:

Guest said:

Additional protection, beyond an antivirus real-time guard and an antimalware scanner, can be had with proactive protection software (for unknown viruses, if your antivirus doesn't have this).

Some free programs like these:

- Outpost Firewall Free 6.51 (you can download it from FileHippo).

- Comodo Firewall (or Internet Security)

- PcTools ThreatFire

- Also, you can protect files and folders with "System Protect" and use passive protection for IE with "SpywareBlaster".

- Finally, "WinPatrol" will alert you of changes to your system.

I've been using ZoneAlarm for years; has it fallen behind?

Guest said:

I have been using NOD 32 for 5 years now............USE IT. ;)

example1013 said:

Rick said:

Since this 'hook' is only active in an infected Windows install, changing your MBR outside of Windows ought to do the trick, i.e. boot to a Windows XP install disc and "fixmbr", or "bootrec /fixmbr" for Vista/7.

Leave that disc in and boot back into your current installation of Windows... Then Start > Run > sfc /scannow and you should be OK? You could use System Restore too, I suppose, but when you're a hammer every problem looks like a nail, I guess. :-)

I'd figured there would have to be a way to fix the MBR from outside of Windows. There's no way your computer could completely lock you out. I guess if your last clean system restore point would net you a loss of a lot of info, a method like this would be more convenient.

Guest said:

Alternatively, can't you just boot up Mini XP or something and "rescue" important data, then format or whatever? Seems like a much easier fix, imo.
