A new variant of the Trojan Popureb burrows deep enough into the Windows operating system that users are recommended to reinstall the OS in order to remove it.
A new rootkit targeting Windows systems currently making the
rounds can be removed only by fixing the master boot record, Microsoft
The "Popureb" Trojan corrupts the hard drive's
master boot record to such an extent that the only way to remove it is
to run Windows Recovery Console to rewrite the sectors to a clean state, Microsoft Malware Protection Center
engineer Chun Feng wrote in an advisory posted on the Threat
Research and Reponse
blog June 22.
The Trojan was updated recently with the driver component
that makes sure the malware can never be modified by an external process,
according to Feng. The component accesses the DriverStartIO routine in the
device driver to execute itself.
"The driver component
protects the data in an unusual way," wrote Feng.
Trojan:Win32/Popureb.E overwrites the first sector on the
hard drive so that it triggers at boot time. MBR is generally invisible to both
the operating system and security software. To ensure it can't easily be
removed, Popureb can intercept all commands to overwrite the MBR or any other
part of the hard drive where the malware is installed and replace those
commands with a read command. The operation appears to succeed and no errors
are thrown, but no new data is actually written to the disk. This means that if
a security software attempts to remove the malware, it fails automatically
because it can't overwrite the MBR or the infected sector.
Despite Microsoft's stance, Symantec researchers downplayed
the threat on its blog. "The Popureb family is nothing new and we have seen
variants of this family for months," a Symantec employee with the name
"kochc" wrote June 28 in a post titled "Win32/Popureb.E
Most members of this particular malware family are fake
antivirus software, but this variant "might be a little more severe,
Symantec said, but pointed out that this Trojan doesn't do anything that
"Trojan.Tidserv doesn't already do." The company has asked Microsoft
for the sample to analyze further, according to the statement.
Users should use the System Recovery Console to
run the fixmbr command to remove the malware, Feng said as he posted detailed instructions for fixing XP, Vista and Windows 7 after being infected
by Popureb online.
Rootkits are increasingly becoming common
because they are
often hard to detect
or remove because of the way they bury inside the
Organizations without a comprehensive backup strategy in
place will lose a lot of information if any of their systems get infected by
Popureb. Considering that a clean re-install is recommended, all documents and
data files need to be removed. Running a backup at this point and restoring
from it raises the possibility that the backup will be infected and will
re-infect the machine after restoring the files.
Even though it can't remove the Trojan, Microsoft claims its
security products can at least detect the latest variants as of June 21. Kaspersky Lab's rootkit cleaner can detect and remove this toolkit "without problem," a Kaspersky Lab researcher told eWEEK.
Updated 6/28/2011: This article was modified after Microsoft updated the blog post to reflect that a clean re-install of Windows was not necessary to remove this rootkit.