A new rootkit targeting Windows systems currently making the rounds can be removed only by fixing the master boot record, Microsoft said.
The “Popureb” Trojan corrupts the hard drive’s master boot record to such an extent that the only way to remove it is to run Windows Recovery Console to rewrite the sectors to a clean state, Microsoft Malware Protection Center engineer Chun Feng wrote in an advisory posted on the Threat Research and Reponse blog June 22.
The Trojan was updated recently with the driver component that makes sure the malware can never be modified by an external process, according to Feng. The component accesses the DriverStartIO routine in the device driver to execute itself.
“The driver component protects the data in an unusual way,” wrote Feng.
Trojan:Win32/Popureb.E overwrites the first sector on the hard drive so that it triggers at boot time. MBR is generally invisible to both the operating system and security software. To ensure it can’t easily be removed, Popureb can intercept all commands to overwrite the MBR or any other part of the hard drive where the malware is installed and replace those commands with a read command. The operation appears to succeed and no errors are thrown, but no new data is actually written to the disk. This means that if a security software attempts to remove the malware, it fails automatically because it can’t overwrite the MBR or the infected sector.
Despite Microsoft’s stance, Symantec researchers downplayed the threat on its blog. “The Popureb family is nothing new and we have seen variants of this family for months,” a Symantec employee with the name “kochc” wrote June 28 in a post titled “Win32/Popureb.E Symantec Response.”
Most members of this particular malware family are fake antivirus software, but this variant “might be a little more severe, Symantec said, but pointed out that this Trojan doesn’t do anything that “Trojan.Tidserv doesn’t already do.” The company has asked Microsoft for the sample to analyze further, according to the statement.
Users should use the System Recovery Console to run the fixmbr command to remove the malware, Feng said as he posted detailed instructions for fixing XP, Vista and Windows 7 after being infected by Popureb online.
Organizations without a comprehensive backup strategy in place will lose a lot of information if any of their systems get infected by Popureb. Considering that a clean re-install is recommended, all documents and data files need to be removed. Running a backup at this point and restoring from it raises the possibility that the backup will be infected and will re-infect the machine after restoring the files.
Even though it can’t remove the Trojan, Microsoft claims its security products can at least detect the latest variants as of June 21. Kaspersky Lab’s rootkit cleaner can detect and remove this toolkit “without problem,” a Kaspersky Lab researcher told eWEEK.
Updated 6/28/2011: This article was modified after Microsoft updated the blog post to reflect that a clean re-install of Windows was not necessary to remove this rootkit.