Microsoft has discovered a new variant on a bootkit so malicious that Microsoft's recommended solution is to reinstall Windows from a recovery CD.
In a recent blog post on TechNet, Chun Feng, an engineer with the Microsoft Malware Protection Center, warned that users will have to roll back Windows via a recovery CD if they are infected with what it refers to as Popureb.E, which now includes a driver component that triggers at boot time.
The malware is clever enough to identify the actual physical startup disk, and it infects an operation called DriverStartIO, according to the Microsoft blog post.
What it does there is even more ingenious. "If it finds the write operation is trying to overwrite the MBR [Master Boot Record] or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk."
In other words, antivirus software that attempts to remove the virus by overwriting the MBR will be intercepted, and the write command replaced with a read command.
>>>Microsoft recommends that users try and fix the malware by using the System Recovery Console, and then using the "fixmbr" command<<<
Can someone explain to this noob (me) how the fixmbr command would NOT trigger the bootkit's intercept mechanism?
Edited by Union_Thug, 29 June 2011 - 01:01 PM.
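The write-to-read swap quoted above is easier to reason about with a small model, so here is an added example that is not part of the post or of Microsoft's write-up. It simulates a disk, a filter driver in the style the blog describes (writes aimed at the MBR or at the sectors holding the malicious code are turned into reads while still reporting success), and a write-then-read-back check of the kind a cleanup tool can use to notice that its MBR write silently did nothing. The same write against the bare disk, with no filter in the I/O path, succeeds, which is the situation when the system is booted from recovery media rather than from the infected disk. All class and function names, the sector numbers and the byte patterns are constructed for the illustration.

```python
"""Model of a filter driver that turns MBR writes into reads (constructed example)."""

SECTOR_SIZE = 512
MBR_LBA = 0


class Disk:
    """A tiny block device: a list of fixed-size sectors (constructed)."""

    def __init__(self, n_sectors: int = 8) -> None:
        self.sectors = [bytes(SECTOR_SIZE) for _ in range(n_sectors)]

    def read(self, lba: int) -> bytes:
        return self.sectors[lba]

    def write(self, lba: int, data: bytes) -> bool:
        if len(data) != SECTOR_SIZE:
            raise ValueError("sector-sized writes only")
        self.sectors[lba] = bytes(data)
        return True  # status the caller sees: success


class WriteSuppressingFilter:
    """Models the hooked DriverStartIO path described in the post.

    Writes to 'protected' sectors (the MBR and the sectors holding the
    malicious code) are replaced by a read of the same sector.  The request
    completes with a success status, but the disk content never changes.
    """

    def __init__(self, disk: Disk, protected: set[int]) -> None:
        self.disk = disk
        self.protected = set(protected)
        self.suppressed_writes = 0  # bookkeeping for the demonstration only

    def read(self, lba: int) -> bytes:
        return self.disk.read(lba)

    def write(self, lba: int, data: bytes) -> bool:
        if lba in self.protected:
            self.disk.read(lba)  # the write becomes a harmless read
            self.suppressed_writes += 1
            return True  # ...yet the caller is told the write succeeded
        return self.disk.write(lba, data)


def verified_write(device, lba: int, data: bytes) -> tuple[bool, bool]:
    """Write a sector and read it back.

    Returns (status_reported, content_actually_changed).  A tool that trusts
    only the first value is fooled by the filter; comparing the read-back
    content exposes the suppressed write.
    """
    reported_ok = device.write(lba, data)
    landed = device.read(lba) == bytes(data)
    return reported_ok, landed


def clean_mbr() -> bytes:
    """A placeholder 'known good' MBR: a jump stub, zero padding, 0x55AA signature."""
    return bytes([0xEB, 0x3C]) + bytes(SECTOR_SIZE - 4) + b"\x55\xAA"


def demo() -> dict:
    """Run the fix attempt through the live (hooked) path and the offline path."""
    disk = Disk()
    # Constructed infection: a modified MBR plus a payload sector at LBA 5.
    disk.sectors[MBR_LBA] = b"\xCC" * SECTOR_SIZE
    disk.sectors[5] = b"\xCC" * SECTOR_SIZE

    # 1. Running inside the infected system: the filter sits in the I/O path.
    live = WriteSuppressingFilter(disk, protected={MBR_LBA, 5})
    live_result = verified_write(live, MBR_LBA, clean_mbr())

    # 2. Booted from recovery media: the same disk, but no filter is loaded.
    offline_result = verified_write(disk, MBR_LBA, clean_mbr())

    return {
        "live": live_result,            # (True, False): "success", nothing written
        "offline": offline_result,      # (True, True): the MBR really changed
        "suppressed": live.suppressed_writes,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The read-back check only works because this model, like the behaviour quoted from the blog, leaves reads untouched; a driver that also rewrote reads would return the clean sector it never stored, so the dependable verification is one done with the infected disk's drivers not loaded, which is the point of the recovery-media advice.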