M$'s Answer to Popureb.E Malware? Reinstall Windows


10 replies to this topic

#1 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  • Gender:Male
  • Location:is everything
  • Local time:04:46 AM

Posted 28 June 2011 - 03:52 PM

http://old.news.yahoo.com/s/zd/20110628/tc_zd/266261

Microsoft has discovered a new variant on a bootkit so malicious that Microsoft's recommended solution is to reinstall Windows from a recovery CD.

In a recent blog post on TechNet, Chun Feng, an engineer with the Microsoft Malware Protection Center, warned that users will have to roll back Windows via a recovery CD if they are infected with what it refers to as Popureb.E, which now includes a driver component that triggers at boot time.

The malware is clever enough to identify the actual physical startup disk, and it infects an operation called DriverStartIO, according to the Microsoft blog post.

What it does there is even more ingenious. "If it finds the write operation is trying to overwrite the MBR [Master Boot Record] or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk."

In other words, antivirus software that attempts to remove the virus by overwriting the MBR will be intercepted, and the write command replaced with a read command.


>>>Microsoft recommends that users try and fix the malware by using the System Recovery Console, and then using the "fixmbr" command<<<


Can someone explain to this noob (me) how the fixmbr command would NOT trigger the bootkit's intercept mechanism? :blink:

Edited by Union_Thug, 29 June 2011 - 01:01 PM.



#2 lti

lti

  • Members
  • 582 posts
  • OFFLINE
  • Local time:02:46 AM

Posted 28 June 2011 - 08:54 PM

I would guess that the infected driver is not able to run in the Recovery Console.

#3 Union_Thug

Union_Thug

    Bleeps with the fishes...

  • Topic Starter

  • Members
  • 2,355 posts
  • OFFLINE
  • Gender:Male
  • Location:is everything
  • Local time:04:46 AM

Posted 29 June 2011 - 01:03 PM

A pretty valid assumption IMO. Can any BC expert kindly confirm if this is the case?

Thanks,
Thug

Edited by Union_Thug, 29 June 2011 - 01:04 PM.


#4 Nawtheasta

Nawtheasta

  • Members
  • 403 posts
  • OFFLINE
  • Location:New England, USA
  • Local time:04:46 AM

Posted 29 June 2011 - 08:32 PM

OK, I understand that if you become infected you're toast, but do real-time protection suites like Comodo, ESET, etc. stop it before it gets in?

#5 SteveDoom

SteveDoom

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 06 July 2011 - 08:23 AM

I would guess that the infected driver is not able to run in the Recovery Console.


Exactly, any environment whereby the driver is not regularly loaded would likely allow rewriting of the MBR, virus be damned.

#6 Romeo29

Romeo29

    Learning To Bleep


  • Members
  • 3,194 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:03:46 AM

Posted 07 July 2011 - 04:08 PM

Yes, when you use the Recovery Console by booting off a Windows DVD or Recovery CD, the malware is not able to load itself. Then you can kill it.
So bootrec /fixmbr is a good step.

However, if you want to go a step further, use the F-Secure Rescue CD (freely available) and boot from it. It can scan the MBR along with other places on your computer.
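The mechanism quoted in the first post (a write to sector 0 that reports success but never lands) and the repair step above (bootrec /fixmbr from a clean boot environment) share one practical lesson: never trust a write's return code for the MBR, read the sector back and compare. The following is an added example, not code from the article, Microsoft or any poster, that parses a 512-byte MBR, compares its boot code against a hash taken from a known-clean install, and wraps an MBR write in a read-back check. All disk contents are constructed in memory; the `WriteDroppingDisk` class is a test fixture that only reproduces the effect described in the article (writes to sector 0 succeed but change nothing) so the verifier has something to catch. The hash values and partition numbers are made up for the example.

```python
"""Added example: parse an MBR, compare its boot code to a known-good hash,
and confirm an MBR write actually reached the disk by reading it back.
Everything here operates on constructed in-memory images, never on real devices."""
import hashlib
import io
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 440-445 hold the per-disk Windows disk signature
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into a boot-code hash, partition entries and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        # hash only the code region so a legitimate per-disk signature does not trip the check
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[MBR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """Compare the boot-code region against a hash recorded from a clean install."""
    return parse_mbr(sector)["boot_code_sha256"] == known_good_sha256


def write_mbr_verified(disk, new_mbr: bytes) -> bool:
    """Write sector 0, then read it back and confirm the bytes actually landed.

    A write that reports success while the old bytes stay on disk (the behaviour
    the article attributes to Popureb.E) is caught here instead of being trusted."""
    disk.seek(0)
    written = disk.write(new_mbr)
    disk.flush()
    disk.seek(0)
    return written == MBR_SIZE and disk.read(MBR_SIZE) == new_mbr


class WriteDroppingDisk(io.BytesIO):
    """Constructed test fixture: writes to sector 0 report success but change nothing.
    It exists only to exercise write_mbr_verified against the described failure mode."""
    def write(self, data):
        if self.tell() < MBR_SIZE:
            self.seek(self.tell() + len(data))  # advance as if written, keep old bytes
            return len(data)
        return super().write(data)


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR: 446 bytes of boot code, up to 4 entries, 0x55AA."""
    table = b"".join(struct.pack("<B3xB3xII", *entry) for entry in partitions)
    return (boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
            + table.ljust(64, b"\x00") + BOOT_SIGNATURE)


# Constructed sample data: a "clean" image and a "tampered" one with different boot code.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", [(0x80, 0x07, 2048, 1_000_000)])
TAMPERED_MBR = build_mbr(b"\xeb\xfe" * 100, [(0x80, 0x07, 2048, 1_000_000)])
CLEAN_BOOT_CODE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]


def demo() -> dict:
    """Run the checks against an ordinary image and against the write-dropping fixture."""
    normal = io.BytesIO(TAMPERED_MBR)
    dropping = WriteDroppingDisk(TAMPERED_MBR)
    return {
        "tampered_detected": not boot_code_matches(TAMPERED_MBR, CLEAN_BOOT_CODE_SHA256),
        "normal_disk_repaired": write_mbr_verified(normal, CLEAN_MBR),
        "dropping_disk_repaired": write_mbr_verified(dropping, CLEAN_MBR),
    }


if __name__ == "__main__":
    print(demo())
```

On the ordinary image the repair is confirmed; on the fixture the write "succeeds" yet the read-back still shows the tampered boot code, which is exactly the signal a cleanup tool running inside the infected OS would need, and which it gets for free once it is run from a boot environment where the driver was never loaded.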

#7 Union_Thug

Union_Thug

    Bleeps with the fishes...

  • Topic Starter

  • Members
  • 2,355 posts
  • OFFLINE
  • Gender:Male
  • Location:is everything
  • Local time:04:46 AM

Posted 07 July 2011 - 04:46 PM

Thanks to all.

#8 xXAlphaXx

xXAlphaXx

  • Members
  • 867 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carlona
  • Local time:04:46 AM

Posted 10 July 2011 - 12:39 PM

But wouldn't it already be loaded in the MBR so when you try a fixmbr command it would read instead of write the new MBR?
If I am helping you and I do not respond within 24 hours, please send me a PM. :)

#9 Quads

Quads

  • Members
  • 86 posts
  • OFFLINE
  • Gender:Male
  • Location:CHCH New Zealand
  • Local time:08:46 PM

Posted 11 July 2011 - 03:38 PM

Hi

Here is a curing tool http://pxnow.prevx.com/antipopureb.exe

Quads

#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:04:46 AM

Posted 11 July 2011 - 05:44 PM

Hi

Here is a curing tool http://pxnow.prevx.com/antipopureb.exe

Quads


It should be noted that this tool is very new, and only works for one particular variant of Popureb. Use at your own risk.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#11 FluffyPup

FluffyPup

  • Members
  • 194 posts
  • OFFLINE
  • Gender:Female
  • Location:SoCal
  • Local time:01:46 AM

Posted 29 July 2011 - 10:36 PM

My computer has gone from slow and sluggish to possessed.

At this point, booting in Safe Mode results in a BSOD. Starts fine in normal mode.

So I volunteered as a test subject for this fix.

Didn't find anything. Didn't harm anything.



