Microsoft advice to clean vicious Trojan: Kill your computer to save it


Microsoft issued some very bottom-line advice for users hit with an unusually virulent and persistent bit of malware called the Popureb-E Trojan: Strip down the OS and reinstall it.

Popureb infects the Master Boot Record (MBR), then installs other components on the hard drive and lists them within the MBR not as data or applications, but as separate disk sectors.


Then it adds a driver component that keeps its changes from being deleted again.

The malware hooks into the DriverStartIo subroutine that monitors disk write operations; if there is an attempt to overwrite the malicious code or other components, the MBR component changes the Write operation to a Read operation.

That makes the scrubbing look as if it succeeded, but none of the changes are written to disk, so the Trojan and its various components stay right where they are.

Microsoft advises using the FixMBR utility within the System Recovery Console to get rid of the Trojan.

It apparently works, but The Register points out that using FixMBR before using a recovery disk will strip out all the applications and associated data already installed.

Running the utility without realizing it would wipe the whole disk would be a nasty surprise for anyone who hadn't backed up their data ahead of time.

Nasty infection, nasty cure.

Microsoft's advice for preventing the infection is pure boilerplate: Add a firewall, keep your OS and AV updated, limit user privileges, use caution when clicking on links to Web pages.

Microsoft antivirus recognizes the malware, but the list of symptoms Microsoft offers for spotting the infection yourself isn't exactly conclusive:

The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %windir%\mgr.exe

  • The presence of the following registry modification:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "qQ"
    With data: "%windir%\mgr.exe"
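The two indicators above can be checked from an elevated PowerShell prompt with the script below, an added example that is not part of the article or of anything Microsoft published. It goes a little beyond the list by also flagging a Run value that points at mgr.exe under a different name, or a value named "qQ" with different data; a hit is a reason to investigate, not proof, since the MBR and driver components are not visible from here.

```powershell
# Added example: check a host for the Popureb-E indicators listed in the article.
# Assumes nothing beyond the article's own values (the Run key, value name "qQ",
# and %windir%\mgr.exe). Run from an elevated prompt so HKLM is readable.
function Test-PopurebIndicators {
    [CmdletBinding()]
    param(
        [string]$RunKeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string]$SuspectFile = (Join-Path $env:windir 'mgr.exe')
    )
    $findings = @()

    # Indicator 1: the dropped file %windir%\mgr.exe exists.
    if (Test-Path -LiteralPath $SuspectFile -PathType Leaf) {
        $item = Get-Item -LiteralPath $SuspectFile
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$SuspectFile exists ($($item.Length) bytes, modified $($item.LastWriteTime))"
        }
    }

    # Indicator 2: a Run value named "qQ" whose data is "%windir%\mgr.exe".
    if (Test-Path -LiteralPath $RunKeyPath) {
        $key = Get-Item -LiteralPath $RunKeyPath
        foreach ($name in $key.GetValueNames()) {
            # Read the data unexpanded so a literal "%windir%" still matches,
            # then compare the expanded form against the real file path as well.
            $raw      = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $expanded = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            $nameHit  = ($name -eq 'qQ')
            $dataHit  = ($raw -ieq '%windir%\mgr.exe') -or ($expanded -ieq $SuspectFile)
            if ($nameHit -or $dataHit) {
                $note = if ($nameHit -and -not $dataHit) { ' (value name matches, data differs)' }
                        elseif ($dataHit -and -not $nameHit) { ' (data matches under a different value name)' }
                        else { '' }
                $findings += [pscustomobject]@{
                    Indicator = 'Registry'
                    Detail    = "$RunKeyPath\$name = '$raw'$note"
                }
            }
        }
    }
    return $findings
}

$hits = Test-PopurebIndicators
if ($hits) { $hits | Format-Table -AutoSize } else { 'No Popureb-E indicators found.' }
```

Because the Trojan turns writes into reads, a clean result here says nothing about the MBR; it only tells you the user-mode artifacts are absent or have been renamed.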

Just remember to make a backup before you do anything else.
