Microsoft advice to clean vicious Trojan: Kill your computer to save it


Microsoft issued some very bottom-line advice for users hit with an unusually virulent and persistent bit of malware called the Popureb-E Trojan: Strip down the OS and reinstall it.

Popureb infects the Master Boot Record (MBR), then installs other components on the hard drive and lists them within the MBR not as data or applications, but as separate disk sectors.

[Also see: Big botnets and how to stop them]

Then it adds a driver component that keeps its changes from being deleted again.

The malware hooks into the DriverStartIo subroutine that monitors disk write operations; if there is an attempt to overwrite the malicious code or other components, the MBR component changes the Write operation to a Read operation.

That makes the scrubbing look as if it succeeded, but none of the changes are written to disk, so the Trojan and its various components stay right where they are.

Microsoft advises using the FixMBR utility within System Recovery Console to get rid of the trojan.

It apparently works, but TheRegister points out that using FixMBR before using a recovery disk will strip out all the applications and associated data already installed.

Running the utility without realizing you were actually wiping the whole disk would be a nasty surprise if you didn't know that ahead of time and back up all your data.

Nasty infection, nasty cure.

Microsoft's advice for preventing the infection is pure boilerplate: Add a firewall, keep your OS and AV updated, limit user privileges, use caution when clicking on links to Web pages.

Microsoft antivirus recognizes the malware, but the list of symptoms Microsoft offers to help you do it yourself isn't exactly conclusive:

The following system changes may indicate the presence of this malware:

Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question