topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Monday December 16, 2024, 4:13 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: New Windows trojan variant requires a System Restore to fix  (Read 4209 times)

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
This in from TechSpot (emphasis added)

Trojan requires infected Windows users do a System Restore
By Jose Vilches, TechSpot.com
Published: June 28, 2011, 12:00 PM EST
windows, trojan, malware,

Microsoft has warned of a new malware threat affecting Windows users that can only be completely removed by restoring the system to a previous state or wiping it altogether. According to Redmond, the culprit is the latest variant of a Trojan known as "Popureb" (specifically, Trojan:Win32/Popureb.E), which stores part of its data in the hard drive’s master boot record (MBR) and introduces a driver component to prevent the malicious code from being changed.

.
.
.

Not many details are available as to what symptoms infected machines are seeing, but its previous iteration, Trojan:Win32/Popureb.B, displays advertisements and modifies user's Internet Explorer start page.

Microsoft's antivirus engine will detect the threat. However, Feng says that those already infected will have to fix the MBR using the System Recovery Console and a command called "fixmbr", then proceed to use a recovery CD to restore the system to a pre-infected state. Recovery options for XP, Vista and Windows 7 users are detailed here:


Link to full article here.

Confirmed with Microsoft:


The bootkit malware Trojan:Win32/Popureb.E has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick:

   1. It calls IoGetDeviceAttachmentBaseRef( ) to retrieve the bottom device object in the disk device stack, that is, the real physical disk device object.
   2. Then it hooks the DriverStartIo routine in the found device's DRIVER_OBJECT structure (see the picture below).

   3. The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk.

If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".

To find out how to use your system's recovery options, refer to the following articles:

    * For Windows XP: Installing and using the Recovery Console in Windows XP
    * For Windows Vista: System Recovery Options in Windows Vista
    * For Windows 7: System Recovery Options in Windows 7

- Chun Feng


Link to above Microsoft article here.

Y'know, every time I consider the type of person who would write something like this, I can't help but think:

Payback.jpg

 8)

« Last Edit: June 28, 2011, 02:19 PM by 40hz »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: New Windows trojan variant requires a System Restore to fix
« Reply #1 on: June 29, 2011, 11:12 PM »
Y'know, every time I consider the type of person who would write something like this, I can't help but think:
 (see attachment in previous post)
 8)

+1

That's an extremely nasty one. Jeez...

Why can't people just, y'know, like get a job? Or put their efforts into something constructive. It is possible to make a living without hurting people... Sigh...

-- I love the demotivational there~!
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker