Tuesday, August 9, 2011

Symantec's response to Popureb.E, or Alworo, or whatever you want to call it

Back in June, I wrote a post entitled Popureb.E does not sound fun. Based on Microsoft's write-up, my post on the Master Boot Record (MBR) infection concluded as follows:

However, Microsoft offers protection against this trojan. I'm not sure if other security companies are offering anything.

To set the record straight, Symantec does have a response to Popureb.E. This was written back in June:

We've done our own analysis, and as Microsoft indicates, it certainly is a nasty piece of work. Popureb.E (as dubbed by Microsoft) is very similar to other MBR-infecting threats we’ve seen in the past, which leads us to believe it’s either an evolution of an existing threat from the person who wrote the initial MBR-infecting code, or it’s been sold in the underground economy and someone is using the code....

As it turns out, it isn't actually necessary to reimage a machine in order to repair it. Symantec detects this threat and will block it from infecting a computer. If the computer is already infected, the Norton Bootable Recovery Tool (NBRT) can be used to boot up the computer and NBRT will remove the threat. The NBRT helps to fix computers that are infected with threats that embed themselves deep into the operating system, restoring the computer to normal working order. Note that customers running enterprise versions of Symantec products will have different options available to them.

To be fair to Microsoft, their article (as it stood when I read it earlier today) didn't actually advocate reinstalling the OS. Using the Windows Recovery Console to repair the MBR does not necessitate wiping the boot drive clean of applications and data. System Restore will of course roll your system back to a previous state, and although you may lose some recent data, that doesn't wipe your boot drive....

Oh, and for anyone who was wondering how Symantec detects this threat, there are two main components involved with this particular piece of malware. The initial dropper of the threat is detected as Trojan.Alworo and the MBR infector is detected as Boot.Alworo. Be sure to keep your definitions up to date, install product and OS updates as soon as they are released, and most importantly, back your data up. It’s too late to insure your house once it’s burned to the ground.

It's interesting to note that Symantec and Microsoft refer to this by different names. Microsoft's "Popureb.E" is Symantec's "Alworo." I still don't know what McAfee calls it.

For more on Symantec's response to what they call Alworo, see the post Are MBR Infections Back in Fashion? Excerpt:

As with any malware infection, the key is to not get infected in the first place. Symantec has been quick to add detection for such malware whenever they are discovered (so keep your detections up-to-date) and we also offer various tools that can help to remove them. For MBR infecting threats, a simple way to disable the malware is to boot up with a bootable CD and then run “fixmbr” which will restore the MBR to a default setting. This will stop the MBR based malware from executing. For other more tricky threats you can try tools such as the Norton Boot Recovery Tool.
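As an added illustration (not code from the original post or from Symantec), here is a Python check for the kind of MBR change the fixmbr advice above repairs: it parses a 512-byte MBR image, verifies the 55AA boot signature and partition table, and compares the boot-code region against a known-good baseline. The baseline boot stub and both sample images are constructed for the example, not taken from Alworo or from any real disk.

```python
import hashlib
import struct

# Fixed offsets of the classic (non-GPT) MBR layout.
MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0x000-0x1B7: the boot code an MBR infector overwrites
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # must hold 55 AA
PART_FMT = "<B3xB3xII"   # status, (CHS skipped), type, (CHS skipped), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition entries and the 55AA check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa"}

def check_mbr(sector: bytes, baseline_boot_code: bytes) -> list:
    """Return findings for a captured MBR; an empty list means it matches the known-good boot code."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if hashlib.sha256(mbr["boot_code"]).digest() != hashlib.sha256(baseline_boot_code).digest():
        findings.append("boot code differs from known-good baseline")
    if sum(p["bootable"] for p in mbr["partitions"]) > 1:
        findings.append("more than one active partition")
    return findings

def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed 512-byte MBR image for testing; this is not a real disk image."""
    sector = bytearray(MBR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    for i, entry in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i, *entry)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)

# Constructed samples: a stand-in "known-good" boot stub, and a copy whose first two bytes were
# overwritten, the kind of change fixmbr undoes by rewriting the default boot code.
BASELINE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8".ljust(BOOT_CODE_LEN, b"\x90")
PARTS = [(0x80, 0x07, 2048, 204800)]  # one active NTFS partition starting at LBA 2048
CLEAN_MBR = build_mbr(BASELINE_BOOT_CODE, PARTS)
TAMPERED_MBR = build_mbr(b"\xeb\x20" + BASELINE_BOOT_CODE[2:], PARTS)
```

On a real system the baseline would be the boot code fixmbr writes for that Windows version, captured from a known-clean machine, and the sector under test would be read from the first 512 bytes of the boot disk.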

Be sure to read the rest of Symantec's post, which points out that there is nothing new under the sun.