Monday, June 27, 2011

Popureb.E does not sound fun

ComputerWorld linked to a Microsoft post about a particularly nasty trojan.

The bootkit malware Trojan:Win32/Popureb.E has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed.

"MBR" stands for "master boot record." After discussing some technical details about the trojan, author Chun Feng offers this sobering advice.

If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".

One clarification was posted here:

Other news outlets are misrepresenting the advice as Microsoft saying you need to reformat/reinstall, but it seems that MBR repair and system restore will do the trick.

Personally, though I know it's possible to restore a system without reformatting, I'd still recommend a complete disk wipe and reinstall in a situation like this.

However, Microsoft offers protection against this trojan. I'm not sure if other security companies are offering anything.