Microsoft Updates Rootkit Removal Plan

Tuesday, July 5, 2011 @ 05:07 PM gHale


Users are getting a clearer picture now that Microsoft clarified the advice it gave to those whose Windows PCs were hit with a new, sophisticated rootkit that buries itself on the hard drive’s boot sector.

Just last week, the Microsoft Malware Protection Center (MMPC) highlighted a new Trojan, dubbed “Popureb,” and said the only way to eradicate the malware was to use a recovery disc.


Because a recovery disc returns Windows to its factory settings, Microsoft was essentially telling users they needed to reinstall Windows to completely clean an infected PC.

That recommendation was similar to what Microsoft had offered more than a year ago, when another Trojan buried rootkit code into the master boot record (MBR) of the PC’s hard drive.

On Wednesday, MMPC engineer Chun Feng clarified Microsoft’s advice.

“If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,” Feng wrote on a blog.

Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7.

Once the MBR has been scrubbed, users can run antivirus software to scan the PC for any additional malware and remove it, Feng said.

Malware like Popureb is especially difficult to detect and delete once it’s on a system because it overwrites the hard drive’s MBR, the first sector — sector 0 — which holds the code that bootstraps the operating system after the computer’s BIOS finishes its start-up checks. Because it hides in the MBR and runs before Windows does, the rootkit installed by Popureb makes not only itself, but any follow-on malware it installs later, invisible to the operating system and to security software.
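To make the sector-0 layout concrete, here is an added example (not code from the article or from Microsoft) that parses a 512-byte MBR image into its boot code, partition table and boot signature, and compares the boot code against a known-good digest, which is how a defender would notice that the bootstrap code has been overwritten. The sample sectors, their boot-code bytes and the baseline digest are all constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512          # the MBR is the first 512-byte sector (sector 0)
BOOT_CODE_LEN = 446        # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFF = 446  # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa"    # boot signature at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector 0 into boot code and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": entries}


def boot_code_digest(sector: bytes) -> str:
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> str:
    """Compare the boot code on disk with a known-good baseline digest.
    Returns "clean" or "modified". The partition table is deliberately left out
    of the digest because legitimate tools edit it without touching the code."""
    return "clean" if boot_code_digest(sector) == baseline_digest else "modified"


def make_sample_sector(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given boot code plus one bootable NTFS entry."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + entry + b"\x00" * 48 + SIGNATURE


# Constructed known-good sector, its baseline, and a sector whose code was replaced.
CLEAN = make_sample_sector(b"\xfa\x33\xc0\x8e\xd0")   # stand-in for real boot code
BASELINE = boot_code_digest(CLEAN)
TAMPERED = make_sample_sector(b"\xeb\xfe" + b"\x90" * 10)  # stand-in for foreign code
```

On a real machine the baseline would be recorded from a freshly installed or freshly repaired MBR, and the check re-run from trusted media rather than from the possibly infected operating system.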

MBR rootkits are among the most advanced of all threats; researchers recently said as much about a family called “TDL-4,” a bot whose collection of compromised computers they called “practically indestructible.”

In a follow-up statement today, Microsoft seemed to acknowledge that users could encounter problems with the MMPC advice, and may need to restore their PC from a recent backup.

“Microsoft recommends that customers whose systems are infected with Trojan:Win32/Popureb.E contact Microsoft PCSafety, who can help them identify and remove malware from their systems,” said Jerry Bryant, general manager of Microsoft’s Trustworthy Computing group, in an e-mailed statement. “While using the recovery console to address Master Boot Record (MBR) issues is not designed to affect personal files, we continue to recommend customers practice reasonable back-up processes.”
