The Popureb Trojan bootkit malware Trojan:Win32/Popureb.E
Status: Site Admin
Joined: 26 Sep 2003
Posts: 4126
Location: East Coast, West Coast? I know it's one of them.
Reply Quote
I don't often post on trojan/rootkits, but this one got my attention because Microsoft themselves say the only way to safely get rid of it is to reinstall windows, basically.

Now, before you go and do that, make sure to check out the live antivirus/rootkit CDs that are now on the market, those run with windows off, which fixes some of this, depending on how the attack is done. Get our list of AV live cds before you start.

Here's the story that got my attention, MS advises drastic measures to fight hellish Trojan, which comes out of an MS seccurity blog posting, Don’t write it, read it instead!. Note that TheRegister didn't update their story, MS changed the advice to simply fixing the MBR, then running AV tools on the system. Most good livecd AV tools should be able to do this for you.

Good stuff there:
:: Quote ::
The bootkit malware Trojan:Win32/Popureb.E has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys).

Back to top
Display posts from previous:   

All times are GMT - 8 Hours