A new variant of the Trojan Popureb burrows deep enough into the Windows operating system that users are recommended to reinstall the OS in order to remove it, or by fixing the master boot record, Microsoft said.
The "Popureb" Trojan corrupts the hard drive's master boot record to such an extent that the only way to remove it is to run Windows Recovery Console to rewrite the sectors to a clean state, Microsoft Malware Protection Center engineer Chun Feng wrote in an advisory posted on the Threat Research and Reponse blog June 22.
The Trojan was updated recently with the driver component that makes sure the malware can never be modified by an external process, according to Feng. The component accesses the DriverStartIO routine in the device driver to execute itself.
Trojan:Win32/Popureb.E overwrites the first sector on the hard drive so that it triggers at boot time. MBR is generally invisible to both the operating system and security software. To ensure it can't easily be removed, Popureb can intercept all commands to overwrite the MBR or any other part of the hard drive where the malware is installed and replace those commands with a read command. The operation appears to succeed and no errors are thrown, but no new data is actually written to the disk. This means that if a security software attempts to remove the malware, it fails automatically because it can't overwrite the MBR or the infected sector.
Most members of this particular malware family are fake antivirus software, but this variant "might be a little more severe, Symantec said, but pointed out that this Trojan doesn't do anything that "Trojan.Tidserv doesn't already do." The company has asked Microsoft for the sample to analyze further, according to the statement.
The "Popureb" Trojan corrupts the hard drive's master boot record to such an extent that the only way to remove it is to run Windows Recovery Console to rewrite the sectors to a clean state, Microsoft Malware Protection Center engineer Chun Feng wrote in an advisory posted on the Threat Research and Reponse blog June 22.
The Trojan was updated recently with the driver component that makes sure the malware can never be modified by an external process, according to Feng. The component accesses the DriverStartIO routine in the device driver to execute itself.
Trojan:Win32/Popureb.E overwrites the first sector on the hard drive so that it triggers at boot time. MBR is generally invisible to both the operating system and security software. To ensure it can't easily be removed, Popureb can intercept all commands to overwrite the MBR or any other part of the hard drive where the malware is installed and replace those commands with a read command. The operation appears to succeed and no errors are thrown, but no new data is actually written to the disk. This means that if a security software attempts to remove the malware, it fails automatically because it can't overwrite the MBR or the infected sector.
Most members of this particular malware family are fake antivirus software, but this variant "might be a little more severe, Symantec said, but pointed out that this Trojan doesn't do anything that "Trojan.Tidserv doesn't already do." The company has asked Microsoft for the sample to analyze further, according to the statement.
RSS Feed
