MORE ON Trojan:Win32/Popureb: Don't write it, read it instead!

ferguj1

Super Duper Modulator
Staff member
The bootkit malware Trojan:Win32/Popureb.E has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick:

  1. It calls IoGetDeviceAttachmentBaseRef() to retrieve the bottom device object in the disk device stack, that is, the real physical disk device object.
  2. Then it hooks the DriverStartIo routine in the found device's DRIVER_OBJECT structure (see the picture below).
  3. The hooked DriverStartIo routine monitors the disk write operations: if it finds that a write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed; however, the data will never actually be written to the disk.
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".
To find out how to use your system's recovery options, refer to the following articles:

- Chun Feng
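As an added example (not code from the original post or from the MMPC write-up it quotes), the following is a user-mode C model of the DriverStartIo trick described above, together with the two checks a responder would want: does the port driver's DriverStartIo still point into the driver's own image, and does a write to sector 0 actually stick when it is read back. DRIVER_OBJECT and IRP here are simplified stand-ins named after the WDM structures, the guarded sector numbers and the sector contents are constructed for the example, and nothing in it touches a real kernel.

```c
/* Added example, not code from the original post: a user-mode model of the
 * Popureb.E DriverStartIo trick and two checks a responder can run against it.
 * DRIVER_OBJECT and IRP below are simplified stand-ins named after the WDM
 * structures; nothing here touches a real kernel. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE  512
#define NUM_SECTORS  64
#define IRP_MJ_READ  0x03
#define IRP_MJ_WRITE 0x04

static uint8_t disk[NUM_SECTORS][SECTOR_SIZE];   /* constructed backing store */

typedef struct _IRP {
    uint8_t  MajorFunction;   /* IRP_MJ_READ or IRP_MJ_WRITE */
    uint32_t Sector;          /* LBA of the single sector transferred */
    uint8_t *Buffer;          /* caller's SECTOR_SIZE-byte buffer */
    int      Status;          /* 0 stands in for STATUS_SUCCESS */
} IRP;
typedef struct _DRIVER_OBJECT DRIVER_OBJECT;
typedef void (*PDRIVER_STARTIO)(DRIVER_OBJECT *, IRP *);
struct _DRIVER_OBJECT {
    uintptr_t       DriverStart;    /* image base of the port driver */
    size_t          DriverSize;     /* image size */
    PDRIVER_STARTIO DriverStartIo;  /* the field the bootkit overwrites */
};

/* Legitimate port-driver StartIo: moves data between the IRP buffer and the disk. */
static void AtapiStartIo(DRIVER_OBJECT *drv, IRP *irp) {
    (void)drv;
    if (irp->Sector >= NUM_SECTORS) { irp->Status = -1; return; }
    if (irp->MajorFunction == IRP_MJ_WRITE)
        memcpy(disk[irp->Sector], irp->Buffer, SECTOR_SIZE);
    else
        memcpy(irp->Buffer, disk[irp->Sector], SECTOR_SIZE);
    irp->Status = 0;
}

/* Sectors the bootkit guards: the MBR plus its payload (numbers are assumed). */
static const uint32_t protected_sectors[] = { 0, 40, 41, 42 };
static PDRIVER_STARTIO OriginalStartIo;

/* The hook: a write aimed at a guarded sector is rewritten into a read before the
 * real routine runs, so the IRP completes successfully but the disk never changes. */
static void HookedStartIo(DRIVER_OBJECT *drv, IRP *irp) {
    if (irp->MajorFunction == IRP_MJ_WRITE) {
        for (size_t i = 0; i < sizeof protected_sectors / sizeof *protected_sectors; i++)
            if (irp->Sector == protected_sectors[i]) { irp->MajorFunction = IRP_MJ_READ; break; }
    }
    OriginalStartIo(drv, irp);
}

static void InstallHook(DRIVER_OBJECT *drv) {
    OriginalStartIo    = drv->DriverStartIo;
    drv->DriverStartIo = HookedStartIo;
}

/* Check 1: DriverStartIo should point inside the owning driver's image. In this model
 * the "image" is just the real routine's address, so the range is one byte; a real
 * scanner uses DriverStart/DriverSize from the DRIVER_OBJECT. Returns 1 if hooked. */
static int StartIoPointsOutsideImage(const DRIVER_OBJECT *drv) {
    uintptr_t p = (uintptr_t)drv->DriverStartIo;
    return !(p >= drv->DriverStart && p < drv->DriverStart + drv->DriverSize);
}

/* Check 2: the disk-level symptom. Write a sector, then read it back through the same
 * path; a write that reports success but does not stick is the trick above.
 * Returns 1 if the write was silently discarded. */
static int WriteSilentlyDropped(DRIVER_OBJECT *drv, uint32_t sector, const uint8_t *data) {
    uint8_t buf[SECTOR_SIZE];
    IRP irp;
    memcpy(buf, data, SECTOR_SIZE);
    irp = (IRP){ IRP_MJ_WRITE, sector, buf, 0 };
    drv->DriverStartIo(drv, &irp);
    if (irp.Status != 0) return 0;            /* an honest failure is not this trick */
    irp = (IRP){ IRP_MJ_READ, sector, buf, 0 };
    drv->DriverStartIo(drv, &irp);
    return memcmp(buf, data, SECTOR_SIZE) != 0;
}

/* Scenario: infect the model MBR, install the hook, attempt a repair, then repeat the
 * repair with the hook gone (what booting from recovery media achieves). Returns 1 when
 * both checks fire while hooked and the repair lands once the hook is absent. */
static int RunScenario(void) {
    DRIVER_OBJECT atapi = { (uintptr_t)AtapiStartIo, 1, AtapiStartIo };
    uint8_t clean_mbr[SECTOR_SIZE], evil_mbr[SECTOR_SIZE];
    memset(clean_mbr, 0xAA, SECTOR_SIZE);     /* constructed known-good MBR */
    memset(evil_mbr,  0xEE, SECTOR_SIZE);     /* constructed bootkit MBR */
    memcpy(disk[0], evil_mbr, SECTOR_SIZE);

    InstallHook(&atapi);
    int hooked   = StartIoPointsOutsideImage(&atapi);
    int dropped  = WriteSilentlyDropped(&atapi, 0, clean_mbr);  /* "fixmbr" reports success, MBR unchanged */
    int other_ok = !WriteSilentlyDropped(&atapi, 5, clean_mbr); /* unguarded sectors still writable */

    atapi.DriverStartIo = OriginalStartIo;                      /* bootkit driver not loaded */
    int fixed = !WriteSilentlyDropped(&atapi, 0, clean_mbr)
             && memcmp(disk[0], clean_mbr, SECTOR_SIZE) == 0;
    return hooked && dropped && other_ok && fixed;
}

int main(void) {
    printf("Popureb.E model: %s\n", RunScenario() ? "checks behave as described" : "unexpected");
    return 0;
}
```

The read-back check is the one that matters in practice: the hooked driver returns success for the MBR write, so a tool that only looks at the return code believes the repair worked. That is also why the advice in the post to fix the MBR from recovery media is sound: with the bootkit's driver not loaded, the hook is absent and the write lands.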
 
Will the full version of AVG (definitions updated) find this, or is there an easy way to know if you have it? Sorry for being such a spaz, but I am reading this thread and the other one on the same subject, and all I see is technical gobbledygook about what it does to hide itself.

Cheers in advance
 
This is from the other post:
Malware like Popureb overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.
 
Cheers Ferg, just made a recovery disc, should I need it later (y)

What are the system recovery options in Windows 7?

The System Recovery Options menu contains several tools, such as Startup Repair, that can help you recover Windows from a serious error. This set of tools is on your computer's hard disk and on the Windows installation disc.


  • You can also create a system repair disc that contains the System Recovery Options menu. For more information, see Create a system repair disc.
  • If you use a Tablet PC or other computer with a touchscreen, you might need to connect a keyboard and mouse in order to use Startup Repair and the other tools in the System Recovery Options menu.


The System Recovery Options menu

[video]http://res1.windows.microsoft.com/resbox/en/Windows%207/main/5/b/5bf76f6a-96d6-4624-986a-8287c65c8875/5bf76f6a-96d6-4624-986a-8287c65c8875.wmv[/video]
 