
MORE ON Trojan:Win32/Popureb,Don't write it, read it instead!

ferguj1

Super Duper Modulator
Staff member
The bootkit malware Trojan:Win32/Popureb.E has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick:

  1. It calls IoGetDeviceAttachmentBaseRef() to retrieve the bottom device object in the disk device stack, that is, the real physical disk device object.
  2. Then it hooks the DriverStartIo routine in the found device's DRIVER_OBJECT structure (see the picture below).
    [picture: the hooked DriverStartIo pointer in the disk device's DRIVER_OBJECT]
  3. The hooked DriverStartIo routine monitors the disk write operations: if it finds that a write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed; however, the data will never actually be written onto the disk.
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".
To find out how to use your system's recovery options, refer to the following articles:

- Chun Feng
 
Will the full version of AVG (definitions updated) find this, or is there an easy way to know if you have it? Sorry for being such a spaz, but I am reading this thread and the other one on the same subject, and all I see is gobbledygook of a technical nature about what it does to hide itself.

Cheers in advance
 
This is from the other post:
Malware like Popureb overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.
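As an added example (not from the blog post or anyone in this thread): a small offline MBR integrity check in Python that parses sector 0 and compares its boot-code region against a trusted SHA-256 baseline, which is one way to confirm that a "fixmbr" repair actually took effect. The two 512-byte MBRs below are constructed stand-ins and the baseline digest is assumed to have been recorded from a known-clean system; since the driver hook described above only redirects writes, reading sector 0 still shows what is on disk, but the repair itself should be verified from recovery media rather than from inside the infected OS.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bootstrap code occupies bytes 0..445 of sector 0
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(sector0: bytes) -> dict:
    """Split sector 0 into boot code, partition entries and signature."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector0, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector0[:BOOT_CODE_LEN],
            "partitions": entries,
            "signature_ok": sector0[510:512] == BOOT_SIGNATURE}

def boot_code_digest(sector0: bytes) -> str:
    """SHA-256 of the loader code only; the partition table may legitimately change."""
    return hashlib.sha256(parse_mbr(sector0)["boot_code"]).hexdigest()

def check_mbr(sector0: bytes, baseline_digest: str) -> list:
    """Return findings; an empty list means sector 0 matches the trusted baseline."""
    mbr = parse_mbr(sector0)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_digest(sector0) != baseline_digest:
        findings.append("boot code differs from baseline")
    return findings

def _make_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR: given loader bytes plus one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    part1 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 409600)
    return code + part1 + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed samples (not real loaders): a "clean" MBR and one whose code was replaced.
CLEAN_MBR = _make_mbr(b"\xfa\x33\xc0\x8e\xd0")
TAMPERED_MBR = _make_mbr(b"\xeb\xfe" + b"\x90" * 10)
BASELINE = boot_code_digest(CLEAN_MBR)  # assumed recorded from a known-clean system
```

On a live Windows system sector 0 would be read from the physical drive handle with administrator rights, or from a raw disk image taken while booted from the recovery disc.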
 
Cheers Ferg, just made a recovery disc should I need it later 👍

What are the system recovery options in Windows 7? The System Recovery Options menu contains several tools, such as Startup Repair, that can help you recover Windows from a serious error. This set of tools is on your computer's hard disk and on the Windows installation disc.


  • You can also create a system repair disc that contains the System Recovery Options menu. For more information, see Create a system repair disc.
  • If you use a Tablet PC or other computer with a touchscreen, you might need to connect a keyboard and mouse in order to use Startup Repair and the other tools in the System Recovery Options menu.


[image: The System Recovery Options menu]
 