In a recent blog post on TechNet, Chun Feng, an engineer with the Microsoft Malware Protection Center, warned users that the "bootkit malware "Trojan:Win32/Popureb.E" has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed,"
The driver component protects the data in an unusual way - by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys).
Feng advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state, if your system is infected with Trojan:Win32/Popureb.E.
To fix the MBR:
- Open a Windows Recovery Console
- For Windows XP: Installing and using the Recovery Console in Windows XP
- For Windows Vista: System Recovery Options in Windows Vista
- For Windows 7: System Recovery Options in Windows 7
- Use the tool BOOTREC.exe to fix the MBR as in: bootrec.exe /fixmbr
More information about using the tool BOOTREC.exe available here.
- Restart the computer and you can then scan the system to remove any remaining malware.
If you opt to use Windows Restore to remove the malware instead, you must still fix the MBR first, and then restore the system.
Symante's Vikram Thakur added, existing Symantec tools will fix the problem.
"We have found that it is not necessary to reimage a machine in order to repair," Thakur wrote. "Symantec detects this threat and Norton customers can use Norton Bootable Recovery Tool (NBRT) to boot up and NBRT will clean their computers. The helps fix computers infected with threats that embed themselves deeply into the computer's operating system. It helps restore the computer to normal working order."
You can download NBRT here.