Windows 7 Microsoft's Answer to Vicious Malware

#1
Microsoft has discovered a new variant on a bootkit so malicious that Microsoft's original recommended solution was to reinstall Windows from a recovery CD.

In a recent blog post on TechNet, Chun Feng, an engineer with the Microsoft Malware Protection Center, warned that users will have to roll back Windows via a recovery CD if they are infected with what it refers to as Popureb.E, which now includes a driver component that triggers at boot time.
But Microsoft corrected itself later to note that what really needs to be done is to open a Windows Recovery Console and fix the Master Boot Record.

What remains unchanged is Popureb.E's capabilities. The malware is clever enough to identify the actual physical startup disk, and it infects an operation called DriverStartIO, according to the Microsoft blog post.

What it does there is even more ingenious. "If it finds the write operation is trying to overwrite the MBR [Master Boot Record] or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk."

In other words, antivirus software that attempts to remove the virus by overwriting the MBR will be intercepted, and the write command replaced with a read command.

Microsoft's definitions page, however, claims that its most recent malware definitions (dating to June 21) at least detect Popureb.E.
Source: http://www.pcmag.com/article2/0,2817,2387752,00.asp

As you might notice, in the full article title, Microsoft also says to "Re-install Windows", which was Microsoft's original recommendation.
Reading the full article, you will note that nowhere does it say you have to re-install Windows, although sometimes that may not be a bad idea; it is certainly short and sweet and 100% effective at ridding you of malware/viruses.
The article fully explains how to get rid of this malware, or you can use a Linux Live CD, after manually deleting the virus files that hide in the user's AppData folders.

Don
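An added example (not from the PCMag article, Microsoft, or this thread) of the defender-side check the write-to-read trick calls for: after repairing the MBR, read sector 0 back and compare, because a write that "succeeds" without changing the disk is exactly the symptom described above. The disk classes and the sample MBR are constructed stand-ins; a real tool would open the raw physical drive with administrator rights instead.

```python
import hashlib

SECTOR = 512
BOOT_CODE_LEN = 446          # boot code precedes the 4 x 16-byte partition table
MBR_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

class MemoryDisk:
    """Constructed stand-in for a raw block device (not a real driver)."""
    def __init__(self, sectors=4):
        self.buf = bytearray(sectors * SECTOR)

    def read(self, offset, length):
        return bytes(self.buf[offset:offset + length])

    def write(self, offset, data):
        self.buf[offset:offset + len(data)] = data
        return len(data)

class StaleDisk(MemoryDisk):
    """Stand-in for the symptom the article describes: an MBR write
    reports success but the sector on disk never changes."""
    def write(self, offset, data):
        if offset < SECTOR:
            return len(data)          # "succeeds", writes nothing
        return super().write(offset, data)

def mbr_checks(sector):
    """Static sanity checks on a 512-byte MBR image."""
    table = sector[BOOT_CODE_LEN:BOOT_CODE_LEN + 64]
    entries = [table[i:i + 16] for i in range(0, 64, 16)]
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "active_partitions": sum(1 for e in entries if e[0] == 0x80),
    }

def write_and_verify(disk, mbr):
    """Write a known-good MBR, then read sector 0 back and compare; True
    only if the bytes on disk now match what was written."""
    disk.write(0, mbr)
    return disk.read(0, SECTOR) == mbr

def known_good_mbr():
    """Constructed sample: inert NOP boot code, one active partition entry."""
    entry = bytes([0x80]) + b"\x00" * 15
    return b"\x90" * BOOT_CODE_LEN + entry + b"\x00" * 48 + MBR_SIGNATURE
```

Comparing `boot_code_sha256` against a hash taken from a known-clean install is the same read-back idea applied before any repair: it flags a changed boot sector without trusting the write path at all.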