Microsoft has discovered a new variant on a bootkit so malicious that Microsoft's original recommended solution was to reinstall Windows from a recovery CD.
In a recent blog post on TechNet, Chun Feng, an engineer with the Microsoft Malware Protection Center, warned that users will have to roll back Windows via a recovery CD if they are infected with what it refers to as Popureb.E, which now includes a driver component that triggers at boot time.
But Microsoft corrected itself later to note that what really needs to be done is to open a Windows Recovery Console and fix the Master Boot Record.
What remains unchanged is Popureb.E's capabilities. The malware is clever enough to identify the actual physical startup disk, and it infects an operation called DriverStartIO, according to the Microsoft blog post.
What it does there is even more ingenious. "If it finds the write operation is trying to overwrite the MBR [Master Boot Record] or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk.
In other words, antivirus software that attempts to remove the virus be overwriting the MBR will be intercepted, and the write command replaced with a read command.
Microsoft's definitions page, however, claims that its most recent malware definitions (dating to June 21) at least detect Popureb.E.
