CKA Forums
CKA Uber
Posts: 30234
PostPosted: Mon Jun 27, 2011 3:56 pm

I sent the following out to my workplace just now and it is worth sharing:

Quote:
The ISO has notified us of the advent of a new malware that loads a very serious Trojan Horse variant that’s been dubbed Popureb.

Microsoft is acting to help detect this Trojan by various means and one of those means is that computers infected with this rootkit will not install Microsoft Updates.

If you come across a computer that does not allow updates to run or if you come across an anti-virus warning regarding Popureb then the protocol recommended by Microsoft is to wipe the hard drive and load a fresh operating system. There is no recommended means of successfully removing this rootkit.

http://www.pcworld.com/article/231255/r ... osoft.html


FYI: 'ISO' = Information Security Office


CKA Super Elite
Posts: 7069
PostPosted: Mon Jun 27, 2011 4:04 pm

That sounds like a nasty one. It would have been nice if they gave a little blurb on how to prevent it from infecting a system, but I know sometimes that is impossible. Short of pulling the network cable.


Forum Elite
Posts: 1017
PostPosted: Mon Jun 27, 2011 6:18 pm

I know my old Vista computer back in Canada stopped downloading & installing a few updates (not all mind you) ..... but that started a year or more ago.

My new Windows 7 system doesn't seem to have any issues.

They have no way of actually removing it?

That's a little hard to believe. Every virus or spyware consists of files on the hard drive located somewhere that can be removed, or renamed and then removed via safe mode. All one needs to do is know which files they are so they can find them. I have yet to see a virus I couldn't remove on my own. And if they copy over a system file, delete it, restart, pop your disc in and do a repair to copy over a new one.

There's all sorts of ways so long as the files are identified..... at least in my personal experience thus far.

Quote:
..... Malware like Popureb overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.

According to Feng, Popureb detects write operations aimed at the MBR -- operations designed to scrub the MBR or other disk sectors containing attack code -- and then swaps out the write operation with a read operation.

Although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed......


Yeah, I had a few viruses or spyware that anti-virus and spyware scans couldn't remove, which made me learn how to find the file myself and deal with it myself..... I got so fed up in the past having to reformat over and over again.

Quote:
..... "If customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk,".....


T'hell with that, tell me exactly what files are infected.

Added:

Though to admit, I'm not too familiar with the MBR.
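As an added illustration (not code from the thread, the PCWorld article or Microsoft), the Python below simulates the write-to-read swap the quoted passage describes and the defender's counter-check: write a known-good sector 0, read it back and compare hashes. The toy disk, the sector contents and the HookedDisk class are all constructed for the example.

```python
import hashlib

SECTOR_SIZE = 512  # an MBR occupies the first 512-byte sector (sector 0)


class Disk:
    """Constructed toy disk: a dict of sector number -> 512 bytes."""

    def __init__(self, mbr: bytes):
        assert len(mbr) == SECTOR_SIZE
        self.sectors = {0: mbr}

    def read_sector(self, n: int) -> bytes:
        return self.sectors.get(n, bytes(SECTOR_SIZE))

    def write_sector(self, n: int, data: bytes) -> bool:
        self.sectors[n] = data
        return True  # an honest write both persists and reports success


class HookedDisk(Disk):
    """Models the quoted behaviour: a write aimed at sector 0 is swapped for
    a read, so the caller is told 'success' but the MBR never changes."""

    def write_sector(self, n: int, data: bytes) -> bool:
        if n == 0:
            self.read_sector(n)  # the swapped-in read; nothing is stored
            return True          # cleaner still sees a successful write
        return super().write_sector(n, data)


def make_mbr(tag: bytes) -> bytes:
    """Constructed sector: tag, zero padding, then the 0x55AA boot signature."""
    return tag.ljust(SECTOR_SIZE - 2, b"\x00") + b"\x55\xaa"


def clean_mbr(disk: Disk, clean_image: bytes) -> dict:
    """Write a known-good MBR, then verify it by reading sector 0 back.
    A write that 'succeeded' but did not change the sector is the tell."""
    reported_ok = disk.write_sector(0, clean_image)
    expected = hashlib.sha256(clean_image).hexdigest()
    actual = hashlib.sha256(disk.read_sector(0)).hexdigest()
    return {
        "write_reported_ok": reported_ok,
        "verified": actual == expected,
        "suspect_interception": reported_ok and actual != expected,
    }


INFECTED = make_mbr(b"constructed-infected-bootcode")  # sample input
CLEAN = make_mbr(b"constructed-clean-bootcode")        # sample input
```

The read-back check is only trustworthy when run from a clean boot environment such as recovery media, because a rootkit sitting in the disk I/O path and hiding itself from the OS and security software (as the quote says) can equally shape what the read returns; that is why the quoted advice ends at a clean reinstall.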


CKA Super Elite
Posts: 7069
PostPosted: Tue Jun 28, 2011 7:53 am

Praxius wrote:
That's a little hard to believe. Every virus or spyware consists of files on the hard drive located somewhere that can be removed, or renamed and then removed via safe mode. All one needs to do is know which files they are so they can find them.


It's not that hard to believe. The reason you can remove them is because the OS is still functional. If the rootkit usurps the OS executables, you no longer have the control needed to remove them. They are in control. Kind of the definition of a 'rootkit'.

Windows has long been the subject of rootkit development. Many 'hackers' can take over your computer on a whim, without you knowing, by taking advantage of unpatched holes in the OS. The difference here is that the infection spreads by itself. The way to keep them out has always been a tiered defence, i.e. they have to get past network security and firewalls with fewer holes in them before being able to get to the OS. And the fact that they had to hack you one at a time.


CKA Uber
Posts: 13350
PostPosted: Tue Jun 28, 2011 8:17 am

Thanks for the heads up Bart.

I bet that is the one that hit me a few weeks back.

As soon as my new CD recovery set comes in the mail, this little bastard is gonna fry! :twisted:


CKA Uber
Posts: 30234
PostPosted: Tue Jun 28, 2011 12:17 pm

You're most welcome, Boot! :wink:

