Windows RootKit that requires re-install

Aside from the assumption that if you have this malware you have others, too, why reinstall?

Why not boot Linux from a CD or write-protected flash drive and fix the MBR from there?


Want to ask the best questions? Read Eric S. Raymond's essay "How To Ask Questions The Smart Way". TANSTAAFL!
 
Nobody provides a description of the symptoms when you have this rootkit AND/OR how you know you've got it?!
 
It appears that this was in reference to the Trojan:Win32/Popureb.E

Here is a link to an updated article, where apparently MS is at least partially reversing their initial position on reformatting.

Here is another blog entry from one of their people.

Lastly, here is the slashdot reference.
 
Didn't anyone mention something like a BartPE CD with Mcafee plug-in that should be able to look at the MBR and identify the infection?

Or are they just giving the simple advice (reload or fix MBR) to non-technical users as an over-simplified solution?
 
Or are they just giving the simple advice (reload or fix MBR) to non-technical users as an over-simplified solution?

I think you may be right. I think that the actual advice was to replace / repair the MBR and then restore the system to a pre-infection state. IIRC, there was a comment about using system restore or something like that returning the system to the initial state.

The big difficulty, as I see it, is that for the average user, finding a means of starting the system without using the MBR could be tricky. This malware takes advantage of the fact that most systems have a "restore" partition rather than bootable write-only media. Unless the access of the restore is before the MBR, it will be impossible to restore it.

In my opinion, writing to the MBR definitely falls into the "root level" compromise category. With any root level compromise, it is impossible to guarantee that you have cleaned the system and removed the infection. Consequently, a restore to a pre-infection state that completely overwrites the system is necessary.
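The post above argues that an MBR write is a root-level compromise and that the only safe answer is a full restore. The thread also raises the idea of booting from clean media and inspecting the MBR to identify the infection. The following Python script is an added example, not code from any poster on this thread or from Microsoft: it reads a 512-byte MBR image that was captured from clean boot media, parses the partition table, checks the 0x55AA boot signature, and compares a SHA-256 of the 440-byte bootstrap area against a known-good hash recorded before infection. The sample MBR bytes, the baseline hash and the file path are constructed for the demonstration; on a real system the image would be the first 512 bytes of the disk device, and the baseline would have to come from a backup taken while the machine was still trusted.

```python
"""Offline MBR integrity check: parse a 512-byte MBR image and compare its
boot code with a known-good baseline hash (added example, synthetic data)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the bootstrap code
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"
PART_FMT = "<BBBBBBBBII"   # status, CHS start(3), type, CHS end(3), LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR for the demo (NOT a real disk image)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # bytes 440..445
    # one active (0x80) partition of type 0x07 starting at LBA 2048
    entry = struct.pack(PART_FMT, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 0x100000)
    table = entry + b"\x00" * (16 * 3)
    return code + disk_sig + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Return boot-signature status, boot-code hash and the partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        fields = struct.unpack(PART_FMT, mbr[off:off + 16])
        status, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:          # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """List integrity findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings


def read_mbr(path: str) -> bytes:
    """Read the first 512 bytes of a disk image or block device (run from clean boot media)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed sample data: a "clean" MBR, its baseline hash, and a copy whose
# bootstrap code has been altered.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"
CLEAN_MBR = build_sample_mbr(CLEAN_CODE)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + CLEAN_CODE[2:])

if __name__ == "__main__":
    # Hypothetical path; on a real check this would be a device node such as /dev/sda.
    for label, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(image, BASELINE_SHA256)
        print(label, "->", result or "OK")
```

The check only tells you that the bootstrap area changed, not what changed it, and it cannot see anything the malware may have placed elsewhere on the disk; that limitation is exactly the point the post above makes about not being able to prove a root-level compromise is fully cleaned.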
 
But booting from some other type of bootable device is enough to allow full removal, right?!
 
Theoretically, I guess so. But if they had access to the MBR what other presents did they hide?
 
I don't know, but I guess I'm not as worried about wiping out other stuff as long as the MBR is clean.
 