1 Reply Latest reply on Jul 1, 2011 2:20 PM by Hayton

    Microsoft warning on popureb trojan

    Hayton

      This trojan is known to McAfee as "Generic BackDoor!dhm!0612A7FD9392" (see the Threat Database entry HERE)


      According to McAfee it can be cleaned from your system if you have the latest DAT update (6391).


      However, Microsoft have issued a warning (see this Microsoft blog entry) that this trojan can install a rootkit, which may require you to run a tool to fix the MBR (Master Boot Record) before you can get rid of the infection from your system.


      Some early reports stated that it would be necessary to reformat your hard disk and completely reinstall Windows. This may not now be required -

      Update 6/28/2011:
      A clarification was made to the blog content concerning remediation efforts for the malware mentioned.


      But until someone with this trojan posts a report or request for help we won't know if that is still the case.

        • 1. Re: Microsoft warning on popureb trojan
          Hayton

          Microsoft clarifies MBR rootkit removal advice


          There is a follow-up to the above post. While some malware researchers believe that it may be possible to remove this rootkit infection by overwriting the MBR and then running an AV scan, one researcher at least is not so sure. And Microsoft have changed their earlier position slightly.

          Joe Stewart, director of malware research at Dell SecureWorks, said that reinstalling Windows was the only way to ensure that MBR rootkits and the additional malware they install are completely removed.

          "Once you're infected, the best advice is to [reinstall] Windows and start over," said Stewart. "[MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position."

          Marco Giuliani, the Webroot threat research analyst who published his own analysis of Popureb, cautioned that users may end up having to reinstall Windows after all.

          "What is really a nightmare is that [Popureb] looks like it has bugs and sometimes it hangs the system during the reboot stage," Giuliani wrote on the Webroot blog. "This could become a problem that would require you to perform a full system reinstall."

          In a follow-up statement today, Microsoft seemed to acknowledge that users could encounter problems with the MMPC advice, and may need to restore their PC from a recent backup.

          "Microsoft recommends that customers whose systems are infected with Trojan:Win32/Popureb.E, contact Microsoft PCSafety, who can help them identify and remove malware from their systems," said Jerry Bryant, general manager with Microsoft's Trustworthy Computing group, in an e-mailed statement. "While using the recovery console to address Master Boot Record (MBR) issues is not designed to affect personal files, we continue to recommend customers practice reasonable back-up processes."


          Message was edited by: Hayton on 01/07/11 20:20:18 IST
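Both posts above turn on one question: has the MBR been tampered with, and was it actually restored after the "fix the MBR, then scan" step? The following is an added example, not code from the original thread, from McAfee or from Microsoft. It parses a 512-byte MBR sector (boot code, disk signature, the four partition entries and the 0x55AA boot signature) and compares the boot code against a baseline hash recorded from a known-clean system. All sample data is constructed here: the placeholder boot code is not real Windows MBR code and is not a Popureb sample, and the baseline hash, the "hooked" variant and the partition layout are assumptions made only to exercise the check.

```python
"""Parse a 512-byte MBR sector and compare its boot code to a known-good hash.

Added example. The sector contents below are CONSTRUCTED test data, not a real
Windows MBR and not a Popureb sample.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot code
DISK_SIG_OFFSET = 440        # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA" # last two bytes of a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields kept opaque)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into its fields and hash the boot-code region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    disk_sig = struct.unpack("<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0]
    entries = []
    for i in range(4):
        start = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        entries.append(parse_partition_entry(sector[start:start + PART_ENTRY_LEN]))
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": [e for e in entries if e["type"] != 0],  # drop empty slots
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, known_good_hash: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_hash:
        # A bootkit that hooks the MBR replaces or patches this region.
        findings.append("boot code differs from known-good baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"  # assumed signature
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_sig + table + BOOT_SIGNATURE


# Placeholder stub standing in for real boot code (NOT genuine Windows MBR code).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
# In practice the baseline is recorded from a known-clean install of the same
# Windows version; here it is simply taken from the constructed clean sector.
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Simulated tampering: an inserted jump ahead of the original code.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOT_CODE)


if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, parse_mbr(sector)["partitions"], check_mbr(sector, BASELINE_HASH))
```

On a live system the sector would be read from the raw disk device rather than constructed, and the baseline hash would be captured before any suspicion of infection. A matching hash after the MBR has been rewritten confirms only that the boot code is back to the baseline; it says nothing about the extra malware the posts above warn the rootkit downloads, so the AV scan (or a reinstall) still has to follow.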