

Warning, a new and nasty rootkit going around


Be sure to make your backups, Microsoft says the only way to fix this one is a reinstall.

http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft?source=CTWNLE_nlt_pm_2011-06-27

However there is a lot of discussion and some say it's fixable. Either way it's another pain.

Discussions

lemonie

8 years ago


If you're going to use lines like "Microsoft says", you need to post a link to that.
Otherwise it sounds like one of these junk e-mails that you have to tell everyone about because (someone) says it's the worst thing ever...
Doom laden things like "only way to fix this one is a reinstall" are classic junk-mail "make sure you forward this to everyone" type-stuff.

L

Vyger (replying to lemonie)

Reply 8 years ago

I did
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Popureb.E

lemonie (replying to Vyger)

Reply 8 years ago


Microsoft is not saying "the only way to fix this one is a reinstall" on that page.

L

Lithium Rain (replying to lemonie)

Reply 8 years ago

No, but they are essentially saying that (well, recovery from a recovery CD with the warning that a reinstall may be necessary - long story short, you will probably need to lose your current system and reload an earlier version, whether that means from the OS discs or a recovery backup) on this page: (http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx)

lemonie (replying to Lithium Rain)

Reply 8 years ago


That's an interesting bit of technical, thanks.
Again, Microsoft is not saying "the only way to fix this one is a reinstall" on that page, but I'm left thinking that it wouldn't fix the MBR anyway, unless the boot-device was repartitioned in the process?

L

Lithium Rain (replying to lemonie)

Reply 8 years ago

Yeah, it is a bit of hyperbole to say reinstallation is inevitable.

Fixing the mbr is indeed separate from the recovery/reinstall. It's something you do when you boot from the recovery CD - the recovery environment allows you to use fixmbr from the command line. However, I'd have to reread the article to remember if you have to fix the mbr either way, or if you only have to do that if the plain old system recovery from CD didn't work.

Kiteman

8 years ago

What's the most common way of catching this?

Will Norton keep you safe?

Lithium Rain (replying to Kiteman)

Reply 8 years ago

"Will Norton keep you safe?"

*wipes tears from eyes* Tell another!

Kiteman (replying to Lithium Rain)

Reply 8 years ago

So... what do you recommend to avoid/prevent this trojan?

Lithium Rain (replying to Kiteman)

Reply 8 years ago

Sorry - didn't mean to be rude. The idea of Norton protecting my computer from anything more threatening than one of the batch scripts the 6th graders like to write is simply genuinely funny to me, based on the ridiculous stuff it will miss on scans. Norton has burned me before (not my own computer, but a badly-infected one I had to support); I've watched it happily report no problems on obviously infected systems. I simply don't trust it anymore. Sort of the opposite of the boy who cried wolf.

I of course don't know what defense (if any) will be effective against this particular trojan, aside from not using Windows. My 6-second research efforts indicate this one's really nasty (makes sense, after all it's going after the MBR!). For antivirus software on Windows, I'm currently a big fan of Avast! free (although that's always subject to change). I personally won't use Norton, but if you've had good results I guess our anecdotal evidence cancels out. ;) And, of course, keep *any* security software updated - not just external antivirus software, but Windows Defender, Essentials, Forefront, etc.

Goodhart (replying to Lithium Rain)

Reply 8 years ago

I have been using Zone Alarm ever since Norton locked up my last computer with its BLOATWARE......I wouldn't go back if you paid me....

Kiteman (replying to Lithium Rain)

Reply 8 years ago

I have Avast on my netbook, purely because it came pre-installed.

I think I shall add it to my desk-top.

Lithium Rain (replying to Kiteman)

Reply 8 years ago

*clapclapclap* Applause for a manufacturer who distributes something other than Norton! :D

Vyger (replying to Kiteman)

Reply 8 years ago

From what I have been able to glean this is spread by clicking on attachments to email, downloaded files (probably napster and limewire) and by clicking on buttons to install things on web sites.
A person claimed that this beta program from Microsoft helps to detect it. I don't know, I haven't tried it. But it shouldn't hurt anything.

https://connect.microsoft.com/systemsweeper

I have not been able to find it mentioned on the McAfee site yet, which could mean that they are still working on it. Norton comes up blank also.

The County Library has been using McAfee and so far it has worked well. There was one workstation that had intercepted 72,000 viruses in just 3 months. The patrons click on everything and have no clue what the consequences might be.

The best current course of action seems to be: make good backups and use caution with emails and file transfers. Hopefully the white hats will figure out a way to defeat this one.

Vyger (replying to Kiteman)

Reply 8 years ago

I am not sure. Still looking.

Here is Microsoft's info on it.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Popureb.E