
Warning, a new and nasty rootkit going around


Be sure to make your backups, Microsoft says the only way to fix this one is a reinstall.

http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft?source=CTWNLE_nlt_pm_2011-06-27

However, there is a lot of discussion and some say it's fixable. Either way it's another pain.

Discussions


If you're going to use lines like "Microsoft says", you need to post a link to that.
Otherwise it sounds like one of these junk e-mails that you have to tell everyone about because (someone) says it's the worst thing ever...
Doom laden things like "only way to fix this one is a reinstall" are classic junk-mail "make sure you forward this to everyone" type-stuff.


I did
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Popureb.E


Microsoft is not saying "the only way to fix this one is a reinstall" on that page.


No, but they are essentially saying that (well, recovery from a recovery CD with the warning that a reinstall may be necessary - long story short, you will probably need to lose your current system and reload an earlier version, whether that means from the OS discs or a recovery backup) on this page: http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx


That's an interesting bit of technical, thanks.
Again, Microsoft is not saying "the only way to fix this one is a reinstall" on that page, but I'm left thinking that it wouldn't fix the MBR anyway, unless the boot-device was repartitioned in the process?


Yeah, it is a bit of hyperbole to say reinstallation is inevitable.

Fixing the mbr is indeed separate from the recovery/reinstall. It's something you do when you boot from the recovery CD - the recovery environment allows you to use fixmbr from the command line. However, I'd have to reread the article to remember if you have to fix the mbr either way, or if you only have to do that if the plain old system recovery from CD didn't work.
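The post above treats the MBR as something separate from the Windows installation that can be repaired (or, from a defender's point of view, checked) on its own. The following is an added example, not code from the thread or from Microsoft: it parses a 512-byte MBR image (bootstrap code, disk signature, partition table, 0x55AA boot signature) and compares it against a known-good backup so that a change to the bootstrap code, the region an MBR rootkit rewrites, shows up as a finding. The sample images are constructed in the script; the layout offsets are the standard MBR layout, and nothing here reads a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bootstrap code occupies bytes 0..439
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature at 440..443
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootcode_fill: int) -> bytes:
    """Construct a sample MBR image (constructed test data, not a real disk).

    The bootstrap region is filled with one repeated byte so that two images
    built with different fills differ only in their bootstrap code.
    """
    bootcode = bytes([bootcode_fill]) * BOOTCODE_LEN
    disk_sig = struct.pack("<I", 0xDEADBEEF)   # constructed disk signature
    reserved = b"\x00\x00"
    # One active (0x80) NTFS-type (0x07) partition at LBA 2048, 1,000,000 sectors.
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    table = entry + b"\x00" * 48              # remaining three entries empty
    return bootcode + disk_sig + reserved + table + BOOT_SIGNATURE


def parse_mbr(image: bytes) -> dict:
    """Split an MBR image into the regions a defender wants to compare."""
    if len(image) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if image[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FMT, image[off:off + 16])
        if ptype != 0:                        # type 0 means an unused entry
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba,
                "sectors": count,
            })
    return {
        "bootcode_sha256": hashlib.sha256(image[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", image[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": partitions,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> list[str]:
    """Return a list of regions where `current` differs from a known-good backup.

    An empty list means the MBR matches the baseline. A changed bootstrap hash
    with an unchanged partition table is the pattern to treat as suspicious.
    """
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["bootcode_sha256"] != base["bootcode_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature differs")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr(0x90)       # the backup taken on a clean system
    modified = build_sample_mbr(0xCC)   # same disk, bootstrap code rewritten
    print("clean vs clean:", compare_to_baseline(good, good))
    print("modified vs clean:", compare_to_baseline(modified, good))
```

In practice the "baseline" would be a copy of the first sector saved while the machine was known to be clean, which is exactly the kind of backup the thread keeps recommending; comparing against it is a far more reliable check than trusting an antivirus verdict, since a changed bootstrap region with an untouched partition table is not something a legitimate update normally produces.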


I've seen plenty of warnings like this over the last 15 years, including the parodies...


What's the most common way of catching this?

Will Norton keep you safe?

"Will Norton keep you safe?"

*wipes tears from eyes* Tell another!

So... what do you recommend to avoid/prevent this trojan?

Sorry - didn't mean to be rude. The idea of Norton protecting my computer from anything more threatening than one of the batch scripts the 6th graders like to write is simply genuinely funny to me, based on the ridiculous stuff it will miss on scans. Norton has burned me before (not my own computer, but a badly-infected one I had to support); I've watched it happily report no problems on obviously infected systems. I simply don't trust it anymore. Sort of the opposite of the boy who cried wolf.

I of course don't know what defense (if any) will be effective against this particular trojan, aside from not using Windows. My 6-second research efforts indicate this one's really nasty (makes sense, after all it's going after the MBR!). For antivirus software on Windows, I'm currently a big fan of Avast! free (although that's always subject to change). I personally won't use Norton, but if you've had good results I guess our anecdotal evidence cancels out. ;) And, of course, keep *any* security software updated - not just external antivirus software, but Windows Defender, Essentials, Forefront, etc.

I have been using Zone Alarm ever since Norton locked up my last computer with its BLOATWARE......I wouldn't go back if you paid me....

I have Avast on my netbook, purely because it came pre-installed.

I think I shall add it to my desk-top.

*clapclapclap* Applause for a manufacturer who distributes something other than Norton! :D

From what I have been able to glean this is spread by clicking on attachments to email, downloaded files (probably napster and limewire) and by clicking on buttons to install things on web sites.
A person claimed that this beta program from Microsoft helps to detect it. I don't know, I haven't tried it, but it shouldn't hurt anything.

https://connect.microsoft.com/systemsweeper

I have not been able to find it mentioned on the McAfee site yet, which could mean that they are still working on it. Norton comes up blank also.

The County Library has been using McAfee and so far it has worked well. There was one workstation that had intercepted 72,000 viruses in just 3 months. The patrons click on everything and have no clue what the consequences might be.

The best current course of action seems to be: make good backups and use caution with emails and file transfers. Hopefully the white hats will figure out a way to defeat this one.

I am not sure. Still looking.

Here is Microsoft's info on it.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Popureb.E