Microsoft Says Reinstall Overkill In Removing Rootkit
CWmike writes "Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popureb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."
MS never said to re-install Windows in the first place; headlines on sites like Slashdot mis-reported it to begin with. From Slashdot's summary:
"'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."
The summary blurted that the recovery disc returns Windows to its factory settings, and left out how it also is the boot environment for restoring from Windows backups, which Feng was clearly talking about ("restore your system to a pre-infected state").
So advanced, it's been around for 25 years. Boot sector manipulation is like the flint arrowhead of virus tech.
http://www.f-secure.com/v-descs/brain.shtml
The infection code can simply intercept all the I/O taking place and prevent the MBR from being cleaned, while also making it look like it has (by intercepting the reads, too). You need to boot from non-writable external media to be sure (non-writable just in case you accidentally boot into the hard drive, which will quickly infect any writable media). And if somehow this thing, or the next big virus/trojan, infects the BIOS by reflashing, even this is no good.
Now we need to go OSS in diesel cars.
I'll answer that...don't load the taskbar with always running crapola, don't use IE, have a decent AV like Avast Free that doesn't suck resources like a Bangkok whore sucking Japanese businessmen, and finally and most importantly use a decent tool to keep the registry cleaned of leftover third party cruft.
I recommend TuneUp Utilities, as it has some excellent features like Turbo mode for gaming, a process monitor that will keep a program from slamming your CPU to 100% and making the machine unresponsive, and unless you tell it not to, its one-click maintenance will run silently once every three days to clean the cruft and ensure the health of the machine, such as checking for fragmentation. That said, if you balk at paying a whole $30 for a program that takes all the work out of it, there is WinUtilities Free or Glary Utilities, but neither of those is full featured or automatic, as automatic cleaning is only for those that buy the pro versions, which if you are gonna pay, TuneUp IMHO has the better tools.
So there you go. Follow the above along with keeping your machine updated with WU and you're good to go, your Windows PC will remain clean and fresh smelling and will NOT need any annual reinstalls.
That said, if a machine is completely pwned like TFA, nuking from orbit is the ONLY way to be sure, but I've found if you follow the above (both Avast Free and Comodo IS Free have JavaScript scan before load and sandboxing, so either choice will work. I prefer Avast as it's less fiddly than Comodo and I like not having to fiddle) and have a decent AV like Avast or Comodo, only the most herp derp PEBKAC bullshit will cause you to get infected.
I have had exactly ONE customer get infected after following the above (and I ended up having to tell him to take his business elsewhere as he refused to listen and became belligerent) and that was because he (1) first tried to disable the AV and then when he couldn't he (2) uninstalled the AV, all so he could get the "new Limewire" which I had already told him was nothing but a Trojan package. Well, he got it alright, more than 70 infections. He actually had the balls to get mad and try to demand a free repair because he said the AV must be defective since it wouldn't let him install Limewire. Finally I said "Look dumbass, you tried to install A VIRUS. The whole POINT of an AV is to keep viruses OFF the PC, not let them on because you like the name of the virus, moron."
So a little common sense and the above instructions will keep your PC running for the life of the machine. The only work I have to do on those that follow my instructions above is the occasional hardware upgrade and I have several that have been running in the field for over 7 years, same install.
ACs don't waste your time replying, your posts are never seen by me.