Rootkit infection requires Windows reinstall, says Microsoft
http://www.computerworld.com/s/artic...?taxonomyId=85
There is a discussion about this over at dslreports. http://www.dslreports.com/forum/r260...says-Microsoft
Several feel the Microsoft approach has contradictions in it and may be an overreaction?
Looks like a good case for DBAN and doing a clean install alright.
Hope they figure out something better. :( :( :mad:
Yep, I hope so too.
--
CMRR - Secure Erase
(Better & faster than DBAN, Killdisk etc.?)
http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml
Read the enclosed .doc and .txt files
Where can you get such a nasty from? Is there a way to prevent getting it?
This nasty is a trojan. To quote McAfee:
Quote:
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
Thanks, HAN.
You're welcome. :)
Quote:
Feng provided links to MBR-fixing instructions for XP, Vista and Windows 7
Does that work? Or is a fresh install the only solution?
If your backup image includes the MBR, why would you need to do a fresh install? Restoring the image would also restore the clean MBR. Am I not understanding something?
Quote:
If your backup image includes the MBR, why would you need to do a fresh install? Restoring the image would also restore the clean MBR. Am I not understanding something?
If the imaging program overwrites the MBR with either a clean one, it should work. (Of course, the option to overwrite the infected MBR should be explicit during the restore. Some imaging programs don't make this distinction and if it's not clear that it's being replaced, I don't think the user should make the assumption it has been replaced.)
This is part of the reason I posted the link to the discussion over at dslreports. Several there felt the posting by MS was spreading at least some FUD. And to a degree, I think it is myself...
Are you sure your backup isn't infected? A good rootkit hides itself, so that the PC owner won't even suspect that it's infected.
For example, TDSS is running on a ~4.5 million (and growing) PC botnet in the U.S. alone.
The news article is misleading...
http://blogs.technet.com/b/mmpc/arch...t-instead.aspx
Rocketmech
I like this part. They even have the links.
If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.
To fix the MBR:
1. Open a Windows Recovery Console
• For Windows XP: Installing and using the Recovery Console in Windows XP
• For Windows Vista: System Recovery Options in Windows Vista
• For Windows 7: System Recovery Options in Windows 7
More over-hyped nonsense here:
http://www.bbc.co.uk/news/technology-13973805
It's become "indestructible" now :rolleyes:
Well that didn't take too long... http://hitmanpro.wordpress.com/2011/...s-popureb-e-2/
Someone bigger always comes along... :)
The rootkit is not the big deal, it's the clueless who are propagating the botnet. 4.5 million idiots? Really? :rolleyes:
It's one of the reasons that my wife has Linux on her laptop. So many of her friends get infected with every nasty that comes along, and she continually gets things sent to her from them. Having Linux gives her an added bit of safety if she should ever click on one of the nasty links that they send her.