Popureb malware can destroy a system install

A rather new, and nasty Trojan nicknamed Popureb looks to be incredibly dangerous, forcing users to wipe their operating system to remove it completely.

Microsoft have issued a warning saying that there is only one way to be sure that it is gone – to wipe all harddrives in a system. Yes, a dreaded clean reinstall. We have read that one user who was infected had to wipe all drives in this system as it was able to pass over an additional file to another non-boot drive in the system before being purged completely.

The latest version Trojan:Win32/Popureb.E has now added a deadly driver component that prevents malicious data from being changed, Microsoft have said in an alert this week.

Popureb holds data in the hard drive master boot record (MBR), a very important sector where code is stored to bootstrap the OS itself. It means it is basically invisible to the operating system, and security software.

Chun Feng, an engineer with the Microsoft Malware Protection Center said “The driver component protects the data in an unusual way, If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk.”

So far it seems impossible to remove, according to Feng and Microsoft are advised that if people are infected they will need to wipe their operatnig systems and restore Windows from a DVD.

“If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called ‘fixmbr’.”

Kitguru says: This is seriously bad news and we hope it gets caught soon and stopped from mainstream circulation.

Become a Patron!