
Microsoft Says Reinstall Overkill In Removing Rootkit

CWmike writes "Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popureb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."
  • by jcombel ( 1557059 ) on Thursday June 30, 2011 @05:42PM (#36628146)

    MS never said to reinstall Windows in the first place; headlines on sites like Slashdot misreported it to begin with. From Slashdot's summary:

    "'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."

    The summary blurted that the recovery disc returns Windows to its factory settings, and left out how it also is the boot environment for restoring from Windows backups, which Feng was clearly talking about ("restore your system to a pre-infected state").

  • Eyeroll (Score:5, Informative)

    by goodmanj ( 234846 ) on Thursday June 30, 2011 @05:47PM (#36628206)

    MBR rootkit malware is among the most advanced of all threats.

    So advanced, it's been around for 25 years. Boot sector manipulation is like the flint arrowhead of virus tech.

    http://www.f-secure.com/v-descs/brain.shtml [f-secure.com]

  • by Skapare ( 16644 ) on Thursday June 30, 2011 @05:54PM (#36628292) Homepage

    The infection code can simply intercept all the I/O taking place and prevent the MBR from being cleaned, while also making it look like it has (by intercepting the reads, too). You need to boot from non-writable external media to be sure (non-writable just in case you accidentally boot into the hard drive, which will quickly infect any writable media). And if somehow this thing, or the next big virus/trojan, infects the BIOS by reflashing, even this is no good.
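The point made above, that a running rootkit can serve a clean-looking MBR to in-OS reads, means the sector has to be checked from outside the infected system. The following is an added example, not code from the Slashdot thread, Microsoft or any of the commenters: a small Python auditor for a raw 512-byte MBR image of the kind one would dump from the disk after booting read-only external media. It parses the partition table, checks the 0x55AA signature and partition sanity, compares the boot code against a reference hash, and diffs two views of the same sector (what the live OS returned versus what the offline boot read) region by region. The sample sectors, the "clean" boot-code bytes, the partition layout and the reference hash are all constructed for this example.

```python
"""Offline MBR audit. All sample sectors below are constructed for this example."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code
DISK_SIG_OFF = 440         # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


def build_mbr(boot_code, partitions, disk_sig=0x1234ABCD):
    """Assemble an MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", start, count)
        for bootable, ptype, start, count in partitions)
    return code + struct.pack("<IH", disk_sig, 0) + table.ljust(64, b"\x00") + BOOT_SIG


def parse_mbr(sector):
    """Split a raw sector into boot-code hash, disk signature, partitions and signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i, "status": status, "type": ptype,
                      "start": start, "end": start + count - 1})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def audit_mbr(sector, expected_boot_hash=None):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if expected_boot_hash and info["boot_code_sha256"] != expected_boot_hash:
        findings.append("boot code hash mismatch (possible MBR rootkit)")
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["start"] == 0:
            findings.append(f"partition {p['index']}: starts at LBA 0 (overlaps MBR)")
    ordered = sorted(info["partitions"], key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] <= a["end"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


def diff_views(live, offline):
    """Name the MBR regions that differ between an in-OS read and an offline read."""
    regions = {"boot_code": (0, BOOT_CODE_LEN), "disk_signature": (440, 446),
               "partition_table": (446, 510), "signature": (510, 512)}
    return [name for name, (lo, hi) in regions.items() if live[lo:hi] != offline[lo:hi]]


# Constructed samples: a standard-looking MBR prologue and a stub standing in for
# rootkit boot code that keeps the partition table intact so the machine still boots.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"
TAMPERED_BOOT_CODE = b"\xeb\xfe" + b"ROOTKIT-STUB"
PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1000000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTS)
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, PARTS)
CLEAN_BOOT_HASH = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()  # reference hash (assumed known-good)

if __name__ == "__main__":
    print("offline audit:", audit_mbr(TAMPERED_MBR, CLEAN_BOOT_HASH))
    print("live vs offline:", diff_views(CLEAN_MBR, TAMPERED_MBR))
```

The design point is that the partition table of the tampered sector is untouched, so without a reference boot-code hash the audit reports nothing; the hash comparison and the live-versus-offline diff are what expose the modified boot code, which is why both reads must come from media the rootkit cannot hook.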

