On 29 June 2011, Microsoft clarified its stance on the advice it had given to users of Windows computers infected by a new kind of rootkit, malware known to embed itself in the boot sector of the hard drive.
Many researchers who deal with internet security agreed with Microsoft's advice; however, a notable botnet expert expressed doubt about it.
A few days earlier, the Microsoft Malware Protection Center (MMPC) had identified a new Trojan called Popureb and stated in its report that the easiest way to get rid of it is to use a recovery disc.
According to him, the recovery disc returns Windows to its factory settings; Microsoft therefore asked users to reinstall Windows on their PCs to clean them up.
Microsoft's advice closely resembled the advice it had given over a year earlier, when another Trojan hit its operating system.
To clarify Microsoft's advice, Chun Feng, an engineer at the MMPC, wrote on his blog on Wednesday: “If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state.”
The engineer also provided links to instructions for recovering Windows XP, Windows 7 and Vista.
Feng added that once Windows users have restored the MBR, they can run any antivirus on the system for extra protection.
The Popureb rootkit is not only difficult to detect but even harder to get rid of once it is on the system. It is extremely difficult to identify because it overwrites the hard drive's MBR and hides itself there, which makes its presence hard to discover. In addition, it conceals any other malware that attacks the system in the MBR in the same way, so that the infection becomes invisible not only to the OS but to security software as well.
According to researchers, Popureb is one of the biggest current threats to Windows. Many security software firms have also spoken out against Microsoft's advice.
Vikram Thakur, principal security response manager at Symantec, said in an interview: “Reinstalling is definitely overkill for this malware problem. It can be resolved simply by fixing the MBR via an external disk.”
Symantec also offered users a tool named “Norton Bootable Discovery Tool” that can help Windows users.
The tool works as follows: the free download creates a boot disc that starts the PC without accessing the hard drive, so it runs without loading the infected MBR. Once the Windows machine has booted from the recovery disc, the tool downloads new malware signatures, the digital “fingerprints” that antivirus software uses to detect threats; it then identifies the malware and cleans up the MBR.
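As an added illustration of why booting from clean media matters (this is example code written for this article, not code from Microsoft or Symantec): the MBR can only be inspected reliably when it is read as raw bytes from outside the possibly compromised OS. The Python below parses a 512-byte MBR image and compares its bootstrap code against a known-good hash; the sample sectors, the partition entry and the baseline hash are all constructed for the example.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code area, offsets 0..439
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries
SIGNATURE_OFFSET = 510        # 0x55 0xAA boot signature

def parse_mbr(mbr: bytes) -> dict:
    """Parse a raw 512-byte MBR sector into a bootstrap-code hash,
    the non-empty partition entries and the boot-signature status."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[SIGNATURE_OFFSET:] == b"\x55\xaa",
    }

def check_mbr(mbr: bytes, baseline_boot_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings

def _build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (not a real disk image): the given boot code,
    a disk signature, one bootable NTFS-type partition and the 0x55AA tag."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\xde\xad\xbe\xef" + b"\x00\x00"
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"

CLEAN_MBR = _build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()  # recorded when clean
# Constructed "infected" copy: the bootstrap area is overwritten while the
# partition table and signature stay intact, so the disk still boots normally.
INFECTED_MBR = b"\xeb\x3c" * 8 + CLEAN_MBR[16:]
```

On a real machine the 512-byte input would come from reading the first sector of the disk while booted from separate, trusted media, and the baseline hash from a known-good image of the same system.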