September 28, 2016

Popureb.E Rootkit Stops MBR From Being Restored

The Microsoft Malware Protection Center has posted a blog about a variant of the Win32/Popureb.B Trojan tagged Popureb.E which has a driver to protect its malicious MBR and other data it stored on disk from being changed.

The result of these changes is that if your system becomes infected the MBR will need to be fixed from the System Recovery Console with the “fixmbr” command. Then the PC needs to be restored to a pre-infected state using the a recovery CD.

The way Popureb.E protects itself on the MBR is by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk.

To find out how to use your system’s recovery options, please read the following Microsoft articles: