There is a new rootkit trojan called “Popureb” that Microsoft says will require you to reinstall your operating system to completely remove this rootkit.
[Update: Microsoft now advises using the Windows Recovery Console, however many security experts still advise a complete re-install for a rootkit removal]
“If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,” – Chun Feng, Engineer, Microsoft Malware Protection Center.
Why do I have to reinstall?
Rootkits are bad. They actually replace fundamental and critical files in your operating system with copies. The copies will have the same name and function, just with a little extra code included to do their dirty work. Many antivirus programs can detect them (make sure your virus definitions are kept up-to-date!), but because the original file is now gone, you need to put the original file back. This means copying it back from the installation CD or your Windows CD/DVD. It’s not going to be as easy as running a scan and clicking “yes” to clean infected files.
Here are some details on what is going on, based on Mr Feng’s quote above:
What is “MBR” and “Recovery CD”?
MBR – the MBR is the Master Boot Record. Think of the MBR as the starting point on your hard disk. When you turn on your computer everything else comes after the MBR. The problem is that Popureb overwrites this MBR with its own code – thereby perfectly hiding itself from anything else that follows.
Recovery CD – A Recovery CD/DVD is a disk that will return your computer to factory settings. Most computers these days do not come with any included disks. Instead you must create the disks from the computer. Based on my experience I can tell you that most people never burn these disks, even though they are prompted to do so for the first few weeks after purchasing their computer (have you?). We do this automatically for our clients and if you haven’t done one DO IT NOW – although if you already have a rootkit trojan it is too late: you’ll copy the trojan onto the Recovery CD. If this is the case your only option now is to obtain replacement recovery CDs directly from the manufacturer.
How to know if you have a Rootkit
It can be difficult to know you have a Rootkit Trojan, since the whole point of putting it there is to hide it from you. What you may notice though is overall slowness of your system. You may also detect slowness when accessing the Internet, due to increased traffic coming to and from your computer. You may also see popups on your desktop, or notice software failures or software not working like it used to. Most virus protection programs will search for rootkits and some have rootkit removal features built in.
If you want to dig deeper and have some technical experience on the “back end” of computers and operating systems, here are some of the preliminary evaluation steps you might take. However, if you suspect you have a rootkit trojan then it’s probably best to skip right to the removal steps.
- Run “netstat -an” from a Windows command prompt and look for connections to external points that don’t match what you would expect.
- Use the Windows Task Manager Performance tab: are you using more memory or CPU power than you should be?
- Use the Windows Task Manager Networking tab: is there more traffic than you expect?
- Use the Windows Task Manager Processes tab: is there anything unusual or unrecognized there?
How to remove a Rootkit Trojan
Rootkit Trojans are especially difficult to detect, since they have full control and, even if detected by an antivirus program, can be cumbersome to remove. Often a rebuild is required just to be absolutely sure your rootkit is gone.
Here are the steps to take:
- Backup files, pictures, music, databases, everything
- Backup Outlook, Thunderbird, or whatever you are using for email. Copy the whole folder where your Outlook pst file is stored.
- Backup your browser favorites or bookmarks
- Make sure to include your Desktop as part of your backup
- Gather disks and licenses for all software installed.
- If you don’t know the licenses, try a utility like Keyfinder to retrieve the licenses you have.
- Once you have disks and licenses and are sure you have everything from your computer that you need, put in your Recovery CD and reboot.
- Once recovery is complete, reinstall all your programs, then copy back all your data and other files.
Yes, Rootkits are a pain and removing a rootkit using this process may take you 3-4 hours or more to complete, however it must be done in order to eliminate this major security breach.
Have you had to deal with and/or remove a Rootkit Trojan? Tell us your experiences.