Feeds

back to article MS advises drastic measures to fight hellish Trojan

Microsoft is advising users to roll-back Windows if they happen to be unfortunate enough to get hit by a particularly vicious rootkit. The Popureb Trojan sticks its tendrils so deep into the operating system that the best option is to nuke from orbit return machines to their pre-infected state and change the Master Boot Record. …

COMMENTS

This topic is closed for new posts.

Page:

Facepalm

Shome mishtake shurely?

s/book/boot/g

2
0
FAIL

Master Book Record?

Erm...

1
0
Bronze badge

Master Boot Record

Fixing the master boot record and then re-installing Windows would not necessarily erase all data on the computer, although with a fresh registry you would have to re-install all applications. If data files are also lost, which could well happen in some cases, that would be because of limitations of the recovery CD that came with the computer.

5
0
Stop

Sometimes ...

Quote from Technet

"Note: Care must be used since certain viruses overwrite the sector between the MBR and the boot sector, redirecting boot to a secondary location. If this has occurred, replacing the MBR can cause permanent loss of the partition information. When unable to boot from a drive always use a virus scanner prior to using the FixMBR command."

0
1

"Use a recovery CD to restore your system to a pre-infected state"

You're correct, but MS are clearly advocating scorched earth policy here.

All recovery CD/DVD/partitions offer a blitz and reinstall, a few offer "repair". If the infection is as bad as it sounds, then fixmbr and blitz would work, while repair certainly wouldn't.

And kudos to the Windows security model once again. Slow clap.

6
0
FAIL

Do you know why they say this?

If you are going to quote a source , you have to understand why they say this. Just throwing crap out there isn't going to help anyone.

Microsoft won't bash 3rd party developers and some 3rd party partitioning software didn't really partition the drives correctly and would store info in the MBR as a work around. GoBack a horrible backup system would also write info to the MBR.

Since you cannot tell either one of these are on the computer from a recovery console and if you overwrite the MBR you will screw up your hard drive, that is why they have that warning. If cannot boot and need the data and are scared to run the MBR then just put the hard drive as a slave in another computer and pull the data.

Just because you see something written down doesn't mean you understand what it is saying. Maybe if you aren't sure you shouldn't post.

2
1
Unhappy

Come on

It's really hard for a tech website to maintain it's credibility when it's journo's don't even know what the MBR is.

Hint: It's what'll be used to kick you out the door.

4
0
Silver badge
Boffin

LInux to the rescue

If the user's data wasn't properly backed up in such a situation I'd reach for a Linux rescue CD such as RIP (Recovery Is Possible) Linux.

Boot. Mount the NTFS partitions readonly. Connect to a network share or plug in a USB drive. Copy the user's files. Finally nuke the disk by writing /dev/zero to the whole shebang, MBR and all before doing a Windows reinstall or restoring a disk image.

However devious a root kit, it can pose absolutely no threat to a Linux-based rescue system resident in RAM, because nothing on the compromised disk ever gets executed by the rescue system.

3
1
Black Helicopters

Cough

"However devious a root kit, it can pose absolutely no threat to a Linux-based rescue system resident in RAM"

You should look at what you can store in the Flash-able ROM's of network cards these days, which have read/write access over the PCI bus to everywhere...

0
0
FAIL

Erm...

A Master Book Record? Can I get one from the library?

2
0
Anonymous Coward

Only if you can get past

the MCP.

0
0

wot no recover

replacing the mbr is not that redical surely?

0
0
Boffin

Hmmm, let me think

Who to believe on this one? Numbnuts commentard or the OS author?

Answers on a postcard to the usual address.

3
1
Joke

Ah, the Master Book Record

Clearly the most important book/record of 'em all! (Delete as appropriate for local book/vinyl preferences)

1
0
LDS
Silver badge

Master *Book* Record?

Guess spell checker got in the way...

0
0

This post has been deleted by a moderator

Holmes

Don't worry John

I'm sure the readers of the site will not point and laugh at the number of references to your Master Book Record.

After all, the we're known for our sympathetic outlook at people making mistakes

....

Oh

1
0
(Written by Reg staff)

Re: Don't worry John

Fixed now.

It's truly staggering how much lollage you lot get out of typos. It's like jingling keys in front of a baby...

20
0

This post has been deleted by a moderator

This post has been deleted by a moderator

Happy

keys, what keys

I heard keys? Where? Where?

4
0
Bronze badge

Got a backup?

If you have a back up of a clean MBR then you should be able to use that, and also restore the Windows partiition to a previous clean state. A Linux live CD with partimage provided will do it, for instance - although partimage didn't seem to be getting updated when I looked !ast. Fiddly, too.

I wonder what happens if you've got GPT. There is an MBR but it's a dummy copy, and your GPT might be untouched. You won't get anywhere with partimage, though.

0
0
Anonymous Coward

GPT

As I understand it, with GPT, the MBR isn't really a dummy, rather it points to the GPT. If you remove the MBR with a GPT partitioning scheme, it will still knacker the GPT, unless the MBR is replaced with a replacement which points to the GPT.

0
0
Bronze badge

MBR and GPT

Besides more than enough multiple partitions (which according to documentation Microsoft seems to want to exhaust anyway), the notable driver of GPT adoption is MBR failing to describe hard drives above 2.19 terabytes (2 TiB minus 1 sector) in size, although it may be possible to cheat.

If I correctly understand the situation after reading Wikipedia's GPT article, the drive boot sector or MBR that exists on a GPT disk mainly may contain two things: some of the system boot executable code (probably requiring EFI/UEFI "BIOS" to work), and an partition table that says, "All of this disk is used by one partition type that your partition tool doesn't know about. Leave it alone." The size of that partition will be ~2 TiB or the actual disk size, whichever is less. GPT or dual tools will (maybe) recognise this special MBR and (probably*) ignore it, going straight to the GPT starting on the next sector. MBR tools will probably balk in a way that reminds you that you should use a GPT tool instead. So in that way, the MBR points to the GPT, but only by being a special recognisable non-valid MBR.

I've just viewed http://wiki.onmac.net/index.php/Triple_Boot_via_BootCamp#Disk_Partitions_and_their_Limitations

which appears to describe successfully fiddling with this arrangement to get both a GPT and an MBR that accurately represent working hard disk partitions, but presumably below the 2 TiB limit.

As for Linux-based backup of a GPT Windows installation, here may be where we favour ntfsclone or even dd over partimage, at least, and also separately back up the GPT. partimage scores for me a bit by having compressing and file-splitting your backup built-in instead of apparently requiring a pipeline of statements, as well as grabbing the MBR with no effort (although with so-slow bzip2 compression this is buggy). I reckon that a backup compressed file segment size of 315 MB benefits by packing nicely, if necessary, onto CDs as well as DVDs, which probably makes me a genius in 2005, maybe not now.

I haven't seen it, but, as I say, I gather that Windows sprinkles a baffling selection of strange, tiny, vital partitions onto your GPT disk. As for dd, it'll back up the empty space on your disk, so a Windows procedure or program that fills that empty space with nicely compressible zeroes or something similar before a backup attempt is a good idea.

* Since the false MBR is part of the GPT specification, a smart GPT tool may offer to fix the MBR contents if they're not present and correct.

0
0
Stop

Make a Recovery Disc

Having just had to show a neighbour how to make a Recovery CD I thought I would just mention that the option is in:

<Control Panel><Backup and Restore>.

Load a blank CD and let it get on with it. Label it (the program tells you what to write). Add the date (the program does NOT tell you that).

Keep it safe. Make a new one every few months or if you change partition sizes.

1
0
Gold badge
Thumb Up

@banjomike

"Keep it safe. Make a new one every few months or if you change partition sizes."

I'd say whenever you install a new application *outside* of backing up your data folders regularly of course.

0
0
FAIL

Next, John Leyden

exclusively covers the Olympic Torch virus.

0
0
Unhappy

Well

If it's that bad, I think it becomes MS to provide a bootable ISO/USB that will fix it in a one-er, without the need to reinstall everything.

Ker-ching for those fixing PCs as homers in the meantime!

0
1

Huh.

It's not directly related, but I seem to remember that about fifteen years back BIOSes had an option to prevent a disk's MBR from being modified. It was a virus fighting measure or somesuch.

I may be wrong -- that dates back to when I was first learning to use computers. But I'm curious if anyone else here remembers what it was about and why manufacturers stopped including the option.

2
0
Gold badge
Thumb Up

Re: Huh.

Actually most BIOSes still do this, the one on my MSI mainboard does and it is set. Does what it says on the tin, when enabled anything trying to write to the primary disk's boot sector gets told to sod off by the hardware.

2
0
Silver badge
Linux

Obligatory "Linux is better" post

As per title...

4
1
Bronze badge
Linux

not necessarily

If I understand this correctly, there's no reason to assume linux is any more secure here.

Let's start with there being an infected MBR and this gets run before the operating system. In the old days of boot sector/MBR viruses, the virus would allocate some memory for itself using the BIOS, then patch in some entries into the interrupt table, say int 13h, which does low-level disk I/O. The classic sneaky viruses would intercept calls to access the disk and if it was already infected it would return a "cleaned" version so that virus scanners couldn't detect it (hence the need to boot off clean floppies if you wanted to be sure the scanner was working). If the disk (or file) wasn't infected, the virus would usually take that opportunity to do so at the time it's being accessed. The DIR-II virus worked quite like that.

Fast forward to more modern OSs and some things have changed, but not everything. In general, once linux has booted up, it doesn't use the BIOS for anything any more, so even if an MBR virus did manage to install itself before the OS, it would be stranded since int 13H would never get called and the virus would never execute. Apparently (from a quick search) windows still does use the BIOS for disk I/O, so maybe you'd chalk that up as a "linux is better" point. Actually, it's no reason to celebrate just yet... because Linux does use the BIOS at one key stage--when it's booting up, ie loading the kernel.

So actually, if you wrote an MBR virus that was aware of modern operating systems, you could actually hook into the BIOS entries for disk access and when Linux is booting the kernel you return an infected version on the fly. So in theory at least, neither OS is better on this score.

0
0
Silver badge

But you miss something

"So actually, if you wrote an MBR virus that was aware of modern operating systems, you could actually hook into the BIOS entries for disk access and when Linux is booting the kernel you return an infected version on the fly."

That would require the virus load up a whole kernel and make sure that works with the modules in your rootfs. Theoretically possible, but hugely challenging.

The cop out clause is that if the virus loads a complete kernel then you can hardly say it is "running Linux".

1
0
FAIL

FOTW

WTF

0
0
WTF?

...recovery

Since when is using the recovery "restoring to a pre-infected state" mean reinstalling? Using the repair function from the recovery disc fixes it without wiping all your data. I've done it half a dozen times on my personal machines, and I've never lost anything more than a couple days worth of program installs.

0
2
Silver badge
Facepalm

"users shall reinstall Windows"

Now, where is the install DVD .... oh wait ...

WAY TO GO MICROSOFT.

4
2
Paris Hilton

If you don't have your install DVD that is yoru fault.

Microsoft, makes the operating system. The company who built your computer has chosen not to include a install DVD. This has nothing to do with Microsoft. If you are going to bitch and I think you should then direct it to the right party.

Paris - because she always knows what party to go to be a bitch.

6
2

Not sure what Trading Standards thinks...

"Microsoft makes the operating system. The company who built your computer has chosen not to include a install DVD. "

Except, the buyer is not told that they are getting a functionality-limited copy of Windows with their new computer. Everything on the computer suggests thay are being supplied with the full product. If that isn't misrepresentation, then I dunno what is.

Maybe there should be a requirement for such versions to include the legend "OEM" on the splash screen, along with the wording, "One-time preinstall" or suchlike. Then, at least the nontech buyer would not be misled into thinking they have a full, reinstallable copy.

IMHO it is also steering very close to misrepresentation to describe an install as "Microsoft Windows" when it has a million items of trialware embedded into the OEM image, and no way is provided of actually installing Windows alone, minus junk.

Parallel example, can I mix Grouse, water and lemonade with Talisker, and sell that as Talisker (with bundled add-ons) -and also fail to provide a stopper for the bottle? I think that would soon get me in trouble, would it not?

Fundamental question; at what extent of adulteration does a brandname cease to legitimately apply to a product?

2
2
Bronze badge

IS M$ blameless in this?

I'm not convinced M$ doesn't have a hand in this. Clearly it's against Microsoft's interests to have alot of Windows install CDs floating around. That might give people the idea that they could *gasp* buy a computer without an OS and install from Windows CD they already have. (Perfectly legal if the last computer it was used on has been retired.) And considering they pull enough weight with hardware manufactures to dictate details as trivial as having Windows Logo slightly inset on the keyboard, I think it's a pretty safe bet that they have a say in exactly how Windows is distributed with a new computer.

1
1
Silver badge
Pint

"nothing to do with Microsoft"

It's actually unfortunate I can't even make fun with that.

1
0
Silver badge
Headmaster

Perfectly Legal?

Well, yes, maybe, or maybe not.

It is certainly written in the Windows OEM eula that you are NOT permitted to reinstall the preinstalled copy windows on any other hardware. It is expressly forbidden.

Whether that is enforceable if anyone were to challenge it in court is another matter.

I don't believe this has ever happened so at this point the best we can say it is a legal grey area.

0
0
Silver badge

@Old Handle

"(Perfectly legal if the last computer it was used on has been retired.)"

This really depends on the type of Windows licence provided with the old computer. If it's a full retail version, you are completely correct. If it's an OEM version, then the licence restricts you to the system that it was purchased on, and some OEM licence keys cannot be used for hardware from a different manufacturer (the installation process can check the BIOS identification string to check that the machine was made by the manufacturer who bought the OEM license).

MS will sometimes grant an activation string if you have to replace the motherboard as a result of a system failure, but I've found that recovery CDs in this scenario do not always work with different motherboards, at least for systems from large suppliers who use custom BIOSes. Simple answer is, if you can get a copy of a retail disk, guard it like it is gold.

I recently found this out when trying to license XP for a VirtualBox on my laptop, which runs Ubuntu (VirtualBox loads a specific BIOS in the VM which is completely unrelated to the actual system BIOS). I could not get it to accept the IBM OEM WinXP Pro key printed on the COA on the bottom of the machine until I cloned the BIOS identification strings in VirtualBox.

Of course, to a system integrator, providing a full retail licence will cost either them or their customer a lot more money than the heavily discounted OEM licence that Microsoft will sell them. This would put the supplier at a significant competitive disadvantage (I believe in the UK it is in the order of £50 per system) to their competitors who just use OEM licences, and as a side effect, ties them almost irrevocably to Microsoft, who will threaten to withdraw the OEM licence if they do anything that Microsoft don't like (like pre-installing Netscape Navigator or Lotus Notes/Symphony [old Symphony, not current], or shippping systems without an OS, or even with Linux pre-installed).

And of course, this also means that MS have a continual revenue stream as people replace their PC, and MS counts another Windows sale, even if it is an OEM one.

1
0

"I think that would soon get me in trouble, would it not?"

Probably not. The fine folks at trading standards will just sit on their thumbs. Which is easy for them because they have 5 on each hand.

0
0
Silver badge

If they don't include the DVD with the PC,

they [b]do[/b] include an ISO, along with instructions to make one from the ISO after you finish the initial registration. Still your own FAIL for not having one.

0
0
WTF?

You don't loose you data.

WTF!,

Back up your data and then reinstall after running the fixmbr.

If you cannot boot into Windows and your are infected then boot off the Windows CD into the recovery console then run the fixmbr command. Then do a parallel install of Windows to another directory and pull your data off.

The person who wrote this article and most of the comments are plain wrong. You never have to loose your data. It is always better to make a backup, but if there isn't one then you still have options.

0
1
Coat

You lose your sanity instead

Or at least the part of the brain that makes it possible to distinguish between two very similar words with the only difference being the absence of a double 'o'.

Sorry, I'll show myself out.

5
0
Anonymous Coward

Ubunty on CD

Last time I needed to "recover" a windows installation that would no longer start, I used one of the Ubuntu live CDs to start the machine connect to a network and transfer all data off the hard disk before wiping the system.

0
0
a53
Pint

Er

Now, for all those who recently were comparing Windows to Apple, which is the equivalent attack for us OSX users to have to worry about? Oh that's right, there isn't one!

2
5
FAIL

@a53

Yet....

You seem to have missed that word off the end of your statement. Oh, I am forgetting, OSX is invulnerable isn't it.

2
0
FAIL

And yet...

It has been over 10 years since OS X was launched and we are YET to see a real, self replicating in-the-wild (not theoretical, proof of concept in-the-lab) virus.

Who is the failure again?

0
0

Page:

This topic is closed for new posts.