Re: Windows only though
Replying to my reply, that seems to be true for the Windows 7 autochk.exe method where the file is overwritten by the BIOS.
The Windows 8 and 10 wpbbin.exe method can't be disabled and gets past BitLocker, as it's Windows 8/10 itself which gets the file from the BIOS and runs it. So it seems if you must use Windows 8/10 there's nothing you can do to stop it.
The article seems to say the autochk.exe method and the wpbbin.exe method are part of one rootkit, but the autochk.exe method would be used by the BIOS if Windows 7 is detected, and the wpbbin.exe method would be used by Windows 8/10: it checks the BIOS to see if this file is stored in it and, if so, writes it to the filesystem itself and runs it.