Reports that Windows Trojan Popureb requires a reinstallation of Windows are incorrect, says Microsoft
Microsoft has denied that the Popureb.E Trojan totally flattens Windows operating systems. A report yesterday implied that infected machines had to be taken down and Windows 7, Vista and XP reinstalled.
According to Microsoft, the confusion is a result of a misunderstanding of how the Trojan affects the master boot record (MBR). The MBR is the region of a hard disk that stores physical details of the drive – how big the partitions are and what file format is in use. It also holds the bootstrap code, the program the computer runs at power-up to initiate the loading of the operating system.
No Reason To Reinstall
Chun Feng, an Australian researcher with the Microsoft Security Research & Response (MSRR) team, wrote a blog post about how to clean this very critical region of the disk. A basic misunderstanding of what he said caused a wave of misinformation to wash over the Internet.
“There is no reason to reinstall Windows,” Jimmy Kuo, a US researcher for MSRR, told eWEEK Europe. “The problem is that readers of Chun’s blog assumed that recovering the MBR meant that you had to blow it away, including the partition table. There is a difference between the code that’s in the MBR and the partition data in there. We’re explaining to people how to use the FixMBR command and the blog has been updated.”
Kuo added that Popureb is “not a prevalent threat” which means that it is unlikely to be a widespread problem.
In Feng’s updated blog, he emphasises that the problem can be solved without a reinstallation being necessary.
To fix the MBR, the Windows Recovery Console is used to run the BOOTREC.exe tool, which is available from Microsoft. The command bootrec.exe /fixmbr replaces only the executable code in the MBR, leaving the neighbouring partition information on the disk untouched.
Rebooting the PC and scanning for malware will remove the rest of the Trojan. Alternatively, after fixing the MBR, a System Restore can be used to return the PC to its pre-infected state.
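As an added illustration (not code from Microsoft's blog or from this article), the Python model below shows why a code-only MBR repair leaves the partitions intact: in the layout Windows uses, the bootstrap code occupies the first 440 bytes of the sector, while the partition table sits in the 64 bytes just before the 0x55AA boot signature. The loader bytes and partition entries are constructed placeholders, and fix_mbr_code is a simplified model of what a code-only repair does, not the bootrec tool itself.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440          # bootstrap code region (bytes 0..439)
TABLE_OFF = 446         # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa" # boot signature in the last two bytes

def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0xDEADBEEF) -> bytes:
    """Assemble a 512-byte MBR from code plus (bootable, type, lba_start, sectors) tuples."""
    assert len(boot_code) <= CODE_LEN and len(partitions) <= 4
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, CODE_LEN, disk_sig)          # disk signature, bytes 440..443
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        off = TABLE_OFF + 16 * i
        mbr[off] = 0x80 if bootable else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba, count)    # CHS fields left zero (LBA-only)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)

def parse_partitions(mbr: bytes):
    """Return the non-empty partition entries; raises if the boot signature is missing."""
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return entries

def boot_code_hash(mbr: bytes) -> str:
    """Hash only the code region, so a baseline comparison ignores partition-table changes."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest()

def fix_mbr_code(mbr: bytes, clean_code: bytes) -> bytes:
    """Model of a code-only repair: rewrite bytes 0..439, keep disk signature and partition table."""
    return clean_code.ljust(CODE_LEN, b"\x00") + mbr[CODE_LEN:]

# Constructed sample: a known-good loader, then the same disk with its boot code overwritten.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20            # placeholder loader bytes
TAMPERED_CODE = b"\xeb\xfe" + b"\x41" * 30                      # placeholder hijacked loader
PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41736192)]
CLEAN_MBR = build_mbr(CLEAN_CODE, PARTS)
INFECTED_MBR = build_mbr(TAMPERED_CODE, PARTS)
REPAIRED_MBR = fix_mbr_code(INFECTED_MBR, CLEAN_CODE)
```

Comparing boot_code_hash against a known-good baseline flags a modified loader while ignoring legitimate partition changes; parse_partitions returns the same entries before and after the repair.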