The bootkit malware Trojan:Win32/Popureb.E has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick:
- It calls IoGetDeviceAttachmentBaseRef( ) to retrieve the bottom device object in the disk device stack, that is, the real physical disk device object.
- Then it hooks the DriverStartIo routine in the found device’s DRIVER_OBJECT structure (see the picture below).
- The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk.
If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called “fixmbr”.
To find out how to use your system’s recovery options, refer to the following articles:
- For Windows XP: Installing and using the Recovery Console in Windows XP
- For Windows Vista: System Recovery Options in Windows Vista
- For Windows 7: System Recovery Options in Windows 7
– Chun Feng
Leave a reply