A free removal tool for the Popureb.E malware was released to the public by the security vendor Prevx; here is the download link.
For those who do not know, Popureb.E is a trojan that targets the Master Boot Record (MBR) on Windows XP machines. So far, Windows Vista and Windows 7 seem to be immune to this kind of infection. The malware adds its code to the Master Boot Record, making itself in some fashion invisible to the operating system and antivirus software, which are loaded later, after the trojan code. This malware made some waves a few days ago when a Microsoft engineer, Chun Feng, suffering from excessive zeal, recommended an extreme solution to get rid of the trojan: a Windows reinstall.
Any attempt to fix the infected Master Boot Record is thwarted by a low-level hook installed in the miniport driver (generally atapi.sys) responsible for disk read/write operations, which turns any disk write request aimed at the Master Boot Record into a read request. This is the only method the trojan uses to prevent its deletion from the Master Boot Record where it resides; otherwise it does not hide its code in the MBR and has no other protection for the hook it installs. The original MBR is encoded with a simple encoding procedure and saved somewhere on the hard disk. You can read more details about this trojan here, in an article written by the malware researcher Marco Giuliani.
The Popureb.E trojan removal tool is able to disable the malicious low-level (kernel-mode) hook on the disk miniport driver, restoring its normal functionality, and to restore the original MBR by overwriting the infected one. This way the trojan is effectively deleted. The only requirement to run the Popureb.E removal tool is an Administrator account.
However, the ease of restoring the original functionality of a computer infected with Popureb.E is due to the simplicity of the encoding algorithm used on the original MBR data (each byte of the MBR is rotated by 73). Possible new versions of the Popureb malware using a stronger encoding algorithm or a stronger protection scheme could be much harder to remove.
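As an added example (not Prevx's tool or the article's code), the following script shows how a forensic analyst could recover the saved original MBR from such a weakly encoded copy: it assumes "rotated by 73" means each byte is shifted by 73 modulo 256, validates a candidate sector using the 0x55AA boot signature and the partition-table boot indicators, and also brute-forces the shift constant so the check still works if a variant changes the value. The sample MBR is constructed inline.

```python
# Added example: recover a constant-shift-encoded MBR copy and validate it.
# Assumption: "rotated by 73" = each byte + 73 (mod 256); the decoder subtracts.
from typing import Optional

SECTOR = 512
SHIFT = 73  # value reported in the article for Popureb.E


def encode_mbr(mbr: bytes, shift: int = SHIFT) -> bytes:
    """Apply the assumed byte-wise shift (used here only to build test data)."""
    return bytes((b + shift) & 0xFF for b in mbr)


def decode_mbr(blob: bytes, shift: int = SHIFT) -> bytes:
    """Undo the byte-wise shift."""
    return bytes((b - shift) & 0xFF for b in blob)


def looks_like_mbr(sector: bytes) -> bool:
    """Sanity-check a recovered sector: 512 bytes, 0x55AA signature at offset
    510, and each of the four partition entries starting with a boot indicator
    of 0x00 (inactive) or 0x80 (active)."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    return all(sector[446 + 16 * i] in (0x00, 0x80) for i in range(4))


def recover_shift(blob: bytes) -> Optional[int]:
    """Brute-force the shift constant: only one value can map the last two
    bytes onto 0x55 0xAA, so a match is unambiguous. None if no shift fits."""
    for s in range(256):
        if looks_like_mbr(decode_mbr(blob, s)):
            return s
    return None


def build_sample_mbr() -> bytes:
    """Constructed sample: dummy boot code, one active NTFS-type entry, signature."""
    code = bytes([0xFA, 0x33, 0xC0]) + b"\x90" * (446 - 3)
    entry = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + (63).to_bytes(4, "little") + (2048).to_bytes(4, "little"))
    table = entry + b"\x00" * 48  # three empty entries
    return code + table + b"\x55\xaa"


if __name__ == "__main__":
    saved_copy = encode_mbr(build_sample_mbr())
    shift = recover_shift(saved_copy)
    print("recovered shift:", shift)
    print("valid MBR after decode:", looks_like_mbr(decode_mbr(saved_copy, shift)))
```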
Keep safe!