New MBR rootkit infection thwarts repair efforts


Microsoft (NASDAQ: MSFT) is warning Windows users of new malware that embeds itself into the Master Boot Record. Called Win32/Popureb.E, it uses an unusual rootkit technique to thwart standard recovery attempts. MBR infections were common in the past; they hide malware in the first sector of the hard disk drive so that it loads ahead of the operating system. Executing malware before the OS also puts it ahead of antivirus software, which makes it easier to evade detection.

Because the content of a clean MBR is well known, it is normally a relatively simple affair to eliminate the malware by scrubbing the MBR back to its original state. Win32/Popureb.E is different: it introduces a driver component that intercepts attempts to write to the MBR and silently converts them into harmless "read" operations. As reported by Computerworld, "although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed."

As such, antimalware software may encounter difficulty removing Popureb.E via standard system commands. In a post on the Microsoft Malware Protection Center blog, Chun Feng advises that users fix the MBR via the "fixmbr" command within the System Recovery Console. This should be followed by a system restoration back to a clean state to ensure that the malware is completely removed.
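The failure mode described above, a write to sector 0 that returns success while the disk is unchanged, is exactly what a remediation tool must not trust. The following is an added example, not code from the article or from Microsoft, showing the defensive check a repair routine should perform: write the known-good MBR, read the sector back, and compare. The `RawDisk` and `WriteDroppingDisk` classes are constructed stand-ins for a block device, not real device I/O, and the boot-code bytes are made up for the demonstration.

```python
"""Verify that an MBR repair actually reached the disk (added example).

A repair routine that trusts the write call's return value will report
success against a driver that turns MBR writes into reads. Reading the
sector back and comparing it to what was written exposes the discrepancy.
"""

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"  # boot signature at bytes 510-511 of a valid MBR


class RawDisk:
    """Minimal sector store standing in for a raw block device (constructed)."""

    def __init__(self, initial_sector0: bytes):
        assert len(initial_sector0) == SECTOR_SIZE
        self._sector0 = bytes(initial_sector0)

    def read_sector0(self) -> bytes:
        return self._sector0

    def write_sector0(self, data: bytes) -> None:
        assert len(data) == SECTOR_SIZE
        self._sector0 = bytes(data)


class WriteDroppingDisk(RawDisk):
    """Models the failure mode in the article: the write call returns
    normally, but sector 0 is never changed (constructed stand-in)."""

    def write_sector0(self, data: bytes) -> None:
        assert len(data) == SECTOR_SIZE
        # The write is silently treated as a read; nothing is stored.
        self.read_sector0()


def mbr_is_well_formed(sector: bytes) -> bool:
    """Structural sanity check: correct length and 0x55AA boot signature."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == MBR_SIGNATURE


def restore_mbr(disk: RawDisk, clean_mbr: bytes) -> str:
    """Write a known-good MBR and confirm it by reading it back.

    Returns one of:
      'restored'          - read-back matches what was written
      'write_intercepted' - write reported success but sector 0 is unchanged
      'unexpected_state'  - sector 0 changed to something else entirely
      'bad_image'         - the supplied clean image is not a valid MBR
    """
    if not mbr_is_well_formed(clean_mbr):
        return "bad_image"
    before = disk.read_sector0()
    disk.write_sector0(clean_mbr)
    after = disk.read_sector0()
    if after == clean_mbr:
        return "restored"
    if after == before:
        return "write_intercepted"
    return "unexpected_state"


def make_mbr(boot_code: bytes) -> bytes:
    """Build a 512-byte sector from boot code, zero padding and the signature."""
    body = boot_code[:510].ljust(510, b"\x00")
    return body + MBR_SIGNATURE


# Constructed sample sectors; the contents are arbitrary placeholders.
CLEAN_MBR = make_mbr(b"CONSTRUCTED-CLEAN-BOOTCODE")
INFECTED_MBR = make_mbr(b"CONSTRUCTED-INFECTED-BOOTCODE")


def demo() -> dict:
    """Run the repair against a normal disk and a write-dropping one."""
    return {
        "normal": restore_mbr(RawDisk(INFECTED_MBR), CLEAN_MBR),
        "hooked": restore_mbr(WriteDroppingDisk(INFECTED_MBR), CLEAN_MBR),
        "bad": restore_mbr(RawDisk(INFECTED_MBR), b"\x00" * SECTOR_SIZE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The read-back goes through the same storage stack as the write, so on a live infected system it can only prove that the repair did not land, not that the disk is clean; that is why the advice above is to run "fixmbr" from the Recovery Console, outside the infected operating system, and then restore the system to a known-clean state.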

For more:
- check out this article at Computerworld
- check out this article at Microsoft Malware Protection Center
