Bootkits are kernel-mode rootkit variants that hide in the computer’s master boot record (MBR) and are notoriously difficult to spot and, sometimes, to eradicate.
Microsoft warned last week about a new variant of the “Popureb” Trojan that prevents users from deleting the malicious MBR by replacing the disk write operation with a read operation.
The user believes the operation was a success, but the malicious code is still there.
“If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR),” advised Microsoft’s Chun Feng. “To fix the MBR, we advise that you use the System Recovery Console, which supports a command called ‘fixmbr’.”
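The practical lesson of the write-to-read redirection is that a repair tool must not trust the write call's return value; it should read sector 0 back and compare it with the clean image. The following is an added example (not code from Microsoft or from the article) that models that check against a constructed in-memory disk; `Disk`, `WriteRedirectedDisk`, `make_mbr` and `restore_mbr` are hypothetical names, and the redirected disk only imitates the reported behaviour of silently turning an MBR write into a read.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


class Disk:
    """Constructed in-memory stand-in for a raw disk (not a real device)."""

    def __init__(self, sectors=4):
        self.data = bytearray(SECTOR_SIZE * sectors)

    def read(self, lba):
        off = lba * SECTOR_SIZE
        return bytes(self.data[off:off + SECTOR_SIZE])

    def write(self, lba, sector):
        off = lba * SECTOR_SIZE
        self.data[off:off + SECTOR_SIZE] = sector
        return True  # reports success


class WriteRedirectedDisk(Disk):
    """Models the behaviour described in the article: a write to sector 0 is
    turned into a read, so the call reports success but the MBR is untouched."""

    def write(self, lba, sector):
        if lba == 0:
            self.read(lba)  # the redirected operation
            return True     # ...which still claims success
        return super().write(lba, sector)


def make_mbr(code):
    """Build a 512-byte MBR image: boot code, zero padding, 0x55AA signature."""
    body = code[:SECTOR_SIZE - 2].ljust(SECTOR_SIZE - 2, b"\x00")
    return body + BOOT_SIGNATURE


def restore_mbr(disk, clean_mbr):
    """Write the clean MBR, then verify by hashing a read-back of sector 0.
    Returns (ok, message); the write's own return value is never trusted."""
    assert len(clean_mbr) == SECTOR_SIZE and clean_mbr.endswith(BOOT_SIGNATURE)
    before = hashlib.sha256(disk.read(0)).hexdigest()
    reported_ok = disk.write(0, clean_mbr)
    after = hashlib.sha256(disk.read(0)).hexdigest()
    if after == hashlib.sha256(clean_mbr).hexdigest():
        return True, "MBR verified: read-back matches clean image"
    if reported_ok and after == before:
        return False, "write reported success but sector 0 is unchanged: redirected write suspected"
    return False, "read-back mismatch"
```

Against a real disk the same read-back comparison applies after running `fixmbr`, ideally from the recovery environment rather than from the possibly hooked running system.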