Windows Rootkit Requires Reinstall?

In a ComputerWorld article Gregg Kaiser cites a Microsoft engineer as saying that the trojan that Microsoft calls “Popureb” digs so deeply that the only way to eradicate it is to reinstall the operating system.

If you read the Microsoft blog, Feng didn't actually say that this is the only way to eradicate the trojan. In fact, the advice to restore a system to its factory state is wise advice for many infections. If the Microsoft tool fixmbr, run from the recovery CD, can repair the MBR and eradicate the trojan, then there are most definitely other programmatic means to remove the trojan, but that is not the whole picture.
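As an added illustration that is not part of the original post, here is a small Python check a defender could use to fingerprint the bootstrap code of a disk's MBR (the region fixmbr rewrites) and compare it with a baseline taken from a known clean machine. The MBR bytes below are constructed for the example, and the Windows device path mentioned in the comment is an assumption about where a live copy would be read.

```python
# Added example, not code from the ESET post: parse a 512-byte MBR and
# fingerprint its bootstrap code so it can be compared with a known-good copy.
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code precedes the 4-byte disk signature
TABLE_OFFSET = 446         # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"    # status, CHS start, type, CHS end, LBA start, sectors
BOOT_SIGNATURE = b"\x55\xaa"
# Assumption: on a live Windows host the sector would come from
# open(r"\\.\PhysicalDrive0", "rb").read(512), which needs administrator rights.


def parse_mbr(mbr: bytes) -> Dict:
    """Return the bootstrap-code hash, disk signature and used partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions: List[Dict] = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack("<I", mbr[440:444])[0],
            "partitions": partitions}


def boot_code_matches(mbr: bytes, known_good_sha256: str) -> bool:
    """True when the bootstrap code is byte-identical to the clean baseline."""
    return parse_mbr(mbr)["boot_code_sha256"] == known_good_sha256


def build_mbr(boot_code: bytes, disk_sig: int,
              entries: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a constructed MBR for testing (status, type, lba_start, sectors)."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
            + struct.pack("<I", disk_sig) + b"\x00\x00" + table + BOOT_SIGNATURE)


# Constructed sample: a clean boot sector and one whose bootstrap code was altered.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0", 0xDEADBEEF, [(0x80, 0x07, 2048, 204800)])
CLEAN_BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_mbr(b"\xeb\xfe", 0xDEADBEEF, [(0x80, 0x07, 2048, 204800)])
```

A baseline hash recorded from a freshly imaged machine lets you spot a changed bootstrap region before deciding whether fixmbr alone is enough or a full reinstall is warranted.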

When a malicious program that can download other programs is installed it can install all kinds of other malicious programs and there is no guarantee that any AV product in the world can detect all of them. The bad guys have the resources for quality control and can test their software to ensure that no product detects their malware initially. Using anti-virus means that you find what the product knows, not that you found everything.

If maximum system security is a high priority, then a restore to a known clean state is often the only assurance of a clean machine. The one critical piece of advice that was missing from the blog and the ComputerWorld article is that when you clean up after such an infection, regardless of whether you disinfect or reinstall the OS, you must use a new login password. If you keep other passwords on your computer in an unencrypted file, then you need to change all of those as well.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
