Microsoft Clarifies Stance on 'Killer Trojan' Removal
Microsoft security experts are having their credentials called into question after sending out premature warnings to users urging them to protect themselves against a new form of covert malware. The Trojan was believed to be so indestructible that only a reinstallation of the entire Windows operating system would remove its presence.
Microsoft first took notice of the Trojan (called Win32/Popureb.E.) sometime last week. After weighing its potential for harm, security officials reasoned that it contained a rootkit hiding beneath an infected machine's boot sector.
Trojan Swaps Write Operation for Read Operation
At the time, MMPC (Microsoft Malware Protection Center) engineer Chun Feng noted that the Trojan was able to detect write operations aimed at the MBR (master boot record) and then swapped out the write operation with a read operation. (Source: techeye.net)
Feng believed the rootkit to be so powerful that those infected were instructed to back up their hard drive and re-install Windows to remove its presence.
Microsoft Engineer Clarifies Threat Severity
The announcement sent hundreds into a frenzy, with many taking Feng up on his reinstallation suggestion. Feng has since changed his mind concerning the severity of the threat and "clarified" Microsoft's position on the issue.
Feng now recommends that "If your system is infected with Trojan:Win32/Popureb.E. we advise fixing the Master Boot Record using the Windows Recovery Console to return the MBR to a clean state." (Source: vietnamtribune.com)
He went on to provide instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Feng also added that following these directions would enable the MBR to be scrubbed clean, and users can run antivirus software to scan their PC for additional malware for removal.
Some antivirus companies are offering removal kits for the Trojan, which Feng admits is probably a better option that a complete reformatting of the system.