
What does Symantec call Trojan:Win32/Popureb.E?

Created: 28 Jun 2011 • Updated: 06 Jul 2011 | 15 comments
This issue has been solved. See solution.

Computerworld (and by extension, Slashdot) are referencing a Microsoft blog posting about Trojan:Win32/Popureb.E, malware that infects the master boot record.  What does Symantec call this threat?  I can't find any reference to it on the Symantec site (searching or browsing the A-Z list).

- Bill

15 Comments

freef0rm's picture

They may as well call it Trojan.Win32/Reload.ur.OS since that is about how well I bet Symantec will be able to handle this threat.  /haha

Prahveer's picture

Hi, please see the VirusTotal report:

http://www.virustotal.com/file-scan/report.html?id...

You can also refer to attachment.

cheers....

Attachment: Screenshot.pdf (183.35 KB)

Prahveer Kumar
BSc(Hons) Mathematics - year 2 student
University of Technology, Mauritius

Prahveer's picture

http://www.virustotal.com/file-scan/report.html?id...

Trojan:Win32/Popureb.B is also detected by Symantec as Trojan.gen

Prahveer Kumar
BSc(Hons) Mathematics - year 2 student
University of Technology, Mauritius

Thomas K's picture

Detections were modified for Trojan.Gen in the latest Rapid Release and Certified defs.

Antivirus Protection Dates

  • Initial Rapid Release version February 19, 2010 revision 037
  • Latest Rapid Release version June 28, 2011 revision 022
  • Initial Daily Certified version February 19, 2010 revision 040
  • Latest Daily Certified version June 28, 2011 revision 020
  • Initial Weekly Certified release date February 24, 2010

http://www.symantec.com/business/security_response...


theexplorer's picture

Trojan.Gen is a generic detection... in some cases Symantec detects false positives with the name Trojan.Gen...

Check the known issues with DWH***.tmp detected as Trojan.Gen,

temporary files in the xfer folder with Trojan.Gen...

It's obvious this is not a definition-based detection...

Good Luck!

Bill_K's picture

As already pointed out, trojan.gen is a generic detection.  If malware that infects the MBR is detected by SEP after the fact, I'd really like to know about it.  Is there a good method to inspect master boot records on an enterprise wide basis (e.g. automatically during a maintenance window instead of sneakernetting around with a special tool)?

Ian_C.'s picture

According to kochc, Symantec calls this Trojan.Fakeav or Trojan.Tidserv.

See http://www.symantec.com/connect/blogs/win32popurebe-symantec-response

Unfortunately no links & no ability to verify.

Please mark the post that best solves your problem as the answer to this thread.

chris_delay's picture

http://www.symantec.com/security_response/writeup.jsp?docid=2011-062909-5644-99&tabid=2

As for the Trojan.Gen detection, there's a little confusion about the definition.

When we find a new threat, part of the decision process is "is this threat unique enough to warrant a whole new name?"  Oftentimes it's not... a few characters tweaked here or there doesn't warrant an entirely new detection, so the detection is added to the generic signature for that threat... a generic trojan, for example, would be added to the Trojan.Gen signature, whereas if we find a trojan that's brand new, or so far modified from a basic trojan, we might call it Trojan.Whatever.  These are signature detections.

We've detected previous versions of this threat as Trojan.Fakeav in the past, and it appears to operate similarly to how Trojan.Tidserv works.

With regards to checking the MBR, SEP does scan it, but due to the implications of removing the MBR, we only log the infection, we don't act on it (but the log does show up in the SEPM and on the client itself).  The SERT tool can scan and repair (if repairable) the MBR, and Power Eraser (inside the Support Tool) also has the ability to scan the MBR after a reboot if selected.

SOLUTION
Bill_K's picture

Thank you for the reply. If SEP will at least provide detection of MBR infections, I'm a happy guy.

FbacchinZF's picture

As far as I understood, the way Popureb.E protects itself on the MBR is by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk.

That means the FIXMBR command or tools like SERT and Power Eraser cannot clean the MBR of Popureb.
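An added example, not code from this thread, from Symantec or from the tools named above, that serves both Bill_K's question about inspecting MBRs on an enterprise-wide basis and the write-to-read substitution FbacchinZF describes: a read-back verification that flags a repair reported as successful but never persisted, plus a cheap structural plausibility check on sector 0. The SimulatedDisk class, its intercept_writes switch and the demo MBR contents are constructed stand-ins for illustration, not a real driver or real disk I/O.

```python
import hashlib

SECTOR_SIZE = 512

class SimulatedDisk:
    """Constructed in-memory stand-in for a physical disk (no real I/O)."""
    def __init__(self, initial_mbr: bytes, intercept_writes: bool = False):
        self._data = bytearray(initial_mbr) + bytearray(SECTOR_SIZE * 7)
        # Models the behaviour described above: when True, a write to LBA 0
        # is reported as successful but nothing actually reaches the disk.
        self.intercept_writes = intercept_writes

    def read(self, lba: int) -> bytes:
        off = lba * SECTOR_SIZE
        return bytes(self._data[off:off + SECTOR_SIZE])

    def write(self, lba: int, sector: bytes) -> bool:
        if len(sector) != SECTOR_SIZE:
            raise ValueError("a sector must be exactly 512 bytes")
        if self.intercept_writes and lba == 0:
            return True  # "success", but the write was turned into a read
        off = lba * SECTOR_SIZE
        self._data[off:off + SECTOR_SIZE] = sector
        return True

def build_demo_mbr(marker: bytes) -> bytes:
    """Constructed MBR: marker in the boot-code area, empty partition table, 0x55AA."""
    return marker.ljust(446, b"\x00") + bytes(64) + b"\x55\xaa"

def mbr_structure_ok(sector: bytes) -> bool:
    """Plausibility check for fleet-wide inspection: 0x55AA signature present
    and each partition entry's status byte is 0x00 or 0x80."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        return False
    return all(sector[446 + 16 * i] in (0x00, 0x80) for i in range(4))

def repair_mbr_verified(disk: SimulatedDisk, known_good: bytes) -> dict:
    """Write known_good to LBA 0, read it back and compare SHA-256 hashes; a
    reported-ok write with a mismatching read-back is the symptom described above."""
    before = disk.read(0)
    reported_ok = disk.write(0, known_good)
    after = disk.read(0)
    return {
        "write_reported_ok": reported_ok,
        "readback_matches": hashlib.sha256(after).digest() == hashlib.sha256(known_good).digest(),
        "mbr_changed": after != before,
        "structure_ok": mbr_structure_ok(after),
    }
```

On a real host the SimulatedDisk would be replaced by raw reads of the physical drive (which need administrative rights), and a baseline hash of a known-good sector 0 would be recorded per machine image before comparing across the fleet.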

Mick2009's picture

Followers of this thread may be interested in this new "MBR Confusion" blog from Symantec Security Response:

https://www-secure.symantec.com/connect/blogs/mbr-confusion

Thanks and best regards,

Mick


FbacchinZF's picture

Has anyone ever caught this virus and cleaned the MBR using a similar tool?

Bill_K's picture

I share your concern, FbacchinZF, about machines that were infected by a zero-day and evaded SEP's initial detection.  Shall we start a new thread on this?