Endpoint Protection


What does Symantec call Trojan:Win32/Popureb.E?


  • 1.  What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 28, 2011 08:19 AM

    Computerworld (and by extension, Slashdot) are referencing a Microsoft blog posting about Trojan:Win32/Popureb.E, malware that infects the master boot record.  What does Symantec call this threat?  I can't find any reference to it on the Symantec site (searching or browsing the A-Z list).

     

    - Bill



  • 2.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 28, 2011 11:36 AM

    They may as well call it Trojan.Win32/Reload.ur.OS since that is about how well I bet Symantec will be able to handle this threat.  /haha



  • 3.  RE: What does Symantec call Trojan:Win32/Popureb.E?



  • 4.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 28, 2011 12:53 PM

    Hi, please see the VirusTotal report

    http://www.virustotal.com/file-scan/report.html?id=04a299ac84bc784e016be87dfca7025418bab3aba956e5eb6747eb19a309b1f2-1309259684

    You can also refer to attachment.

    cheers....

    Attachment(s): Screenshot_0.pdf (183 KB, 1 version)


  • 5.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 28, 2011 12:54 PM

    http://www.virustotal.com/file-scan/report.html?id=515f409aa0c7235e96eab0a07621d4c5cdb3e15bbd5998fdbe8bd460aaea7548-1306271548

    Trojan:Win32/Popureb.B is also detected by Symantec as Trojan.gen



  • 6.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 28, 2011 02:58 PM

    Detections were modified for Trojan.Gen in the latest Rapid Release and Certified defs.

    Antivirus Protection Dates

    • Initial Rapid Release version February 19, 2010 revision 037
    • Latest Rapid Release version June 28, 2011 revision 022
    • Initial Daily Certified version February 19, 2010 revision 040
    • Latest Daily Certified version June 28, 2011 revision 020
    • Initial Weekly Certified release date February 24, 2010

    http://www.symantec.com/business/security_response/definitions/rapidrelease/index.jsp



  • 7.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 28, 2011 03:08 PM

    Trojan.Gen is a generic detection... in some cases Symantec detects false positives with the name Trojan.Gen...

    check the known issues with DWH***.tmp detected as Trojan.Gen

    temporary files in the xfer folder detected as Trojan.Gen...

    it's obvious this is not a definition-based detection...



  • 8.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 28, 2011 03:13 PM



  • 9.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 28, 2011 04:11 PM

    As already pointed out, trojan.gen is a generic detection.  If malware that infects the MBR is detected by SEP after the fact, I'd really like to know about it.  Is there a good method to inspect master boot records on an enterprise wide basis (e.g. automatically during a maintenance window instead of sneakernetting around with a special tool)?



  • 10.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 28, 2011 04:39 PM

    According to kochc, Symantec calls this Trojan.Fakeav or Trojan.Tidserv

    See http://www.symantec.com/connect/blogs/win32popurebe-symantec-response

    Unfortunately no links & no ability to verify.



  • 11.  RE: What does Symantec call Trojan:Win32/Popureb.E?
    Best Answer

    Posted Jun 29, 2011 08:44 AM

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-062909-5644-99&tabid=2

    As for the Trojan.Gen detection, there's a little confusion about the definition.

    When we find a new threat, part of the decision process is "is this threat unique enough to warrant a whole new name?"  Oftentimes it's not... a few characters tweaked here or there doesn't warrant an entirely new detection, so the detection is added to the generic signature for that threat... a generic trojan, for example, would be added to the Trojan.Gen signature, whereas if we find a trojan that's brand new, or so far modified from a basic trojan, we might call it Trojan.Whatever.  These are signature detections.

    We've detected previous versions of this threat as Trojan.Fakeav in the past, and it appears to operate similar to how Trojan.Tidserv works.

    With regards to checking the MBR, SEP does scan it, but due to the implications of removing the MBR, we only log the infection, we don't act on it (but the log does show up in the SEPM and on the client itself).  The SERT tool can scan and repair (if repairable) the MBR, and Power Eraser (inside the Support Tool) also has the ability to scan the MBR after a reboot if selected.



  • 12.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 29, 2011 08:56 AM

    Thank you for the reply-- if SEP will at least provide detection of MBR infections, I'm a happy guy. 



  • 13.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jun 29, 2011 09:52 AM

    Followers of this thread may be interested in this new "MBR Confusion" blog from Symantec Security Response:

    https://www-secure.symantec.com/connect/blogs/mbr-confusion

    Thanks and best regards,

    Mick



  • 14.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jul 08, 2011 09:50 AM

    As far as I understood, the way Popureb.E protects itself on the MBR is by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The hooked DriverStartIo routine monitors the disk write operations: If it finds the write operation is trying to overwrite the MBR or the disk sectors containing malicious code, it simply replaces the write operation with a read operation. The operation will still succeed, however, the data will never actually be written onto the disk.

    That means FIXMBR command or tools like SERT and Power Eraser cannot clean the MBR from Popureb.

    Does anyone ever catch this virus and cleaned MBR using a similar tool ?

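Post 9 asks how to inspect master boot records across an estate, and post 14 describes a hook that silently turns MBR writes into reads. The Python below is an added example written for this thread; it is not code from any poster, from Symantec or from Microsoft. It parses a raw 512-byte MBR, reports findings against an allowlist of known-good boot-code hashes (one hash per disk image is the intended use), and shows why a repair tool's write must be verified by reading the sector back. The two sample sectors, the `KNOWN_GOOD` allowlist and the `FakeDisk` stand-in are constructed for the example; `read_physical_mbr`, which opens `\\.\PhysicalDrive0` and needs administrator rights on Windows, is provided for real use but is not called in the demonstration.

```python
"""Offline MBR inspection and write-verification (added example, not vendor code)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # classic MBR layout: boot code occupies bytes 0..439
DISK_SIG_OFF = 440         # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # boot signature at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def check_mbr(sector: bytes, known_good: set) -> list:
    """Return a list of findings for one host; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 55AA boot signature")
    if info["boot_code_sha256"] not in known_good:
        findings.append("boot code hash not in allowlist: " + info["boot_code_sha256"])
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    return findings


def verify_sector_write(write, read, new_sector: bytes) -> bool:
    """Write a sector, then read it back through the same path and compare.

    A driver hook that completes MBR writes as reads (the behaviour post 14
    describes) reports success but leaves the old bytes in place, so the
    read-back differs from what was written and this returns False.
    """
    write(new_sector)
    return read() == new_sector


def read_physical_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk on Windows (requires administrator)."""
    with open(path, "rb", buffering=0) as disk:
        return disk.read(SECTOR)


class FakeDisk:
    """In-memory stand-in for a physical disk (constructed for this example)."""

    def __init__(self, mbr: bytes, swap_writes_to_reads: bool = False):
        self.mbr = mbr
        self.hooked = swap_writes_to_reads

    def read(self) -> bytes:
        return self.mbr

    def write(self, data: bytes) -> int:
        if self.hooked:
            # Mimic the hooked DriverStartIo: the request "succeeds" but nothing lands on disk.
            return len(data)
        self.mbr = data
        return len(data)


def build_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a syntactically valid MBR with one active NTFS-type partition (constructed)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + entry + b"\x00" * 48 + SIGNATURE


# Constructed samples: neither is a real Windows MBR nor real Popureb boot code.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8")
INFECTED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 20)
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha256"]}

if __name__ == "__main__":
    print("clean host:", check_mbr(CLEAN_MBR, KNOWN_GOOD))
    print("infected host:", check_mbr(INFECTED_MBR, KNOWN_GOOD))
    honest = FakeDisk(INFECTED_MBR)
    hooked = FakeDisk(INFECTED_MBR, swap_writes_to_reads=True)
    print("repair verified (honest disk):", verify_sector_write(honest.write, honest.read, CLEAN_MBR))
    print("repair verified (hooked disk):", verify_sector_write(hooked.write, hooked.read, CLEAN_MBR))
```

For fleet use, run `read_physical_mbr` from a scheduled task, ship only the boot-code hash and findings to a central store, and seed `KNOWN_GOOD` with the hash taken from each freshly imaged build. One caveat: a port-driver hook that rewrites writes can equally well filter reads, so a clean read-back from inside the running OS is evidence, not proof; a read taken from boot media (for example a WinPE environment) is the reliable comparison.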



  • 16.  RE: What does Symantec call Trojan:Win32/Popureb.E?

    Posted Jul 08, 2011 10:52 AM

    I share your concern, FbacchinZF, about machines that were infected by a zero-day and evade SEP's initial detection.  Shall we start a new thread on this?