The new variant of Bootkit.Trup is making rounds, which is updated to protect the infected MBR.
The encryption used in Bootkit.Trup.B is very similar to its old variant “Bootkit.Trup.A” which is simple rotate right (ROR) operation.
It gets Drive geometry of the infected disk and then calculates position near end of the partition to store original MBR and other components. These components are written into unallocated part of the partition, in case disk becomes full there is chance of it getting overwritten with other data.
The original MBR and driver component are stored in encrypted form using the same encryption.
Driver component hooks ATAPI’s DriverStartIo routine where it monitors for write operations. In case of write operation targeted at the MBR sector, it is changed to read operation. This way it is trying to bypass repair operation by Security Products.
MBR protection mechanism was previously seen in TDSS.TDL4 which was sitting at the bottom of the storage stack to monitor read and write operations to first sector and its encrypted components in unpartitioned disk space.
This malware is targeting popular browsers to inject its code and has AdClicking functionality for monetary gains. It maintains information of clicked Ads in INI file.
Other Security Vendors detect the infected MBR as Trojan:DOS/Popureb.B and the bootkit malware as Trojan:Win32/Popureb.E.
Some published articles about this bootkit suggest to reinstall Windows to remove this malware are misleading.
Quick Heal users could download BootKitRemover tool to detect and repair this bootkit. It is required to restart the system to complete the repair process.
Thanks to Jithin Nair for inputs to this blog entry.