Symantec has found a new rootkit that hides from Windows XP in the hard drive's boot sector. Nasty stuff. A traditional rootkit installs as a driver, while this new rootkit installs itself so that it controls the master boot record (MBR) before the operating system loads, said Symantec security researcher Oliver Friedrichs in a Computerworld story. This allows it to hide especially well; "unprecedented" is the term that Friedrichs uses to describe this threat. The rootkit is fine-tuned to work only on Windows XP systems. Vista users may remain protected because they should be explicitly asked to approve the installation of this MBR rootkit when a User Account Control warning pops up. This is because the rootkit requires administrative-level approval to install to the hard drive's master boot record.
The Computerworld story says:
"According to other researchers, including those with the SANS Institute's Internet Storm Center, Prevx Ltd. and a Polish analyst who uses the alias 'gmer,' the rootkit has infected several thousand PCs since mid-December, and is used to cloak a follow-on bank account-stealing Trojan horse from detection as well as to reinstall the identity thief if a security scanner somehow sniffs it out."
If the rootkit does find its way onto a system, you may be looking at a PC that cannot be repaired but has to be wiped clean. Symantec claims that its antivirus software fights the rootkit by identifying it as a Trojan named Mebroot when the rootkit attempts to install itself. Researchers also suggest checking to see if your PC's BIOS includes an MBR write-protection feature. If so, they advocate activating it.
The Microsoft Subnet blog is the official blog of the Network World's Microsoft Subnet community, and is written by Online Community editor Julie Bort.