1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Rootkit:W32/Whistler

Rootkit:W32/Whistler

Detection Names : Rootkit.MBR.Whistler.A, Rootkit.MBR.Whistler.B
rootkit.mbr.whistler.a (boot image), Rootkit.mbr.whistler.b_(boot_image)
Category:Malware
Type:Rootkit
Platform:W32

Summary

Rootkit:W32/Whistler infects the computer system's Master Boot Record (MBR) and loads additional malicious files while the system is starting up (booting).

Disinfection

Sending A Sample to F-Secure

To confirm the presence of hidden files on the MBR may require further analysis. To obtain a sample of the suspect MBR file(s), users may use the following instructions:

Once obtained, the sample can be forwarded to our Security Labs via the Sample Analysis System (SAS):


Manual Repair of the MBR

Caution: Manual disinfection of the MBR is only recommended for advanced users.

Microsoft provides tools to replace an infected MBR with a copy of the original, clean MBR. To do so:

  • Boot into the Recovery Console.
  • Depending on the operating system in question, run the appropriate command on all infected drives:

    • On Windows XP, run: fixmbr
    • On Windows 7, run: bootrec

Note: For further information on use of the 'fixmbr' command, please refer to the relevant Microsoft documentation.

Additional Details

The additional files loaded by the rootkit (which may be detected as Rootkit.MBR.Whistler.A (boot image)) are stored in the raw disk sectors and are therefore not visible in the file system.

As of this writing, these malware files are detected as Gen:Variant.Unruy.4. It may be possible for other malware to use this rootkit to silently launch themselves on an infected computer.