Sending A Sample to F-Secure
Confirming the presence of hidden files on the MBR may require further analysis. To obtain a sample of the suspect MBR file(s), users may use the following instructions:
Once obtained, the sample can be forwarded to our Security Labs via the Sample Analysis System (SAS):
Manual Repair of the MBR
Caution: Manual disinfection of the MBR is only recommended for advanced users.
Microsoft provides tools to replace an infected MBR with a copy of the original, clean MBR. To do so:
Note: For further information on use of the 'fixmbr' command, please refer to the relevant Microsoft documentation.
The additional files loaded by the rootkit (which may be detected as Rootkit.MBR.Whistler.A (boot image)) are stored in the raw disk sectors and are therefore not visible in the file system.
As of this writing, these malware files are detected as Gen:Variant.Unruy.4. It may be possible for other malware to use this rootkit to silently launch itself on an infected computer.
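To triage an MBR sample before submitting or repairing it, the following added example (not F-Secure or Microsoft code) parses a 512-byte dump of sector 0, hashes the boot code for comparison against a known-clean copy, and lists the sector ranges that no partition covers and that the file system therefore never shows. Assumptions: the function names are hypothetical, the sample MBR is constructed, the total sector count is supplied by the analyst, and treating unpartitioned ranges as the place to look for raw-sector data is an assumption rather than something the description states.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR sample into signature check, boot code hash and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR sample must be exactly 512 bytes")
    parts = []
    for i in range(4):                         # four 16-byte entries at offset 446
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:          # skip empty slots
            parts.append({"slot": i, "active": status == 0x80,
                          "type": ptype, "start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        # Compare this hash with one taken from a known-clean MBR of the same OS build.
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": parts,
    }

def unallocated_ranges(partitions, total_sectors):
    """Return (first, last) LBA ranges after sector 0 that no partition covers.

    Assumption (not from the page): these ranges are worth inspecting for raw data.
    """
    gaps, cursor = [], 1                       # sector 0 is the MBR itself
    for p in sorted(partitions, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def build_sample_mbr() -> bytes:
    """Constructed sample: zeroed boot code, one active type-0x07 partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 200000)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print(info)
    print(unallocated_ranges(info["partitions"], total_sectors=204800))
```

A boot code hash that differs from the clean baseline, or non-zero data in the reported ranges, is a reason to submit the sample for analysis rather than proof of infection.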