

Rootkit:W32/Whistler


Aliases:


Rootkit:W32/Whistler
Rootkit.MBR.Whistler.A
Rootkit.MBR.Whistler.B
rootkit.mbr.whistler.a (boot image)
Rootkit.mbr.whistler.b_(boot_image)

Malware
Rootkit
W32

Summary

Rootkit:W32/Whistler infects the computer system's Master Boot Record (MBR) and loads additional malicious files while the system is starting up (booting).



Disinfection & Removal


Sending A Sample to F-Secure

Confirming the presence of hidden files on the MBR may require further analysis. To obtain a sample of the suspect MBR file(s), users may use the following instructions:

Once obtained, the sample can be forwarded to our Security Labs via the Sample Analysis System (SAS):


Manual Repair of the MBR

Caution: Manual disinfection of the MBR is only recommended for advanced users.

Microsoft provides tools to replace an infected MBR with a copy of the original, clean MBR. To do so:

  • Boot into the Recovery Console.
  • Depending on the operating system in question, run the appropriate command on all infected drives:
    • On Windows XP, run: fixmbr
    • On Windows 7, run: bootrec

Note: For further information on use of the 'fixmbr' command, please refer to the relevant Microsoft documentation.



Technical Details

The additional files loaded by the rootkit (which may be detected as Rootkit.MBR.Whistler.A (boot image)) are stored in the raw disk sectors and are therefore not visible in the file system.

As of this writing, these malware files are detected as Gen:Variant.Unruy.4. It may be possible for other malware to use this rootkit to silently launch itself on an infected computer.
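Because the additional files sit in raw sectors rather than in the file system, an offline disk image can be checked for data in sectors that no partition covers. The Python below is an added example, not F-Secure tooling: it parses the MBR partition table and lists such sectors. It assumes a classic MBR with primary partitions only; the function names and the sample image are constructed, and the page does not state which sectors Whistler uses.

```python
import struct

SECTOR = 512

def parse_mbr(sector0: bytes):
    """Return non-empty primary partition entries from a 512-byte MBR."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (bad size or boot signature)")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count > 0:
            parts.append({"type": ptype, "start": lba_start, "count": count})
    return parts

def unallocated_ranges(parts, total_sectors):
    """Half-open LBA ranges after sector 0 that no partition covers."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["start"] + p["count"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

def nonzero_sectors(image: bytes, gaps):
    """LBAs inside the gaps that hold any non-zero byte."""
    return [lba for a, b in gaps for lba in range(a, b)
            if any(image[lba * SECTOR:(lba + 1) * SECTOR])]

def build_sample_image():
    """Constructed 64-sector image: one partition at LBA 8..39, data at LBA 60."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 32)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = mbr
    image[10 * SECTOR:10 * SECTOR + 4] = b"NTFS"      # inside the partition: ignored
    image[60 * SECTOR:60 * SECTOR + 8] = b"CONSTRCT"  # outside any partition
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image()
    gaps = unallocated_ranges(parse_mbr(img[:SECTOR]), len(img) // SECTOR)
    print("unallocated ranges:", gaps)
    print("non-zero sectors outside partitions:", nonzero_sectors(img, gaps))
```

Data in these gaps is a lead for sample submission rather than proof of infection, since some legitimate boot loaders also store code in the sectors directly after the MBR.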






