Threat Description

Rootkit: ?W32/Whistler


Category: Malware
Type: Rootkit
Platform: W32
Aliases: Rootkit:?W32/Whistler, Rootkit.MBR.Whistler.A, Rootkit.MBR.Whistler.B, rootkit.mbr.whistler.a (boot image), Rootkit.mbr.whistler.b_(boot_image)


Rootkit:W32/Whistler infects the computer system's Master Boot Record (MBR) and loads additional malicious files while the system is starting up (booting).


Sending A Sample to F-Secure

To confirm the presence of hidden files on the MBR may require further analysis. To obtain a sample of the suspect MBR file(s), users may use the following instructions:

Once obtained, the sample can be forwarded to our Security Labs via the Sample Analysis System (SAS):

Manual Repair of the MBR

Caution: Manual disinfection of the MBR is only recommended for advanced users.

Microsoft provides tools to replace an infected MBR with a copy of the original, clean MBR. To do so:

  • Boot into the Recovery Console.
  • Depending on the operating system in question, run the appropriate command on all infected drives:
    • On Windows XP, run:fixmbr
    • On Windows 7, run:bootrec

Note: For further information on use of the 'fixmbr' command, please refer to the relevant Microsoft documentation.

Technical Details

The additional files loaded by the rootkit (which may be detected as Rootkit.MBR.Whistler.A (boot image)) are stored in the raw disk sectors and are therefore not visible in the file system.

As of this writing, these malware files are detected as Gen:Variant.Unruy.4. It may be possible for other malware to use this rootkit to silently launch themselves on an infected computer.


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

F-Secure Community

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More