Rootkit:W32/Whistler infects the computer system's Master Boot Record (MBR) and loads additional malicious files while the system is starting up (booting).
Sending A Sample to F-Secure
Confirming the presence of hidden files on the MBR may require further analysis. To obtain a sample of the suspect MBR file(s), users may use the following instructions:
Once obtained, the sample can be forwarded to our Security Labs via the Sample Analysis System (SAS):
Manual Repair of the MBR
Caution: Manual disinfection of the MBR is only recommended for advanced users.
Microsoft provides tools to replace an infected MBR with a copy of the original, clean MBR. To do so:
- Boot into the Recovery Console.
- Depending on the operating system in question, run the appropriate command on all
  - On Windows XP, run: fixmbr
  - On Windows 7, run: bootrec
Note: For further information on use of the 'fixmbr' command, please refer to the relevant Microsoft documentation.
The additional files loaded by the rootkit (which may be detected as Rootkit.MBR.Whistler.A (boot image)) are stored in the raw disk sectors and are therefore not visible in the file system.
As of this writing, these malware files are detected as Gen:Variant.Unruy.4. It may be possible for other malware to use this rootkit to silently launch themselves on an infected computer.
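The following is an added example, not F-Secure's tooling or instructions: a Python triage script for a 512-byte MBR sector taken from an offline disk image. It hashes the boot-code area so it can be compared with a copy from a known-clean system or with the sector after repair, and lists the sector ranges outside every partition, which no file system covers. The function names and the sample sector are constructed for illustration, and the page does not state which raw sectors Whistler uses.

```python
import hashlib
import struct

SECTOR = 512


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR sector read from an offline disk image."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR sector is exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, length
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        # Bytes 0..439 hold the boot code, the part an MBR infector modifies.
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": parts,
    }


def unpartitioned_ranges(parts: list, total_sectors: int) -> list:
    """Inclusive (first, last) sector ranges outside all partitions; sector 0 is the MBR."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one active NTFS partition starting at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 200000)
    return boot_code.ljust(446, b"\x00") + entry + bytes(48) + b"\x55\xaa"


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr(b"\xfa\x33\xc0"))  # constructed boot code
    print(info)
    print(unpartitioned_ranges(info["partitions"], 204800))
```

A boot-code hash that differs from the reference only shows that the sector changed; the ranges it lists are candidates for raw-sector review, not a detection result.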