Torpig/Sinowal/Mebroot

This has been around for a while now, but I'm just getting around to looking into it. It moved up on my priority list when I realized a half dozen machines were infected. Basically, Mebroot is a rootkit that lives in the Master Boot Record (MBR) of the disk, ahead of the file system, so it loads before Windows does. It then downloads the Torpig components that do the actual stealing of personal information.

Detection

This is easy to see when watching the network traffic from another machine. Generally you will see a lot of DNS requests while the infected machine is idle. If the requests are going to DNS servers that you didn't configure and are for random-looking, recently registered domains, you're probably infected.
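To show what "lots of idle DNS traffic to an unexpected resolver for random-looking names" looks like in practice, here is an added example (not from the original page) that scores constructed DNS log lines against those three signs. The log format, the resolver allow-list and the thresholds are all assumptions; domain registration age cannot be checked offline, so only the randomness of the name is scored here.

```python
# Added example: flag Torpig/Mebroot-style DNS behaviour in a DNS query log.
# Assumed log format (constructed here): "<epoch> <client_ip> <resolver_ip> <name>".
# The allow-list and thresholds are illustrative, not values from the page.
import math
from collections import Counter

ALLOWED_RESOLVERS = {"192.168.1.1"}   # resolvers you actually configured (assumed)
IDLE_QUERY_THRESHOLD = 10             # queries per client per minute (assumed)

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names: a long, high-entropy leftmost
    label with few vowels. Loose on purpose; registration age is not checked."""
    label = name.rstrip(".").split(".")[0]
    if len(label) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) > 3.0 and vowels / len(label) < 0.3

def analyze(lines):
    """Return (client, reason) findings for the three signs the text describes."""
    findings = []
    per_minute = Counter()
    for line in lines:
        ts, client, resolver, name = line.split()
        per_minute[(client, int(ts) // 60)] += 1
        if resolver not in ALLOWED_RESOLVERS:
            findings.append((client, f"unexpected resolver {resolver}"))
        if looks_random(name):
            findings.append((client, f"random-looking name {name}"))
    for (client, minute), n in per_minute.items():
        if n > IDLE_QUERY_THRESHOLD:
            findings.append((client, f"{n} queries in minute {minute}"))
    return findings

# Constructed sample: one clean host (10.0.0.5) and one host (10.0.0.7) that
# bursts queries for consonant-soup names to a resolver nobody configured.
SAMPLE_LOG = [
    "1240000000 10.0.0.5 192.168.1.1 www.example.com",
    "1240000010 10.0.0.5 192.168.1.1 mail.example.com",
] + [
    f"1240000{i:03d} 10.0.0.7 203.0.113.53 {n}.com"
    for i, n in enumerate(["qzxvkpwtrh", "mnbrtkqxlz", "xkwprtqzvb"] * 4)
]

if __name__ == "__main__":
    for client, reason in analyze(SAMPLE_LOG):
        print(client, reason)
```

On the sample, every finding points at 10.0.0.7 and the clean host produces none.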

Removal

I recommend using UBCD4Windows for the offline steps.

  1. Run FixMBR
  2. Delete all system restore points
  3. Scan with each AntiSpyware and AntiVirus tool
  4. Boot to safe mode with networking
  5. Update all AntiSpyware and AntiVirus tools
  6. Scan with each tool again
  7. Boot to normal mode and monitor network traffic

References

http://en.wikipedia.org/wiki/Torpig
http://www.precisesecurity.com/threats/bootmebroot/
http://www.cs.ucsb.edu/~seclab/projects/torpig/
http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lstsol=&idvirus=89223&sitepanda=particulares
http://www.sophos.com/security/analyses/viruses-and-spyware/trojtorpiga.html
http://www.f-secure.com/weblog/archives/00001393.html
http://www.rsa.com/blog/blog_entry.aspx?id=1378
http://web17.webbpro.de/index.php?page=analysis-of-sinowal
http://web17.webbpro.de/index.php?page=advanced-analysis-of-sinowal
http://www.windowssecrets.com/2008/11/20/03-Dont-be-a-victim-of-Sinowal-the-super-Trojan

– Main.FredPettis - 23 Apr 2009