This has been around for a while now, but I'm just getting around to looking into it. It moved up on my priority list when I realized that half a dozen machines were infected. Basically, Mebroot is a rootkit that resides in the disk's Master Boot Record (MBR). From there it downloads the Torpig components that enable it to steal personal information.
An infection is easy to see when you watch the suspect host's network traffic from another machine. You will generally see a lot of DNS requests while the host is idle. If those requests go to DNS servers that you didn't specify and are for random-looking, recently registered domains, you're probably infected.
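As an added illustration of the DNS symptom just described (this is not code from the original note), the following Python sketch runs over a query log captured from a second machine and flags two things: queries sent to resolvers other than the ones you configured, and queries for random-looking names. The resolver addresses and the log lines are constructed placeholders; the "recently registered" test from the text would need a WHOIS/RDAP lookup, which this offline example omits.

```python
import math

# Resolvers this site actually configured for its clients
# (assumption: placeholder addresses, not from the original note).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Constructed sample of a DNS query log captured from a second machine,
# one query per line: "time client resolver queried_name". Not a real capture.
SAMPLE_LOG = """\
12:00:01 10.0.1.25 10.0.0.53 www.example.com
12:00:02 10.0.1.25 10.0.0.53 mail.example.com
12:00:03 10.0.1.25 198.51.100.7 kqzvxbtw.com
12:00:03 10.0.1.25 198.51.100.7 xj7pq2wr9n.net
12:00:04 10.0.1.25 10.0.0.53 ypwvzkqx.org
12:00:05 10.0.1.25 10.0.0.53 update.microsoft.com
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits per character of the string; higher means more uniform character use."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Crude: it ignores multi-part public suffixes such as co.uk."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(qname, min_len=8):
    """Heuristic for machine-generated names: a long label with almost no
    vowels, or with a near-uniform character distribution. Tune per site."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio < 0.2 or shannon_entropy(label) >= 3.2


def parse_line(line):
    """Split one log line into its four fields; None for blank or malformed lines."""
    fields = line.split()
    if len(fields) != 4:
        return None
    time, client, resolver, qname = fields
    return {"time": time, "client": client, "resolver": resolver, "qname": qname}


def analyze(log_text, expected_resolvers):
    """Return one finding per suspicious query, with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["resolver"] not in expected_resolvers:
            reasons.append("unexpected resolver " + rec["resolver"])
        if looks_random(rec["qname"]):
            reasons.append("random-looking name")
        if reasons:
            rec["reasons"] = reasons
            findings.append(rec)
    return findings


def verdict(findings, random_name_threshold=3):
    """Treat the host as suspect if any query bypassed the configured resolvers
    or if it asked for several distinct random-looking names."""
    bypassed = any(r.startswith("unexpected resolver")
                   for f in findings for r in f["reasons"])
    random_names = {f["qname"] for f in findings
                    if "random-looking name" in f["reasons"]}
    return bypassed or len(random_names) >= random_name_threshold


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG, EXPECTED_RESOLVERS)
    for f in found:
        print(f["time"], f["client"], f["qname"], "->", "; ".join(f["reasons"]))
    print("suspect:", verdict(found))
```

Against the constructed sample this flags the three random-looking names and the two queries that bypassed the configured resolvers; a legitimate name such as update.microsoft.com passes both heuristics. Expect some false positives from CDN hostnames, so treat the output as a lead for a second look, not as a verdict on its own.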
I recommend using UBCD4Windows.
<hr>
http://en.wikipedia.org/wiki/Torpig<br />
http://www.precisesecurity.com/threats/bootmebroot/<br />
http://www.cs.ucsb.edu/~seclab/projects/torpig/<br />
http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/<br />
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=sol&idvirus=89223&sitepanda=particulares<br />
http://www.sophos.com/security/analyses/viruses-and-spyware/trojtorpiga.html<br />
http://www.f-secure.com/weblog/archives/00001393.html<br />
http://www.rsa.com/blog/blog_entry.aspx?id=1378<br />
http://web17.webbpro.de/index.php?page=analysis-of-sinowal<br />
http://web17.webbpro.de/index.php?page=advanced-analysis-of-sinowal<br />
http://www.windowssecrets.com/2008/11/20/03-Dont-be-a-victim-of-Sinowal-the-super-Trojan
– Main.FredPettis - 23 Apr 2009