====== Torpig/Sinowal/Mebroot ======

This has been around for a while now, but I'm just getting around to looking into it. This moved up on my priority list when I realized a half dozen machines were infected.

Basically, Mebroot is a rootkit that resides in the disk's Master Boot Record (MBR). It downloads the Torpig files that enable it to steal personal information.

===== Detection =====

This is easy to see when watching the infected host's network traffic from another machine. Generally you will see a lot of DNS requests while the machine is idle. If the requests are going to DNS servers that you didn't specify and are for random-looking, recently registered domains, you're probably infected.

===== Removal =====

I recommend using UBCD4Windows.

  - Run FixMBR
  - Delete all system restore points
  - Scan with each AntiSpyware and AntiVirus tool
  - Boot to safe mode with networking
  - Update all AntiSpyware and AntiVirus tools
  - Scan with each
  - Boot to normal mode and monitor network traffic
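The two detection signs described above (queries sent to resolvers you did not configure, and random-looking names) can be checked mechanically against a capture taken from the monitoring machine. The script below is an added example, not part of the original page: the resolver addresses, the tcpdump-style log lines and the entropy/vowel thresholds are all constructed for illustration, and the "recently registered" check is left out because it needs a WHOIS lookup that does not work offline.

```python
"""Flag suspicious DNS queries in a tcpdump-style summary (added example)."""
import math
import re
from collections import Counter

# Resolvers this network is configured to use (constructed for the example).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed tcpdump-style lines: "<time> IP <src> > <resolver>.53: <id>+ A? <name>."
SAMPLE_LOG = """\
12:00:01.000 IP 10.0.0.7.51001 > 192.0.2.53.53: 1001+ A? www.example.com.
12:00:02.000 IP 10.0.0.7.51002 > 198.51.100.9.53: 1002+ A? qzvkxpwmrt.com.
12:00:03.000 IP 10.0.0.7.51003 > 198.51.100.9.53: 1003+ A? hbdjqlfgwsnx.net.
12:00:04.000 IP 10.0.0.7.51004 > 192.0.2.53.53: 1004+ A? mail.example.org.
"""

LINE_RE = re.compile(r"IP \S+ > (\d+\.\d+\.\d+\.\d+)\.53: \d+\+ \w+\? (\S+)\.$")


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a label; random strings score high."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic: a long second-level label with high entropy and few vowels."""
    label = name.split(".")[-2] if "." in name else name
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 8 and label_entropy(label) > 3.0 and vowels / len(label) < 0.25


def suspicious_queries(log: str, resolvers=EXPECTED_RESOLVERS):
    """Return (resolver, name, reasons) for each query worth a closer look."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a DNS query line
        resolver, name = m.groups()
        reasons = []
        if resolver not in resolvers:
            reasons.append("unexpected resolver")
        if looks_random(name):
            reasons.append("random-looking name")
        if reasons:
            hits.append((resolver, name, reasons))
    return hits


if __name__ == "__main__":
    for resolver, name, reasons in suspicious_queries(SAMPLE_LOG):
        print(f"{name:<20} via {resolver:<14} {', '.join(reasons)}")
```

Replace SAMPLE_LOG with the output of `tcpdump -n udp port 53` captured on the monitoring machine and adjust EXPECTED_RESOLVERS to your own DNS servers.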