Comments on: New Mebroot/Sinowal/MBR/Torpig variant in the wild – virtually undetected and more dangerous than ever

By: Elric

Elric — Wed, 20 Jan 2010 20:32:03 +0000

Does the drive-by infection require admin privileges to work?

By: STeven

STeven — Fri, 16 Oct 2009 17:09:10 +0000

If i get a notice from my ISP i have torpig, how can i find it on a network with over 300 pc

By: Windows reality - The Torpig botnet and LOTS of others out here | keyongtech

Thu, 07 May 2009 14:06:40 +0000

[...] computers. I find the name somewhat ironic. Mebroot. MEB root. Based on this technical analysis: http://www.trustdefender.com/blog/20…ous-than-ever/ 1) Mebroot is mainly deployed through a drive-by download when you visit

By: 98 Guy

98 Guy — Thu, 07 May 2009 12:55:04 +0000

Can someone explain if Mebroot will (or will not) run correctly under Windows 98? If Mebroot absolutely requires the presence of atapi.sys, svchost.exe or services.exe in order to function, then I can’t see how it can function on a win-98 system.

By: Richard

Richard — Mon, 27 Apr 2009 22:04:55 +0000

XP? Did you fixmbr the MBR?

I, too, got a report from my IPs abuse desk. I found all of the symptoms listed above on one of my XP machines (had an unexplained reboot, rg4sfay existed and open by services.exe).

I did the fixmbr routine and the cited signs are gone. But I just got another abuse email from my ISP. I can’t reach a human there to find out why/when this latest warning was triggered.

Approaching max paranoia and running out of ideas how to proceed.

By: Luke

Luke — Tue, 21 Apr 2009 03:15:42 +0000

And I’ve got infected with a newer version of this virus and so far no tool has been able to detect it! I know it’s there, however, as I got informed by my network administrator that something is sending requests from my machine. I’ve tried everything and all detection tools fail. Any ideas?

By: admin

admin — Mon, 20 Apr 2009 11:16:59 +0000

Hi mario, no worries. This blog is for technical information and any info that helps people is very much appreciated. So please do post this kind of info. Your info is very much appreciated. Thanks

By: mario

mario — Mon, 20 Apr 2009 06:52:04 +0000

Hi admin, sorry if I mentioned your “competitors” here, but their fix is so easy and effective that I thought could be useful to many like me that have been infected because they do not use (yet) your products. When you see all your passwords and mail stored in a hidden file, well, you are scared and desperate, and any solution, even temporary, is welcome.
Having said that, I have to thank you because 1) your article is very informative and 2) you were the first to point out that the trojan comes through acrobat reader files: just update acrobat reader and you are ok (for now).
I also mentioned your article as a valuable source to many collegues and on other security forums, and I hope this will help you forgive me.
Keep up the good work!

By: admin

admin — Mon, 20 Apr 2009 00:14:20 +0000

Hi mario, you are right. GMER has updated their detection and removal tool on April 15. Many other security vendors did the same and after they analyzed the trojan, they provide now updated protection tools… However just a word of caution: these updated tools will only work up until Mebroot changes again and then they are useless again… So far, TrustDefender has always picked up an infection based on our Forensics Engine

By: mario

mario — Sun, 19 Apr 2009 16:50:11 +0000

This is a nasty one, only Process Explorer from Microsoft shows handles pointing to rg4sfay, ydf8dk. NO TRACES in Task Manager, Msconfig, Services.msc and registry !!!!!!
BUT (good news)
Solution is very easy!!
1) disable system restore (just in case)
2) clean up c:/windows/prefetch (just in case again)
3) go to http://www2.gmer.net/mbr/ , download the .exe at bottom of page and run it 3 times as described FROM SAFE MODE of course.
4) restart and enable system restore.

now you can delete the 2 files and process explorer shows nothing suspicious.
As a bonus, after deleting prefetch my pc starts using 50% time as before!
Found the mbr solution in an Italian forum
http://www.hwupgrade.it/forum/showthread.php?t=1715546
looks like in Italy there are many similar cases.
Cheers
Mario