FYI, in response to the message below (far below) and to hopefully help someone else out that may run into this beast. I have removed large parts of the original message below to protect the innocent, but the information that pertains to my network is all there :)

Torpig virus:

After talking to ICN and REN-ISAC, I thought I should pass this along.

This virus starts as MebRoot. It infected my machine (yes, I was the one) through a supposedly clean PDF. (I was researching a scanner, really!) My AV scanner picked it up, cleaned the file, and I thought all was well. Turns out I was wrong. Shortly following that, my machine rebooted for no apparent reason. No AV messages, and yes, my AV engine was running. The reboot IS a symptom, BTW.

After the reboot, it picked up Torpig. I could not get my email to open, and IE was hanging up on me, but other than that, no errors. I did not think too much of it since I managed to mangle IE a few weeks before this and never quite got it working the way I wanted. Chrome and Firefox worked as well as ever. I ran MalwareBytes; it found 1 file in the Windows /temp folder and cleaned it. Still could not get email, IE was OK now, but noticed now I could not run a disk cleanup. No errors, just would not finish... odd. I will skip about 3 hours of screwing around here... I got irritated, reformatted my machine and started over.

Got the email from Scott today and thought it was an odd circumstance.

So everyone is aware, most AV programs will miss it, or not get it completely. MebRoot does infect the MBR, so even though you think you might get it clean, if you did not run FIXMBR from the recovery console, you probably are not clean. Even then it is a good idea to run mbr.exe from gmer.net.

It runs through port 80, making it hard to pick up if. Snort has a new signature that will detect it, 2008660. If your content filter uses Snort, you should be able to add it. There are some reports of false positives, but what can we do. This will work until they change it again.

The other way is through NAT transaction (or translation) logging. Most firewalls have this capability. Then we just wait for the email and track it in the logs at that point (they give you the port number, see below). I will be turning this on, just in case it was another machine on my network. (Wish I had it on yesterday.)

This is a good one, reminds me of the old boot sector types... Hopefully this will save someone else a headache in the future...

Jim Kerns, Technology Director
Spencer Community Schools
23 East 7th St
P.O. Box 200
Spencer, Iowa 51301
jke...@spencer.k12.ia.us
712.262.0339
FAX 712.262.1116

>>> "Scott Fosseen [Prairie Lakes AEA]" <sfoss...@aea8.k12.ia.us> 2/3/2010 11:56 AM >>>

Here is a little more info on Torpig
http://en.wikipedia.org/wiki/Torpig

--------------------------------------------------
From: "ICN Service Desk [ICN]" <icnserviced...@iowa.gov>
Sent: Wednesday, February 03, 2010 10:48 AM
To: "Scott Fosseen" <sfoss...@aea8.k12.ia.us>
Subject: FW: [REN-ISAC] ** Notification - bots ** - SR 235787 - IP 205.221.206.1

> Scott,
>
> Please investigate the following report of bots from an IP on your
> network, 205.221.206.1, and respond to the ICN NOC when you believe you
> have them removed.
>
> Thanks,
>
> -----Original Message-----
> Sent: Wednesday, February 03, 2010 3:18 AM
> To: ICN Data Operations Group
> Subject: [REN-ISAC] ** Notification - bots ** - KIRKWOOD, AEA 3, DOWLING,
> NE POLK, AEA 13, AEA 1, AEA 1, AEA 11, CITY OF DSM, GLENWOOD, AEA 11, AEA 5
>
> Greetings,
>
> The host(s) listed at the bottom of this message have been identified as
> likely bot infected. The specific type of bot infection may or may not be
> known.
>
> If a source port is identified below, this is the source port used by the
> infected machine to contact a miscreant server.
>
> Please examine this machine for signs of break-in. Should you feel you've
> received this report in error, please let us know.
>
> All times are -0000 (UTC)
>
> IP Address       Timestamp
> ----------------------------------------
> 205.221.206.1    2010-02-02.19:29:56-0000    SrcPort:TCP/15650    MalwareType:Torpig (AEA 3)
>
> In order for the REN-ISAC to learn how we can best aid the
> education community with network security matters we'd greatly
> appreciate hearing back from you regarding action on this incident
> and how, if at all, this information proved useful.
>
> Research and Education Networking ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk: +1(317)278-6630, ren-i...@ren-isac.net
>
> ---
> [This E-mail scanned for viruses by Declude Virus on the server
> aea8.k12.ia.us]
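Jim's NAT-logging approach, together with the REN-ISAC note that the reported source port is the one the infected machine used, comes down to correlating the notification's public IP, timestamp and source port against the firewall's translation log to find the inside host. The script below is an added example, not part of the original thread or any vendor's tooling: the log line layout, LINE_RE and the internal and destination addresses are assumptions (constructed sample data); only the public IP, port and timestamp are taken from the notification above.

```python
"""Correlate a REN-ISAC bot notification with NAT translation logs.
Added example, not from the original thread. The NAT log format is a
constructed, generic inside->outside record; real firewall syslog
formats differ, so adapt LINE_RE to yours."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample NAT translation log (hypothetical firewall syslog, UTC).
# Public IP and source port 15650 come from the notification in the thread;
# internal and destination addresses are made up.
NAT_LOG = """\
2010-02-02T19:29:40Z NAT build tcp inside 10.20.5.17:49211 outside 205.221.206.1:15648 -> 198.51.100.77:80
2010-02-02T19:29:55Z NAT build tcp inside 10.20.5.23:51002 outside 205.221.206.1:15650 -> 198.51.100.77:80
2010-02-02T19:31:02Z NAT build tcp inside 10.20.5.17:49212 outside 205.221.206.1:15651 -> 203.0.113.9:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT build (?P<proto>\w+) inside (?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"outside (?P<out_ip>[\d.]+):(?P<out_port>\d+) -> (?P<dst>[\d.]+:\d+)$"
)

def parse_notification_time(ts):
    """Parse a REN-ISAC style timestamp such as '2010-02-02.19:29:56-0000'."""
    return datetime.strptime(ts, "%Y-%m-%d.%H:%M:%S%z")

def find_internal_hosts(log_text, public_ip, proto, src_port, reported_at, window_s=120):
    """Return (internal_ip, internal_port, timestamp, destination) for each translation
    using public_ip:src_port near the report time; the window matters because ports get reused."""
    lo, hi = reported_at - timedelta(seconds=window_s), reported_at + timedelta(seconds=window_s)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or unparsable record
        if m["out_ip"] != public_ip or m["proto"] != proto or int(m["out_port"]) != src_port:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if lo <= ts <= hi:
            hits.append((m["in_ip"], int(m["in_port"]), ts.isoformat(), m["dst"]))
    return hits

if __name__ == "__main__":
    reported = parse_notification_time("2010-02-02.19:29:56-0000")
    for hit in find_internal_hosts(NAT_LOG, "205.221.206.1", "tcp", 15650, reported):
        print("candidate infected host:", hit)
```

Logging must already be on when the report arrives, which is Jim's point about enabling it in advance; a hit only names a candidate, so the host still needs the MBR check he describes.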