Common Malware Threats
(last updated 2010-05-06)
Torpig
Torpig, also known as Mebroot, Sinowal or Anserin, is a Trojan horse program that attacks Windows machines. It is designed to capture sensitive information, such as credit card data, passwords, and login locations, from the victim's browsing activity. It is often delivered as an attachment to a malicious phishing email. These emails can be deceptive, and the attachments often seem innocuous, such as PDF files or Word documents. The malicious download is usually undetected by the user and can pass through filters in antivirus and other protection programs.
Am I infected?
Torpig is smart and does a pretty good job of covering its tracks, even from antivirus software. If your machine shuts down and restarts on its own, that may indicate that malware is resetting itself. You may also notice that your Java or Adobe versions are older than the versions you had previously.
If you suspect that your computer has Torpig, you should run a complete antivirus scan and another scan with a trusted anti-malware product. If Torpig is found, you should follow your anti-malware product's removal instructions, for example:
http://forums.spybot.info/showthread.php?t=25045&highlight=torpig
How do I remove Torpig?
Torpig can be particularly difficult and complex to remove. It often requires changes in the Windows Registry that may have unintended consequences. It can return even after re-imaging the machine in question. Therefore, we strongly recommend that any machine infected with Torpig be re-imaged (completely overwritten) by an IT professional. Data should be backed up to external media, the machine re-imaged, and then tested immediately for re-infection.
Conficker
Despite the fact that the vulnerability exploited by the now-famous Conficker worm was patched over a year ago, Conficker (aka W32.Downadup) still pops up from time to time on the Hopkins network. Currently, Conficker is not a highly damaging piece of malware, but it should be removed as soon as possible.
Am I infected?
If you have been keeping current with Microsoft patching over the last year, it is unlikely that you have Conficker. If not, you should run a scan with an up-to-date version of Symantec. More info:
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
How do I remove Conficker?
Symantec has an automated removal tool:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
If that does not work, you can remove it manually using these instructions:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=3
As with Torpig, manual removal may require some Windows Registry changes and may not be for the faint of heart.
Antivirus 2010
This malware attempts to deceive users into downloading it by displaying a bogus warning logo. It then tries to convince you to buy another tool to remove malware that did not exist in the first place. It may display a blue screen of death or otherwise degrade your computer's performance.
Am I infected?
You may be infected if you see a warning logo that says "Antivirus 2010" on your machine. If you see it only in a browser, you may be seeing only a Web version of the tool and not a local infection. You should run a scan using your anti-malware tool.
How do I remove Antivirus 2010?
You should check the documentation of your anti-malware tool to ensure that it identifies and removes this particular virus. There should be a tool for automated removal. For example, with Malwarebytes, see:
http://forums.malwarebytes.org/index.php?showtopic=6703
If you cannot remove the malware automatically, you should consider reformatting your computer's hard drive.