Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on February 27, 2015, 02:02:25 PM

Title: cbl.abuseat.org says my ip address is NAT(ing) for torpig infected server
Post by: REDACTED on February 27, 2015, 02:02:25 PM
(The IP address) was last detected at 2015-02-22 03:00 GMT (+/- 30 minutes), approximately 4 days, 22 hours, 30 minutes ago.
This IP address is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.
If you are running a newer Windows operating system, Torpig has likely been dropped by a second Trojan such as Andromeda/Gamarue or similar malware droppers.

With Mebroot or any other rootkit that installs itself into the MBR, you will either have to use a "MBR cleaner" or reformat the drive completely - even if you manage to remove Torpig, the MBR infection will cause it to be reinfected again.
The best way to find the machine responsible for this listing is to look for connections to the Torpig C&C sinkhole. This detection was made through a connection to "108.61.18.43" on port "80" TCP. This detection corresponds to a connection at 2015-02-22 03:14:06 (GMT - this timestamp is believed accurate to within one second).
You can try Kaspersky's TDSSKiller Antirootkit Utility to get this infection detected/removed. However, we strongly recommend that you do a complete re-install of your operating system to get this infection removed permanently.
These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.
You will need to find and eradicate the infection before delisting the IP address.

Hoping for a little help.

Logs attached
Title: Re: cbl.abuseat.org says my ip address is NAT(ing) for torpig infected server
Post by: essexboy on February 27, 2015, 02:26:19 PM
I can see no sign there. Who told you you were infected?
Title: Re: cbl.abuseat.org says my ip address is NAT(ing) for torpig infected server
Post by: Pondus on February 27, 2015, 02:27:56 PM
Your IP is listed by Spamhaus here: http://whatismyipaddress.com/blacklist-check

On 6 blacklists here: http://multirbl.valli.org/lookup/101.170.255.238.html


Title: Re: cbl.abuseat.org says my ip address is NAT(ing) for torpig infected server
Post by: polonus on February 27, 2015, 03:21:12 PM
Confirming the IP blacklisting: https://www.countryipblocks.net/view_location_details.php?ip=101.170.255.238
and http://www.projecthoneypot.org/ip_101.170.255.235
Not given here: http://www.ipvoid.com/scan/101.170.255.235

pol
Title: Re: cbl.abuseat.org says my ip address is NAT(ing) for torpig infected server
Post by: REDACTED on March 01, 2015, 12:01:32 PM
Hey thanks for the responses.  :)

I was first alerted to a problem when I received a notice from 'administrator' that two emails I sent were not delivered. After checking on spamhaus.org I read that I was listed because my Broadband stick's IP was listed on cbl.abuseat.org. CBL explained exactly why I was listed and gave advice that I should identify the infected machine (if I could) and reformat. The IP address was from the Broadband stick, which I had only used on my Surface Pro 3, so I reset the machine. At no time have I been able to identify the bot and MBR infection using available security software.

Would appreciate it if anyone knows of a suitable Linux or UNIX boot-up I can run to search PCs for the C&C IP address? Will be methodically checking our family machines to ensure we have done all we can.

I have already downloaded and installed the latest beta version of Premier for the surface pro 3 and am using our family broadband connection with a different IP address, for now.

Regards
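The CBL notice quoted in the first post says the way to find the responsible machine is to look for connections to the Torpig sinkhole, and the post above asks for a tool to search for that address. As an added example (not code from the thread or from CBL), here is a small Python check that runs over router/firewall NAT log lines in an assumed, hypothetical format and reports which LAN host reached 108.61.18.43:80, listing hosts seen within the CBL detection window first; the log format, field names and sample lines are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Sinkhole endpoint and detection time as quoted in the CBL notice.
SINKHOLE_IP = "108.61.18.43"
SINKHOLE_PORT = 80
DETECTION_TIME = datetime(2015, 2, 22, 3, 14, 6, tzinfo=timezone.utc)

# Assumed (hypothetical) NAT log format, one connection per line:
# "<UTC timestamp>Z <anything> SRC=<lan ip> DST=<wan ip> PROTO=<proto> SPT=<n> DPT=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"].upper(), "dpt": int(m["dpt"])}

def find_sinkhole_hits(lines, window=timedelta(minutes=30)):
    """Every TCP connection to the sinkhole: (lan ip, ISO timestamp, within CBL window)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst"] == SINKHOLE_IP and rec["dpt"] == SINKHOLE_PORT and rec["proto"] == "TCP":
            hits.append((rec["src"], rec["ts"].isoformat(),
                         abs(rec["ts"] - DETECTION_TIME) <= window))
    return hits

def suspect_hosts(lines):
    """LAN hosts that reached the sinkhole, those active near the reported time listed first."""
    hits = find_sinkhole_hits(lines)
    near = {src for src, _, in_window in hits if in_window}
    return sorted({src for src, _, _ in hits}, key=lambda ip: (ip not in near, ip))

# Constructed sample log (not real data): one hit inside the window, one outside,
# a UDP packet to the same endpoint (ignored), a normal connection and a junk line.
SAMPLE_LOG = [
    "2015-02-22T03:14:05Z router NAT SRC=192.168.1.23 DST=108.61.18.43 PROTO=TCP SPT=49213 DPT=80",
    "2015-02-22T03:14:06Z router NAT SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49214 DPT=443",
    "2015-02-22T03:14:07Z router NAT SRC=192.168.1.23 DST=108.61.18.43 PROTO=UDP SPT=49215 DPT=80",
    "2015-02-22T10:02:11Z router NAT SRC=192.168.1.40 DST=108.61.18.43 PROTO=TCP SPT=51000 DPT=80",
    "this line is not a NAT record",
]
```

To use it on a real router export or iptables LOG output, adapt the timestamp format and field names in LOG_RE to that device's log layout and pass the lines to suspect_hosts().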
Title: Re: cbl.abuseat.org says my ip address is NAT(ing) for torpig infected server
Post by: essexboy on March 01, 2015, 12:48:25 PM
Have you received any further warnings?