University of California, Riverside


Mebroot/Torpig Virus

New Mebroot/MBR/Torpig malware infecting campus computers

There is a malicious rootkit known as Mebroot that is often associated with various botnet infections, including Torpig. Torpig is malware designed to harvest sensitive information from an unsuspecting user, especially banking information.  This type of malware infects Windows machines only, Apple computers are not affected.

Currently, there is no noticeable indication you have this rootkit.  However, there is certain network traffic which C&C will detect signifying this infection.  If a computer is detected within the UCR Network with Mebroot or any malware associated with the Torpig (or similar) botnet, the following actions will be taken:

  • The primary user or owner of the computer will be notified that they have the botnet.
  • The user's departmental IT contact will be notified of the user's name and the IP address of the infected machine.
  • The C&C Help Desk will be notified of infected computers belonging to faculty or staff, and the C&C Student Computing Help Desk will be notified of students with infected machines.
  • The infected computers of faculty or staff will have their network connection turned off to prevent further malicious traffic related to the botnet. Students will have their wireless authentication disabled and will be notified of their infection via e-mail.

In order for the network connection to be reactivated, the infected computer must be thoroughly cleaned. A simple virus scan may find some form of this trojan, however, removing this type of malware takes more than virus scanning. If a virus scan is done and nothing more, the machine will become re-infected.

Cleanup of a Mebroot/Torpig infected computer should follow the process outlined below. Please note: this process should be performed by qualified and experienced technicians. Also, before starting these instructions below, all data on the computer (documents, personal files, etc.) must be backed up, as the system will be wiped clean.

  1. The Master Boot Record (MBR) of the infected computer must be wiped.
  2. The hard drive of the infected computer must be reformatted.
  3. The OS must be reinstalled (or restored from a known clean image).
  4. The OS must be brought up to date with all OS updates.
  5. All applications will need to be reinstalled with the latest, patched versions.
  6. The computer must be brought up to the Minimum Standards as defined by the UCR Minimum Standards policy. This includes installing and anti-virus/anti-spyware program such as the campus provided Sophos product.

It is critical to follow the above steps as recommended in order to correctly clean any host infected with Mebroot, Torpig, or related botnet malware. 

Failure to comply will most likely result in reinfection and continued botnet activity from the respective host. This will result in network disconnection and further remediation by UCR Computing.

C&C will be looking for new tools to help users spot this infection and perhaps anti-virus updates to help stop the spread, please check back for future updates.

More Information 

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541