This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark installed to monitor outgoing email traffic

0

I have a network with about 20 PCs running mainly XP. We got blacklisted and can't send email out anymore. Internet provider said we are infected by the torpig virus. I installed wireshark on a pc to monitor traffic and I have 4 days of data but don't know what to look for. Can anyone help with this? ISP said it was made through an IP 91.19.36.89

asked 09 Aug '11, 09:19


sts
1111
accept rate: 0%


One Answer:

1

Uh oh...

According to this document, section 5.1, Torpig communicates via HTTP POST requests that are pretty cryptic - meaning, that there is no human readable part in the post request, just HEX patterns.

In your case I'd filter out all packets that do POST requests, like this: http.request.method==POST (put that into the filter entry bar just on top of the packet list, after loading one of your trace files). Then, do a comparison by eye to see if you can detect those cryptic patterns (the human eye is pretty good at this, so just scroll through the filtered packets).

If you see any, your provider was probably right. Then you need to determine which station it is on your network and take it down, back up all vital data, and reinstall it. Most forensic experts do not advise trying to clean the infected system unless you're a forensic expert yourself, because it is pretty hard to tell if you "got it all". Instead, do the reinstall and start with a clean slate.

answered 09 Aug '11, 09:30


Jasper ♦♦
23.8k551284
accept rate: 18%
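The "compare by eye" step above can be turned into a repeatable triage check. The following Python script is an added example, not code from the answerer or from the Wireshark project: it parses raw HTTP requests, keeps only POSTs, and scores each body on how much of it is printable text and how random it is (Shannon entropy). A form submission from a browser is almost entirely printable and low-entropy; an opaque binary body of the kind the answer describes scores the opposite way. The sample requests are constructed inline, and the thresholds (90 % printable, 6.0 bits/byte) are assumptions chosen for illustration, not values from the page or from any Torpig write-up.

```python
import math
import string
from collections import Counter

# Constructed sample requests (not captured traffic). The first is an
# ordinary form login, the second a POST whose body is opaque binary
# (every byte value twice, so it is maximally "random"), the third a GET
# that the filter must ignore regardless of its body.
_FORM_BODY = b"user=alice&action=login&remember=1"
BENIGN_POST = (
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_FORM_BODY)).encode() + b"\r\n\r\n" + _FORM_BODY
)
_OPAQUE_BODY = bytes(range(256)) * 2
OPAQUE_POST = (
    b"POST /xyz/checkin.php HTTP/1.1\r\nHost: c2.example\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(_OPAQUE_BODY)).encode() + b"\r\n\r\n" + _OPAQUE_BODY
)
GET_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"

# Assumed thresholds: below this share of printable bytes, or above this
# entropy (bits per byte), a POST body no longer looks like text a human wrote.
MIN_PRINTABLE_RATIO = 0.90
MAX_ENTROPY_BITS = 6.0

_PRINTABLE = frozenset(string.printable.encode())


def parse_http_request(raw: bytes):
    """Split a raw request into (method, path, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return method.decode(), path.decode(errors="replace"), headers, body


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are ASCII printable (string.printable)."""
    if not data:
        return 1.0
    return sum(1 for b in data if b in _PRINTABLE) / len(data)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_request(raw: bytes) -> dict:
    """Score one request; only POSTs with opaque bodies are marked suspicious."""
    method, path, headers, body = parse_http_request(raw)
    ratio = printable_ratio(body)
    entropy = shannon_entropy(body)
    reasons = []
    if method == "POST":
        if ratio < MIN_PRINTABLE_RATIO:
            reasons.append(f"only {ratio:.0%} of body bytes printable")
        if entropy > MAX_ENTROPY_BITS:
            reasons.append(f"body entropy {entropy:.2f} bits/byte")
    return {
        "method": method,
        "host": headers.get("host", "?"),
        "path": path,
        "body_len": len(body),
        "printable_ratio": ratio,
        "entropy": entropy,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan_requests(raw_requests) -> list:
    """Return the classification of every request that was flagged."""
    return [r for r in map(classify_request, raw_requests) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan_requests([BENIGN_POST, OPAQUE_POST, GET_REQUEST]):
        print(f"{hit['method']} {hit['host']}{hit['path']}: {'; '.join(hit['reasons'])}")
```

Once a POST is flagged, the host that sent it is the station to pull off the network. The same two metrics work on bodies exported from a capture: in Wireshark, select a POST with the display filter above and use "Follow TCP Stream" or export the HTTP object, then feed the bytes to `classify_request`.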