LAN with Torpig/Anserin: How to reveal which PC?

Hello everybody.


I have an SMTP server (Exchange 2003) that has been blacklisted, and the reason CBL gives me is:


"This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.

This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at, with contents unique to Torpig C&C command protocols."


Now, I ran Malwarebytes scans on each PC in that LAN, including the server itself: they cleaned some stuff, but it seems that was not enough.

How do I now proceed to detect which host is infected?

And afterwards, how do I best clean it completely?


I was thinking about putting a sniffer (Wireshark) in the network (inserting a hub between the DSL router and the main switch, and connecting the sniffer PC to that hub as well).


What do you suggest?


Kind regards and TIA!
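The sniffer placement described in the post puts the capture point on the LAN side of the router, so the pre-NAT source addresses of every outbound connection are visible. Below is an added example (not from the original post or from any product) that turns such a capture into a ranked list of internal hosts talking to the destinations named in a blocklist notice. The capture lines, the LAN range and the suspect destination addresses are all constructed placeholders; the real addresses would come from the CBL notice, which this post does not reproduce.

```python
"""Attribute outbound connections seen by a LAN-side sniffer to internal hosts.

Assumed input shape (one record per line, tab-separated), as produced by a
tshark field export such as:
  tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample records: epoch<TAB>src<TAB>dst<TAB>dstport
SAMPLE_CAPTURE = """\
1304412121.10\t192.168.1.10\t192.168.1.1\t53
1304412121.40\t192.168.1.17\t203.0.113.5\t443
1304412122.05\t192.168.1.2\t198.51.100.200\t25
1304412125.77\t192.168.1.17\t203.0.113.5\t443
1304412130.12\t192.168.1.23\t198.51.100.23\t8080
1304412131.00\t192.168.1.17\t198.51.100.23\t8080
"""

# Placeholder destinations; substitute the addresses quoted in the blocklist notice.
SUSPECT_DESTINATIONS = {"203.0.113.5", "198.51.100.23"}

# Placeholder internal range; adjust to the LAN behind the NAT router.
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_capture(text):
    """Yield (timestamp, src, dst, dstport) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split("\t")
        yield float(ts), src, dst, int(port)


def rank_hosts(text, suspects, lan=LAN):
    """Return [(internal_host, hit_count, [suspect_dsts...])], most hits first.

    Only sources inside the LAN range are counted, so the router's own
    traffic and replies from outside do not pollute the ranking.
    """
    hits = Counter()
    dests = defaultdict(set)
    for _, src, dst, _port in parse_capture(text):
        if ipaddress.ip_address(src) in lan and dst in suspects:
            hits[src] += 1
            dests[src].add(dst)
    return [(host, n, sorted(dests[host])) for host, n in hits.most_common()]


if __name__ == "__main__":
    for host, n, targets in rank_hosts(SAMPLE_CAPTURE, SUSPECT_DESTINATIONS):
        print(f"{host}: {n} connection(s) to {', '.join(targets)}")
```

Hosts at the top of the list are the ones to take off the network and examine first; a host that never appears may still be infected but idle, so the capture should run long enough to cover a full working day.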

