Updated: April 5, 2010

The Torpig, also known as Sinowal, malware places obfuscated malicious JavaScript into a website's web pages and or JavaScript files. The malicious code placed on the website's pages and JavaScript files is changed from time to time and may be removed altogether as well. To clean the website, the website needs to be reverted to a clean backup or the malicious code needs to be removed from the web pages and or JavaScript files. The malware also adds a backdoor script called mailcheck.php, which allows the hacker remote access to the website, on to the website which need to removed. The malware gains access to the website through FTP credentials that have been compromised by malware located on a computer that has accessed the website via FTP. To prevent the website from being reinfected the FTP password needs to be changed, the backdoor script(s) removed, and the malware removed from the infected computer before it used again to access the website via FTP.

Recent Script Format:

Recent Virus Scan Identifications: JS/Sinowal-G, Mal/ObfJS-AG, HTML:IFrame-KU [Trj], Trojan-Downloader.JS.Twetti.A, VirTool:JS/Obfuscator.M

Related:

Resources

• Request a Malware Review from Google
• Request a Malware Review from Yahoo
• Request a Malware Review from Bing
• Set Up a Google Malware Warning Email Alert
• Cross-Site Malware Warning
• Unobfuscate JavaScript Malware