Sinowell or torpig trojan

[AlbertLionheart]

Anyone else come across this one?
I have a client with it on the system and at this stage it only shows itself as a change to a bank login page (asks for full pin and password - otherwise a perfect copy of the original). I am told that the virus changes it's signatures through access to a server and has been known to kill itself.
Kaspersky will stop it getting onto a system but is unable to remove it once present. The only other AV package supposed to be able to stop it is F-Secure.
It also attaches itself to the MBR and again I am told that this cannot be cleared, even with a low level format so the recommendation is to replace the hard drive. This last came from the NatWest Bank who seem very worried but do not have any other solution.
It has been around for about 18 months but is so good at hiding itself that there is no real idea of how many infected machines there are out there. Propagation by email attachments and websites.
I was able to remove it from this system once using Hijackthis but the client revisited the website (a family history site we think) and promptly reinfected the machine.
I have been instructed to replace the hard drive so that is what I will do.

Anybody have anything to add to that lot?

 

[Blind Dragon]

If they got it from a website then they had to of accepted a codec. Also, if it was a legit website then that site needs to be informed that they have been hit with an iframe attack.

There was a program I used to use and I will look up the name of it that rewrites the harddrive with 0's and 1's for X number of passes. Killdisk I think it was - it just fills the hard drive with 0's - run it for 7 passes or so and you should at least be able to reuse the hard drive

Edit: I am sure you have seen this before Albert
http://www.killdisk.com/downloadfree.htm

Active@ KillDisk conforms to US Department of Defense clearing and sanitizing standard DoD 5220.22-M. The most secure Gutmann's data destruction method is also implemented.

 

[rf6647]

One piece of folklore on this. My reference uses the spelling 'Sinowal', but claims to have the characteristic of attacking the MBR. Furthermore, Sinowal appears to be very sophisticated and has links to organized crime.

I posted "all clear" in this thread since my reference was from a year ago and there are other forms of malware that have names with 'sinowal' as part of the name.

It appears that MBAM detects & removes this threat.

I did a quick dip @NatWest Bank, but I did not see the advisory about discarding infected hard drives.

 

[AlbertLionheart]

thanks for that - the NatWest comment was verbal from their security team so may not be strictly approved!
The problem with this is that it appears to be very difficult to detect once on a system - so how do I know if I have cleared it?? Hence I suspect the suggestion of a replacement HDD.