Hmmm; Now isn’t this fun
Our IDS was tossing out the following message: ET TROJAN Tornado Pack Binary Request for one of the users, along with various others.
After some inspection; first running the local AV solution, and other solutions like Malwarebytes which did not locate the infection. I then loaded up Sysinternals Suite App, TCPView which showed several outbound connections to remote hosts. Using Process Explorer also by Sysinternals I was able to search the handle of the wow.dll discovered in TCPView. The process was bound to explorer.exe
My inspection took me to the following location: AppDataRoamingsrpetxnshntexqwow.dll where I found the virus .dll file and a config file ending in .ini with the the following contents:
[main]
version=3.0
aid=031
servers=deppeppepp.com:80; gangganggg.com:80;188.165.232.20:80;
knock=188.165.232.20
This seems to be a control file for the virus.
For now the issue remains unresolved and the users computer is set for a new image. I will be playing with the virus more in hopes to learn more of what it does and how to quickly identify it in the future. I do however think this is a Troj/Mdrop* type of infection or some variant