[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] FW: Fake Email (Update)

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] FW: Fake Email (Update)
From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 28 Feb 2004 15:20:53 +1300

"Tiago Halm" <thalm@xxxxxxxxxx> wrote:

<<snip>>
> Size: 74142 bytes
> 
> Executed strings (ANSI and UNICODE) on it, but could not find anything
> relevant.

Because it is compressed -- at runtime a stub routine decompresses the 
bulk of the .EXE file into memory, fixes things up and then starts 
"normal" execution of the program...

> Also ran DUMPBIN /ALL and saw only the following imports:
> 
> Section contains the following imports:
> 
>     KERNEL32.DLL
<<snip>> 
>     MSVBVM60.DLL
<<snip>>
> Does anyone recognize something with this?

From the above and earlier clues, it sounds like it should be Sober.C 
(or perhaps a similar, new Sober variant?).  Does a reliable, up-to-
date virus scanner detect it?

> I someone needs the attachment, I'll send it zipped by email.

If it is not detected by major virus scanners, send a sample to their 
developers.  No-one else "needs" it...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- AW: [Full-Disclosure] FW: Fake Email (Update)
  - From: iss

References:
- [Full-Disclosure] Fake Email
  - From: Tiago Halm
- [Full-Disclosure] FW: Fake Email (Update)
  - From: Tiago Halm

Prev by Date: RE: [Full-Disclosure] a question about e-mails
Next by Date: Re: [Full-Disclosure] OT: Re: Empty emails?
Previous by thread: [Full-Disclosure] FW: Fake Email (Update)
Next by thread: AW: [Full-Disclosure] FW: Fake Email (Update)
Index(es):
- Date
- Thread