[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] FW: Fake Email (Update)
- To: <iss@xxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] FW: Fake Email (Update)
- From: "Tiago Halm" <thalm@xxxxxxxxxx>
- Date: Sat, 28 Feb 2004 16:31:30 -0000
Thanks to all!
My only doubt was the writing of the email, but with your link things got
clear.
Tiago Halm
> Knock Knock, I'm Sober.C
> Yes, I'm a virus/worm. I spread via file sharing on
> peer-to-peer networks
> and by emailing.
> Just have a look at
> http://www.sophos.com/virusinfo/analyses/w32soberc.html
> and close this thread.
>
>
> ISS
>
> <<snip>>
> > Size: 74142 bytes
> >
> > Executed strings (ANSI and UNICODE) on it, but could not
> find anything
> > relevant.
>
> Because it is compressed -- at runtime a stub routine
> decompresses the bulk
> of the .EXE file into memory, fixes things up and then starts "normal"
> execution of the program...
>
> > Also ran DUMPBIN /ALL and saw only the following imports:
> >
> > Section contains the following imports:
> >
> > KERNEL32.DLL
> <<snip>>
> > MSVBVM60.DLL
> <<snip>>
> > Does anyone recognize something with this?
>
> From the above and earlier clues, it sounds like it should be
> Sober.C (or
> perhaps a similar, new Sober variant?). Does a reliable,
> up-to- date virus
> scanner detect it?
>
> > I someone needs the attachment, I'll send it zipped by email.
>
> If it is not detected by major virus scanners, send a sample to their
> developers. No-one else "needs" it...
>
>
> --
> Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html