Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Ruh-Roh SOBIG.G?
From: Joe Stewart <jstewart () lurhq com>
Date: Thu, 25 Sep 2003 16:40:48 -0400

On Thursday 25 September 2003 03:18 am, Dragos Ruiu wrote:
Now I noted with concern this morning that I started getting more
wicked screensavers. :-) Analysis indicates that this new nuisance of
this the newly ressurected malware does not correspond with any of
the earlier variants. (the files show the same variations in length
as the older SOBIG.F) I did a little poking at it and it seems to be
pretty similar to the old one. I can provide this to anyone who needs
it but you should have a copy of it already. :-(

It's probably from someone with their system date set back before the 
Sobig.f cutoff. You can easily differentiate between Sobig versions by 
reading the PE timestamp field. Below you can find a short Perl script 
I wrote to automate the process of retrieving the PE timestamp from an 
executable. Not every compiler sets this field with the compile date, 
but the one the Sobig author uses does (VC++).

If your pif sample was not compiled on Sun Aug 17 12:54:53 2003 then you 
have a different variant.


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation


# read-pe-timestamp.pl 
# by Joe Stewart <jstewart () lurhq com>
# usage: ./read-pe-timestamp.pl <PE file>
# tested on Linux; Win32 users may need to add binmode()

use strict;

my $filename = $ARGV[0];
my $now = time;
my $old = 800000000;
die "Usage: $0 <PE file>\n" unless $filename;
open(IN, $filename) or die "Couldn't open $filename : $!\n";
for (0..255) {
        my $dword;
        read(IN, $dword, 4);
        next unless $dword eq "PE\x00\x00";
        read(IN, $dword, 4);
        read(IN, $dword, 4);
        my $t = unpack("N*", reverse($dword));
        my $time = localtime($t);
        print "$filename was compiled on $time\n";
        print "(Probably erroneous)\n" if ($t >= $now || $t <= $old);
        close IN;
close IN;
print "Could not find PE header in $filename\.\n";

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]