Home page logo

bugtraq logo Bugtraq mailing list archives

RE: Ruh-Roh SOBIG.G?
From: "James C. Slora, Jr." <james.slora () phra com>
Date: Fri, 26 Sep 2003 15:22:45 -0400

I have received one classic Swen.A message with an SCR attachment.

What does this have to do with Sobig.x?

Most likely we are seeing the results of secondary file infectors -
Yaha, Klez, Bugbear, etc. Virus detection is generally "first and out".
I have previously seen file infectors piggybacking on the virus du jour.

Plus jerks spamming out custom trojans. Some of them might hide their
payload as a file infection inside a common malware whose social
engineering has been successful. This has the benefit to the jerk of
delaying AV company detection of his malware. Recipients who open the
attachment get the alert from their AV software and they think they were
protected, while the trojan continues its business unimpeded. Depending
on many factors of course.

-----Original Message-----
From: Larry Seltzer [mailto:larry () larryseltzer com]
Sent: Friday, September 26, 2003 6:45 AM
To: kruse () railroad dk; 'Liviu Daia'; bugtraq () securityfocus com
Subject: RE: Ruh-Roh SOBIG.G?

I thought it had expired on 9/10, and it did stop coming for 
a while. I'm seeing it
again too; actually, I'm seeing two different attachment 
sizes in the new ones, one
around 70K and the other around 100K. 

Did someone reissue Sobig.F with a new expiration date?

Larry Seltzer
Security Editor, eWEEK.com
larryseltzer () ziffdavis com 

-----Original Message-----
From: Peter Kruse [mailto:kruse () krusesecurity dk] 
Sent: Thursday, September 25, 2003 6:02 PM
To: 'Liviu Daia'; bugtraq () securityfocus com
Subject: SV: Ruh-Roh SOBIG.G?


There is no new Sobig worm here. I just ran through samples 
received by the original
poster and I can confirm that these are all Sobig-F samples. 
The worm is known to be
polymorphic which by nature will change the size and content 
of the code. Nothing new

Kind regards // Med venlig hilsen

Peter Kruse
CSIS / Kruse Security ApS

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]