mailing list archives
RE: Ruh-Roh SOBIG.G?
From: "James C. Slora, Jr." <james.slora () phra com>
Date: Fri, 26 Sep 2003 15:22:45 -0400
I have received one classic Swen.A message with an SCR attachment.
What does this have to do with Sobig.x?
Most likely we are seeing the results of secondary file infectors -
Yaha, Klez, Bugbear, etc. Virus detection is generally "first and out".
I have previously seen file infectors piggybacking on the virus du jour.
Plus jerks spamming out custom trojans. Some of them might hide their
payload as a file infection inside a common malware whose social
engineering has been successful. This has the benefit to the jerk of
delaying AV company detection of his malware. Recipients who open the
attachment get the alert from their AV software and they think they were
protected, while the trojan continues its business unimpeded. Depending
on many factors of course.
From: Larry Seltzer [mailto:larry () larryseltzer com]
Sent: Friday, September 26, 2003 6:45 AM
To: kruse () railroad dk; 'Liviu Daia'; bugtraq () securityfocus com
Subject: RE: Ruh-Roh SOBIG.G?
I thought it had expired on 9/10, and it did stop coming for
a while. I'm seeing it
again too; actually, I'm seeing two different attachment
sizes in the new ones, one
around 70K and the other around 100K.
Did someone reissue Sobig.F with a new expiration date?
Security Editor, eWEEK.com
larryseltzer () ziffdavis com
From: Peter Kruse [mailto:kruse () krusesecurity dk]
Sent: Thursday, September 25, 2003 6:02 PM
To: 'Liviu Daia'; bugtraq () securityfocus com
Subject: SV: Ruh-Roh SOBIG.G?
There is no new Sobig worm here. I just ran through samples
received by the original
poster and I can confirm that these are all Sobig-F samples.
The worm is known to be
polymorphic which by nature will change the size and content
of the code. Nothing new
Kind regards // Med venlig hilsen
CSIS / Kruse Security ApS