Full Disclosure mailing list archives

AW: FW: Fake Email (Update)


From: <iss () uni de>
Date: Sat, 28 Feb 2004 10:41:05 +0100

Knock Knock, I'm Sober.C
Yes, I'm a virus/worm. I spread via file sharing on peer-to-peer networks
and by emailing. 
Just have a look at http://www.sophos.com/virusinfo/analyses/w32soberc.html
and close this thread. 


ISS

-----Ursprüngliche Nachricht-----
Von: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] Im Auftrag von Nick
FitzGerald
Gesendet: Samstag, 28. Februar 2004 03:21
An: full-disclosure () lists netsys com
Betreff: Re: [Full-Disclosure] FW: Fake Email (Update)

"Tiago Halm" <thalm () netcabo pt> wrote:

<<snip>>
Size: 74142 bytes

Executed strings (ANSI and UNICODE) on it, but could not find anything 
relevant.

Because it is compressed -- at runtime a stub routine decompresses the bulk
of the .EXE file into memory, fixes things up and then starts "normal"
execution of the program...

Also ran DUMPBIN /ALL and saw only the following imports:

Section contains the following imports:

    KERNEL32.DLL
<<snip>> 
    MSVBVM60.DLL
<<snip>>
Does anyone recognize something with this?

From the above and earlier clues, it sounds like it should be Sober.C (or
perhaps a similar, new Sober variant?).  Does a reliable, up-to- date virus
scanner detect it?

I someone needs the attachment, I'll send it zipped by email.

If it is not detected by major virus scanners, send a sample to their
developers.  No-one else "needs" it...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: