RE: [Full-Disclosure] FW: Fake Email (Update)

From: Tiago Halm (thalm_at_netcabo.pt)
Date: 02/28/04

  • Next message: Roy M. Silvernail: "Re: [Full-Disclosure] Re: Windows 2000 Source Code"
    To: <iss@uni.de>, <full-disclosure@lists.netsys.com>
    Date: Sat, 28 Feb 2004 16:31:30 -0000
    
    

    Thanks to all!
    My only doubt was the writing of the email, but with your link things got
    clear.

    Tiago Halm

    > Knock Knock, I'm Sober.C
    > Yes, I'm a virus/worm. I spread via file sharing on
    > peer-to-peer networks
    > and by emailing.
    > Just have a look at
    > http://www.sophos.com/virusinfo/analyses/w32soberc.html
    > and close this thread.
    >
    >
    > ISS

    >
    > <<snip>>
    > > Size: 74142 bytes
    > >
    > > Executed strings (ANSI and UNICODE) on it, but could not find anything
    > > relevant.
    >
    > Because it is compressed -- at runtime a stub routine
    > decompresses the bulk
    > of the .EXE file into memory, fixes things up and then starts "normal"
    > execution of the program...
    >
    > > Also ran DUMPBIN /ALL and saw only the following imports:
    > >
    > > Section contains the following imports:
    > >
    > > KERNEL32.DLL
    > <<snip>>
    > > MSVBVM60.DLL
    > <<snip>>
    > > Does anyone recognize something with this?
    >
    > From the above and earlier clues, it sounds like it should be Sober.C (or
    > perhaps a similar, new Sober variant?). Does a reliable, up-to-date virus
    > scanner detect it?
    >
    > > If someone needs the attachment, I'll send it zipped by email.
    >
    > If it is not detected by major virus scanners, send a sample to their
    > developers. No-one else "needs" it...
    >
    >
    > --
    > Nick FitzGerald

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
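
The quoted explanation of why `strings` found nothing relevant (the bulk of the .EXE is compressed and only inflated at runtime) can be reproduced on constructed data. This is an added example, not part of the original thread: zlib stands in for whatever packer was actually used, and the body, the marker strings and the 7.0 entropy threshold are assumptions made for illustration.

```python
import hashlib
import math
import re
import zlib
from collections import Counter

def extract_strings(data, min_len=6):
    """Printable ANSI and UTF-16LE runs, as `strings` reports in both modes."""
    ansi = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [a.decode("ascii") for a in ansi] + [w.decode("utf-16-le") for w in wide]

def shannon_entropy(data):
    """Bits per byte; text and code sit well below 8, compressed data near 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def looks_packed(data, threshold=7.0):
    """Triage heuristic (threshold is an assumption): near-random bytes suggest packing."""
    return shannon_entropy(data) > threshold

# Constructed stand-in for a program body full of readable strings.
BODY = b"".join(
    b"constructed-marker %d host-%s.example.test\n"
    % (i, hashlib.sha256(b"%d" % i).hexdigest().encode())
    for i in range(400)
)
# Constructed "packed file": the import names from the DUMPBIN output stay
# readable in the stub, while the body is stored compressed.
STUB = b"KERNEL32.DLL\x00MSVBVM60.DLL\x00"
PACKED = STUB + zlib.compress(BODY, 9)

def marker_hits(data):
    """Strings from the body that an analyst would call relevant."""
    return [s for s in extract_strings(data) if "example.test" in s]

def unpack(packed):
    """Models the runtime stub: inflate the body so its strings become visible."""
    return zlib.decompress(packed[len(STUB):])

if __name__ == "__main__":
    for name, blob in (("packed", PACKED), ("unpacked", unpack(PACKED))):
        print(name, "entropy=%.2f" % shannon_entropy(blob),
              "packed?", looks_packed(blob), "relevant strings:", len(marker_hits(blob)))
```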

