RE: [Full-Disclosure] FW: Fake Email (Update)
From: Tiago Halm (thalm_at_netcabo.pt)
To: <firstname.lastname@example.org>, <email@example.com> Date: Sat, 28 Feb 2004 16:31:30 -0000
Thanks to all!
My only doubt was the writing of the email, but with your link things got
> Knock Knock, I'm Sober.C
> Yes, I'm a virus/worm. I spread via file sharing on
> peer-to-peer networks
> and by emailing.
> Just have a look at
> and close this thread.
> > Size: 74142 bytes
> > Executed strings (ANSI and UNICODE) on it, but could not
> find anything
> > relevant.
> Because it is compressed -- at runtime a stub routine
> decompresses the bulk
> of the .EXE file into memory, fixes things up and then starts "normal"
> execution of the program...
> > Also ran DUMPBIN /ALL and saw only the following imports:
> > Section contains the following imports:
> > KERNEL32.DLL
> > MSVBVM60.DLL
> > Does anyone recognize something with this?
> From the above and earlier clues, it sounds like it should be
> Sober.C (or
> perhaps a similar, new Sober variant?). Does a reliable,
> up-to- date virus
> scanner detect it?
> > I someone needs the attachment, I'll send it zipped by email.
> If it is not detected by major virus scanners, send a sample to their
> developers. No-one else "needs" it...
> Nick FitzGerald
Full-Disclosure - We believe in it.