Full Disclosure mailing list archives
RE: FW: Fake Email (Update)
From: "Tiago Halm" <thalm () netcabo pt>
Date: Sat, 28 Feb 2004 16:31:30 -0000
Thanks to all! My only doubt was the writing of the email, but with your link things got clear. Tiago Halm
Knock Knock, I'm Sober.C Yes, I'm a virus/worm. I spread via file sharing on peer-to-peer networks and by emailing. Just have a look at http://www.sophos.com/virusinfo/analyses/w32soberc.html and close this thread. ISS
<<snip>>Size: 74142 bytes Executed strings (ANSI and UNICODE) on it, but could notfind anythingrelevant.Because it is compressed -- at runtime a stub routine decompresses the bulk of the .EXE file into memory, fixes things up and then starts "normal" execution of the program...Also ran DUMPBIN /ALL and saw only the following imports: Section contains the following imports: KERNEL32.DLL<<snip>>MSVBVM60.DLL<<snip>>Does anyone recognize something with this?From the above and earlier clues, it sounds like it should be Sober.C (or perhaps a similar, new Sober variant?). Does a reliable, up-to- date virus scanner detect it?I someone needs the attachment, I'll send it zipped by email.If it is not detected by major virus scanners, send a sample to their developers. No-one else "needs" it... -- Nick FitzGerald
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Fake Email Tiago Halm (Feb 27)
- Re: Fake Email martin f krafft (Feb 27)
- FW: Fake Email (Update) Tiago Halm (Feb 27)
- Re: FW: Fake Email (Update) Nick FitzGerald (Feb 27)
- AW: FW: Fake Email (Update) iss (Feb 28)
- RE: FW: Fake Email (Update) Tiago Halm (Feb 28)
- Re: FW: Fake Email (Update) Nick FitzGerald (Feb 27)
- RE: Fake Email Patrick Nolan (Feb 27)
- RE: Fake Email Aditya, ALD [Aditya Lalit Deshmukh] (Feb 28)