Full Disclosure mailing list archives
Re: Bogus FBI Email
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 09 Jan 2004 23:48:03 +1300
"Casey Townsend" replied to Valdis Kletnieks: [restructured to correct for top posting-itis...]
> > W32/Sober-C, I believe. Consult your favorite AV vendor's info pages
> > for details.
>
> I received the following private reply which makes me think it is NOT
> W32/Sober-C, as Norton would have caught it.
>
> "An associate of mine had this one hit his computer and he had to start
> from scratch with a complete rebuild. He told me he felt pretty stupid
> about it because he isn't one of the people that don't have a clue, but
> the fact that it was intimidating enough led him to open the mail and it
> ran. It got by Norton as well and he could not recover when it hit him.
> That is about all I know about it at this time."
Ahhh yes, a FOAF denial -- generally even harder to refute than "firsthand" FOAFs...
From the described content, the odds are phenomenally high that the message he saw was produced by Sober.C. As to why NAV "missed" detecting the attachment (or not), there are myriad possible explanations, none of which can be satisfactorily divined from your friend's chronically deficient description of the events. However, based on much experience of such things in general (and some experience with Sober.C) I'll list, in no particular order, a few of the most likely explanations of NAV's failure in this case...

1. He had unwittingly turned off NAV's Email scanning...

2. ... or his kids deliberately turned it off to speed up their favourite shoot'em up.

3. He had been infested with some other, unknown to NAV (at the time), malware which disabled NAV before the message arrived.

4. His NAV update subscription has expired so he has not received a NAV update since before Symantec added detection of Sober.C.

5. Some other systematic problem has recently been introduced into his setup which has prevented NAV updating (how clueful is his ISP? Did he block LiveUpdate from accessing the Internet in the firewall?).

6. The copy of Sober.C attached to the message was truncated, and thus corrupted and (probably) unrunnable. Regardless of its runnability, NAV failed to detect it because some part of the file critical to NAV's detection of Sober.C is "missing". Yes, I've seen this with Sober.C.

7. The copy of Sober.C attached to the message has been infected with some other, parasitic PE infector which is now tagging along with Sober.C. Because this is a new virus, NAV may not detect it (and almost certainly wouldn't report Sober.C). I've not seen any other virus piggybacking with Sober.C yet, but based on much experience with other self-mailing PE viruses, it's only a matter of time...

...and many others I now can't be bothered describing.

Anyway, the bogus FBI messages you asked about (plus several other interesting SE approaches) are used by Sober.C, and as of this writing _only_ by Sober.C.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
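The truncated-attachment case in point 6 above, as an added example that is not part of Nick's post: a Python check for mail-gateway triage that reads the PE section table of a decoded attachment and flags a file whose declared section data runs past end-of-file, i.e. a copy that a scanner may not match and that will not load either. The minimal PE builder and the sample bytes are constructed here for offline testing and are not taken from any real worm.

```python
import struct

def pe_expected_size(data):
    """Smallest file length that would hold every section the PE headers
    declare. Raises ValueError if the headers themselves are cut off."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE header missing or cut off")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    table = pe + 24 + opt_size                              # section table start
    expected = table + 40 * nsec                            # 40-byte section headers
    for i in range(nsec):
        hdr = table + 40 * i
        if hdr + 24 > len(data):
            break                                           # table itself truncated
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        expected = max(expected, ptr_raw + size_raw)
    return expected

def is_truncated(data):
    """True when bytes the section table points at lie beyond end-of-file."""
    return pe_expected_size(data) > len(data)

def build_sample_pe(payloads):
    """Constructed minimal PE (no optional header) used only as test input."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, 0, 0)
    raw_start = e_lfanew + len(coff) + 40 * len(payloads)
    headers, body = b"", b""
    for i, payload in enumerate(payloads):
        name = (b".s%d" % i).ljust(8, b"\0")
        headers += name + struct.pack("<IIIIIIHHI", len(payload), 0x1000 * (i + 1),
                                      len(payload), raw_start + len(body),
                                      0, 0, 0, 0, 0x60000020)
        body += payload
    return dos + coff + headers + body

if __name__ == "__main__":
    full = build_sample_pe([b"A" * 200, b"B" * 300])   # constructed 668-byte file
    cut = full[:-100]                                   # simulates a transfer that lost the tail
    print(len(full), is_truncated(full))                # 668 False
    print(len(cut), is_truncated(cut))                  # 568 True
```

A gateway that quarantines attachments where `is_truncated` is true, or where the header check raises, keeps the unrunnable-but-unscannable copies out of the inbox instead of relying on the signature match alone.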
Current thread:
- Bogus FBI Email Casey Townsend (Jan 08)
- Re: Bogus FBI Email Valdis . Kletnieks (Jan 08)
- <Possible follow-ups>
- Re: Bogus FBI Email Casey Townsend (Jan 08)
- Re: Bogus FBI Email Nick FitzGerald (Jan 09)