Full Disclosure mailing list archives
Re: FW: Fake Email (Update)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 28 Feb 2004 15:20:53 +1300
"Tiago Halm" <thalm () netcabo pt> wrote: <<snip>>
> Size: 74142 bytes
>
> Executed strings (ANSI and UNICODE) on it, but could not find anything relevant.

Because it is compressed -- at runtime a stub routine decompresses the bulk of the .EXE file into memory, fixes things up and then starts "normal" execution of the program...

> Also ran DUMPBIN /ALL and saw only the following imports:
>
> Section contains the following imports:
>
> KERNEL32.DLL
<<snip>>
> MSVBVM60.DLL
<<snip>>
> Does anyone recognize something with this?

From the above and earlier clues, it sounds like it should be Sober.C (or perhaps a similar, new Sober variant?). Does a reliable, up-to-date virus scanner detect it?

> If someone needs the attachment, I'll send it zipped by email.

If it is not detected by major virus scanners, send a sample to their developers. No-one else "needs" it...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
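The effect described in the reply above (a strings pass finding nothing relevant because the program body is stored compressed) can be reproduced on constructed data. This is an added example, not part of the original post; the sample buffer, the marker names, the 6-character threshold and the use of zlib in place of the unnamed packer are all assumptions.

```python
import math
import re
import zlib
from collections import Counter

MIN_LEN = 6  # shortest run reported; an assumed threshold for this example

def extract_strings(data: bytes) -> list:
    """Return printable runs the way a strings tool does: ANSI, then UTF-16LE."""
    ansi = re.findall(rb"[\x20-\x7e]{%d,}" % MIN_LEN, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN, data)
    return [s.decode("ascii") for s in ansi] + [w.decode("utf-16le") for w in wide]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text and code sit well below 8, compressed data near 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def build_sample() -> bytes:
    """Constructed stand-in for an unpacked program body (not the sample from the thread)."""
    body = "CONSTRUCTED-ANSI-MARKER\n" + "".join(
        f"sample_setting_{i:04d}=value_{(i * 7919) % 10007}\n" for i in range(2000))
    return body.encode("ascii") + "CONSTRUCTED-WIDE-MARKER".encode("utf-16le")

def pack(data: bytes) -> bytes:
    """zlib stands in for the packer's compression; the thread does not name the packer."""
    return zlib.compress(data, 9)

def triage(data: bytes) -> dict:
    """Summarise what a strings pass and an entropy check reveal about a buffer."""
    found = extract_strings(data)
    return {"size": len(data), "entropy": round(shannon_entropy(data), 2),
            "marker_hits": [s for s in found if "MARKER" in s]}

if __name__ == "__main__":
    plain = build_sample()
    print("unpacked:", triage(plain))
    print("packed:  ", triage(pack(plain)))
```

High entropy together with an empty strings result is a triage hint that a file is packed, not a verdict on what it contains.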