Message-ID: <3FFF3DB3.26827.3184C756@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Bogus FBI Email
"Casey Townsend" replied to Valdis Kletnieks:
[restructured to correct for top posting-itis...]
> > W32/Sober-C, I believe. Consult your favorite AV vendor's info
> > pages for details.
>
> I received the following private reply which makes me think it is NOT
> W32/Sober-C, as Norton would have caught it.
>
> "An associate of mine had this one hit his computer and he had to start
> from scratch with a complete rebuild. He told me he felt pretty stupid
> about it because he isn't one of the people that don't have a clue, but
> the fact that it was intimidating enough led him to open the mail and it
> ran. It got by Norton as well and he could not recover when it hit him.
> That is about all I know about it at this time."
Ahhh yes, a FOAF denial -- generally even harder to refute than
"firsthand" FOAFs...
From the described content, the odds are phenomenally high that the
message he saw was produced by Sober.C. As to why NAV "missed"
detecting the attachment (or not), there are myriad possible
explanations, none of which can be satisfactorily divined from your
friend's chronically deficient description of the events. However,
based on much experience of such things in general (and some experience
with Sober.C) I'll list, in no particular order, a few of the most
likely explanations of NAV's failure in this case...
1. He had unwittingly turned off NAV's Email scanning...
2. ... or his kids deliberately turned it off to speed up their
favourite shoot'em up.
3. He had been infested with some other, unknown to NAV (at the time),
malware which disabled NAV before the message arrived.
4. His NAV update subscription has expired so he has not received a
NAV update since before Symantec added detection of Sober.C.
5. Some other systematic problem has recently been introduced into his
setup which has prevented NAV updating (how clueful is his ISP? Did he
block LiveUpdate from accessing the Internet in the firewall?).
6. The copy of Sober.C attached to the message was truncated, and thus
corrupted and (probably) unrunnable. Regardless of its runnability,
NAV failed to detect it because some part of the file critical to NAV's
detection of Sober.C is "missing". Yes, I've seen this with Sober.C.
7. The copy of Sober.C attached to the message has been infected with
some other, parasitic PE infector which is now tagging along with
Sober.C. Because this is a new virus, NAV may not detect it (and
almost certainly wouldn't report Sober.C). I've not seen any other
virus piggybacking with Sober.C yet, but based on much experience with
other self-mailing PE viruses, it's only a matter of time...
...and many others I now can't be bothered describing.
Anyway, the bogus FBI messages you asked about (plus several other
interesting SE approaches) are used by Sober.C, and as of this writing
_only_ by Sober.C.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854