Message-ID: <4040B1D5.31942.7D4C9EE7@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: FW: Fake Email (Update)

"Tiago Halm" <thalm@...cabo.pt> wrote:

<<snip>>
> Size: 74142 bytes
>
> Executed strings (ANSI and UNICODE) on it, but could not find anything
> relevant.

Because it is compressed -- at runtime a stub routine decompresses the
bulk of the .EXE file into memory, fixes things up and then starts
"normal" execution of the program...

> Also ran DUMPBIN /ALL and saw only the following imports:
>
> Section contains the following imports:
>
> KERNEL32.DLL
<<snip>>
> MSVBVM60.DLL
<<snip>>
> Does anyone recognize something with this?

From the above and earlier clues, it sounds like it should be Sober.C
(or perhaps a similar, new Sober variant?). Does a reliable, up-to-date
virus scanner detect it?

> If someone needs the attachment, I'll send it zipped by email.

If it is not detected by major virus scanners, send a sample to their
developers. No-one else "needs" it...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
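
Added example, not part of the original message: a triage sketch of why a strings pass over a compressed executable turns up nothing relevant, and how byte entropy gives the compression away. The sample body, the marker string and the use of zlib as a stand-in for the packer's compression are all assumptions constructed for the illustration.

```python
import hashlib
import math
import re
import zlib
from collections import Counter

MARKER = b"constructed-sample-string"  # constructed, not from any real binary
RECORDS = 400

def ascii_strings(data, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def shannon_entropy(data):
    """Bits per byte: near 8.0 for compressed data, much lower for text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_body():
    """Constructed stand-in for an unpacked program body: NUL-separated strings."""
    recs = [MARKER + b" %04d " % i + hashlib.sha256(b"%d" % i).hexdigest().encode()
            for i in range(RECORDS)]
    return b"\x00".join(recs)

def marker_hits(data):
    """How many extracted strings contain the marker."""
    return sum(MARKER in s for s in ascii_strings(data))

def compare():
    body = build_body()
    packed = zlib.compress(body, 9)  # assumption: zlib stands in for the packer
    return {
        "body_hits": marker_hits(body),
        "packed_hits": marker_hits(packed),
        "body_entropy": shannon_entropy(body),
        "packed_entropy": shannon_entropy(packed),
        "roundtrip_ok": zlib.decompress(packed) == body,  # what the stub does at runtime
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

A file whose bulk sits near 8 bits per byte and whose import table is very short is worth treating as packed, so static string searches on it say little until it is unpacked in an analysis environment.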