[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <003601c3fe18$536e3eb0$0b0010ac@Casa.Local>
From: thalm at netcabo.pt (Tiago Halm)
Subject: FW: Fake Email (Update)
Thanks to all!
My only doubt was the writing of the email, but with your link things got
clear.
Tiago Halm
> Knock Knock, I'm Sober.C
> Yes, I'm a virus/worm. I spread via file sharing on
> peer-to-peer networks
> and by emailing.
> Just have a look at
> http://www.sophos.com/virusinfo/analyses/w32soberc.html
> and close this thread.
>
>
> ISS
>
> <<snip>>
> > Size: 74142 bytes
> >
> > Executed strings (ANSI and UNICODE) on it, but could not
> find anything
> > relevant.
>
> Because it is compressed -- at runtime a stub routine
> decompresses the bulk
> of the .EXE file into memory, fixes things up and then starts "normal"
> execution of the program...
>
> > Also ran DUMPBIN /ALL and saw only the following imports:
> >
> > Section contains the following imports:
> >
> > KERNEL32.DLL
> <<snip>>
> > MSVBVM60.DLL
> <<snip>>
> > Does anyone recognize something with this?
>
> From the above and earlier clues, it sounds like it should be
> Sober.C (or
> perhaps a similar, new Sober variant?). Does a reliable,
> up-to- date virus
> scanner detect it?
>
> > I someone needs the attachment, I'll send it zipped by email.
>
> If it is not detected by major virus scanners, send a sample to their
> developers. No-one else "needs" it...
>
>
> --
> Nick FitzGerald
Powered by blists - more mailing lists