From: thalm at netcabo.pt (Tiago Halm)
Subject: FW: Fake Email (Update)

Thanks to all!
My only doubt was the writing of the email, but with your link things got clear.

Tiago Halm

> Knock Knock, I'm Sober.C
> Yes, I'm a virus/worm. I spread via file sharing on peer-to-peer networks
> and by emailing.
> Just have a look at
> http://www.sophos.com/virusinfo/analyses/w32soberc.html
> and close this thread.
>
>
> ISS

> <<snip>>
> > Size: 74142 bytes
> >
> > Executed strings (ANSI and UNICODE) on it, but could not find anything
> > relevant.
>
> Because it is compressed -- at runtime a stub routine decompresses the bulk
> of the .EXE file into memory, fixes things up and then starts "normal"
> execution of the program...
>
> > Also ran DUMPBIN /ALL and saw only the following imports:
> >
> > Section contains the following imports:
> >
> > KERNEL32.DLL
> <<snip>>
> > MSVBVM60.DLL
> <<snip>>
> > Does anyone recognize something with this?
>
> From the above and earlier clues, it sounds like it should be Sober.C (or
> perhaps a similar, new Sober variant?). Does a reliable, up-to-date virus
> scanner detect it?
>
> > If someone needs the attachment, I'll send it zipped by email.
>
> If it is not detected by major virus scanners, send a sample to their
> developers. No-one else "needs" it...
>
>
> --
> Nick FitzGerald
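
Added example, not part of the original thread: a small Python triage sketch showing why a strings pass finds nothing relevant in a runtime-compressed file, and how byte entropy flags the compression. The buffer is constructed for the demo (it is not the attachment discussed above), zlib is an assumed stand-in for the packer's compressor, and all function names and the threshold are hypothetical.

```python
import hashlib
import math
import re
import zlib
from collections import Counter

# Import names quoted in the thread, used here only as recognisable markers.
MARKERS = [b"KERNEL32.DLL", b"MSVBVM60.DLL"]

def build_sample():
    """Constructed stand-in for an unpacked program body (not the real sample)."""
    rows = [b"cfg=" + hashlib.sha256(str(i).encode()).hexdigest().encode()
            for i in range(200)]
    return b"\x00".join(MARKERS + rows) + b"\x00"

def pack(data):
    """Assumption: zlib stands in for whatever compressor the packer uses."""
    return zlib.compress(data, 9)

def unpack(blob):
    """What the runtime stub does in memory before normal execution starts."""
    return zlib.decompress(blob)

def ansi_strings(data, min_len=6):
    """Printable-ASCII runs, roughly what a strings tool reports for ANSI text."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def markers_visible(data):
    """Markers that a strings pass over this buffer would reveal."""
    found = ansi_strings(data)
    return [m for m in MARKERS if any(m in s for s in found)]

def entropy(data):
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data, threshold=7.0):
    """threshold is an illustrative cut-off, not a value from the thread."""
    h = entropy(data)
    return {"entropy": round(h, 2), "visible_markers": markers_visible(data),
            "likely_packed": h >= threshold}

if __name__ == "__main__":
    plain = build_sample()
    for label, blob in (("unpacked", plain), ("packed", pack(plain))):
        print(label, len(blob), triage(blob))
```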