lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <003601c3fe18$536e3eb0$0b0010ac@Casa.Local>
From: thalm at netcabo.pt (Tiago Halm)
Subject: FW: Fake Email (Update)

Thanks to all!
My only doubt was the writing of the email, but with your link things got
clear.

Tiago Halm

> Knock Knock, I'm Sober.C
> Yes, I'm a virus/worm. I spread via file sharing on 
> peer-to-peer networks
> and by emailing. 
> Just have a look at 
> http://www.sophos.com/virusinfo/analyses/w32soberc.html
> and close this thread. 
> 
> 
> ISS

> 
> <<snip>>
> > Size: 74142 bytes
> > 
> > Executed strings (ANSI and UNICODE) on it, but could not 
> find anything 
> > relevant.
> 
> Because it is compressed -- at runtime a stub routine 
> decompresses the bulk
> of the .EXE file into memory, fixes things up and then starts "normal"
> execution of the program...
> 
> > Also ran DUMPBIN /ALL and saw only the following imports:
> > 
> > Section contains the following imports:
> > 
> >     KERNEL32.DLL
> <<snip>> 
> >     MSVBVM60.DLL
> <<snip>>
> > Does anyone recognize something with this?
> 
> From the above and earlier clues, it sounds like it should be 
> Sober.C (or
> perhaps a similar, new Sober variant?).  Does a reliable, 
> up-to- date virus
> scanner detect it?
> 
> > I someone needs the attachment, I'll send it zipped by email.
> 
> If it is not detected by major virus scanners, send a sample to their
> developers.  No-one else "needs" it...
> 
> 
> -- 
> Nick FitzGerald


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ