Bugtraq mailing list archives

RE: Ruh-Roh SOBIG.G?


From: "James C. Slora, Jr." <james.slora () phra com>
Date: Fri, 26 Sep 2003 15:22:45 -0400

I have received one classic Swen.A message with an SCR attachment.

What does this have to do with Sobig.x?

Most likely we are seeing the results of secondary file infectors -
Yaha, Klez, Bugbear, etc. Virus detection is generally "first and out".
I have previously seen file infectors piggybacking on the virus du jour.


Plus jerks spamming out custom trojans. Some of them might hide their
payload as a file infection inside a common malware whose social
engineering has been successful. This has the benefit to the jerk of
delaying AV company detection of his malware. Recipients who open the
attachment get the alert from their AV software and they think they were
protected, while the trojan continues its business unimpeded, depending
on many factors of course.

-----Original Message-----
From: Larry Seltzer [mailto:larry () larryseltzer com]
Sent: Friday, September 26, 2003 6:45 AM
To: kruse () railroad dk; 'Liviu Daia'; bugtraq () securityfocus com
Subject: RE: Ruh-Roh SOBIG.G?


I thought it had expired on 9/10, and it did stop coming for a while. I'm
seeing it again too; actually, I'm seeing two different attachment sizes in
the new ones, one around 70K and the other around 100K.

Did someone reissue Sobig.F with a new expiration date?

Larry Seltzer
Security Editor, eWEEK.com
http://security.eweek.com/
larryseltzer () ziffdavis com 

-----Original Message-----
From: Peter Kruse [mailto:kruse () krusesecurity dk] 
Sent: Thursday, September 25, 2003 6:02 PM
To: 'Liviu Daia'; bugtraq () securityfocus com
Subject: SV: Ruh-Roh SOBIG.G?


Hi,

There is no new Sobig worm here. I just ran through samples received by the
original poster and I can confirm that these are all Sobig-F samples. The
worm is known to be polymorphic, which by nature will change the size and
content of the code. Nothing new here.

Kind regards // Med venlig hilsen

Peter Kruse
CSIS / Kruse Security ApS
http://www.krusesecurity.dk
