RE: Ruh-Roh SOBIG.G?

To: <kruse@xxxxxxxxxxx>, "'Liviu Daia'" <Liviu.Daia@xxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Ruh-Roh SOBIG.G?
From: "Larry Seltzer" <larry@xxxxxxxxxxxxxxxx>
Date: Fri, 26 Sep 2003 06:45:15 -0400
Importance: Normal
In-reply-to: <000901c383b0$b3dc7c40$0202a8c0@teliahomebase>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

I thought it had expired on 9/10, and it did stop coming for a while. I'm 
seeing it
again too; actually, I'm seeing two different attachment sizes in the new ones, 
one
around 70K and the other around 100K. 

Did someone reissue Sobig.F with a new expiration date?

Larry Seltzer
Security Editor, eWEEK.com
http://security.eweek.com/
larryseltzer@xxxxxxxxxxxxx 

-----Original Message-----
From: Peter Kruse [mailto:kruse@xxxxxxxxxxxxxxxx] 
Sent: Thursday, September 25, 2003 6:02 PM
To: 'Liviu Daia'; bugtraq@xxxxxxxxxxxxxxxxx
Subject: SV: Ruh-Roh SOBIG.G?


Hi,

There is no new Sobig worm here. I just ran through samples received by the 
original
poster and I can confirm that these are all Sobig-F samples. The worm is known 
to be
polymorphic which by nature will change the size and content of the code. 
Nothing new
here.

Kind regards // Med venlig hilsen

Peter Kruse
CSIS / Kruse Security ApS
http://www.krusesecurity.dk

References:
- SV: Ruh-Roh SOBIG.G?
  - From: Peter Kruse

Prev by Date: [SECURITY] [DSA-390-1] New marbles packages fix buffer overflow
Next by Date: RE: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
Previous by thread: SV: Ruh-Roh SOBIG.G?
Next by thread: Re: Ruh-Roh SOBIG.G?
Index(es):
- Date
- Thread