RE: Ruh-Roh SOBIG.G?
I have received one classic Swen.A message with an SCR attachment.
What does this have to do with Sobig.x?
Most likely we are seeing the results of secondary file infectors -
Yaha, Klez, Bugbear, etc. Virus detection is generally "first and out".
I have previously seen file infectors piggybacking on the virus du jour.
Plus jerks spamming out custom trojans. Some of them might hide their
payload as a file infection inside a common malware whose social
engineering has been successful. This has the benefit to the jerk of
delaying AV company detection of his malware. Recipients who open the
attachment get the alert from their AV software and they think they were
protected, while the trojan continues its business unimpeded, depending
on many factors of course.
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@xxxxxxxxxxxxxxxx]
> Sent: Friday, September 26, 2003 6:45 AM
> To: kruse@xxxxxxxxxxx; 'Liviu Daia'; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Ruh-Roh SOBIG.G?
>
>
> I thought it had expired on 9/10, and it did stop coming for a while. I'm seeing it
> again too; actually, I'm seeing two different attachment sizes in the new ones, one
> around 70K and the other around 100K.
>
> Did someone reissue Sobig.F with a new expiration date?
>
> Larry Seltzer
> Security Editor, eWEEK.com
> http://security.eweek.com/
> larryseltzer@xxxxxxxxxxxxx
>
> -----Original Message-----
> From: Peter Kruse [mailto:kruse@xxxxxxxxxxxxxxxx]
> Sent: Thursday, September 25, 2003 6:02 PM
> To: 'Liviu Daia'; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: SV: Ruh-Roh SOBIG.G?
>
>
> Hi,
>
> There is no new Sobig worm here. I just ran through samples received by the original
> poster and I can confirm that these are all Sobig-F samples. The worm is known to be
> polymorphic which by nature will change the size and content of the code. Nothing new
> here.
>
> Kind regards // Med venlig hilsen
>
> Peter Kruse
> CSIS / Kruse Security ApS
> http://www.krusesecurity.dk
>
>