Sobig.D already here
(PC Review newsgroup archive, Anti-Virus group)
#1 Guest

Hi all,

I received a mail with the subject "Re: Movie", and an attachment "your_details.zip", which extracts to "details.pif".

This looked very Sobiggy, but my AntiVir didn't recognize it. A short glance at it with a hex viewer shows that it is packed with ASpack. Am currently downloading the newest AntiVir, to identify it.

So take care.

Gabriele Neukam
Gabriele.Neukam@t-online.de

--
Ah, Information. A good, too valuable these days, to give it away, just so, at no cost.
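The two observations in the post above (a ZIP attachment that unpacks to a .pif, and a hex-viewer glance that reveals ASPack packing) are exactly the kind of checks a mail gateway or incident responder can script rather than do by hand. The following is an added example, not code from the thread or from any of the products mentioned; it assumes that ASPack's usual section names `.aspack` and `.adata` (and the literal string "ASPack") are a reasonable static indicator, and it builds a constructed, non-executable PE header and ZIP in place of the real sample.

```python
"""Attachment triage: flag executable members of a ZIP and look for ASPack
packing indicators in each. Added example; the sample files are constructed."""
import io
import struct
import zipfile

# Extensions that Windows runs directly; .pif is the one carried by the mail in this thread.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Section names ASPack normally gives its stub and data sections (assumed heuristic).
ASPACK_SECTION_NAMES = {b".aspack", b".adata"}


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names, or [] if the buffer does not look like a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                   # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def aspack_indicators(data: bytes) -> list:
    """Cheap static indicators of ASPack packing: tell-tale section names plus the
    literal string "ASPack" anywhere in the file (the hex-viewer check, automated)."""
    hits = []
    for name in pe_section_names(data):
        if name.lower() in ASPACK_SECTION_NAMES:
            hits.append("section " + name.decode("ascii", errors="replace"))
    if b"ASPack" in data:
        hits.append("string ASPack")
    return hits


def triage_zip(zip_bytes: bytes) -> dict:
    """Report executable members of a ZIP attachment and packing indicators on each."""
    report = {"executable_members": [], "aspack_hits": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lowered = info.filename.lower()
            ext = lowered[lowered.rfind("."):] if "." in lowered else ""
            if ext in EXECUTABLE_EXTS:
                report["executable_members"].append(info.filename)
                hits = aspack_indicators(zf.read(info))
                if hits:
                    report["aspack_hits"][info.filename] = hits
    return report


def build_fake_aspacked_pe() -> bytes:
    """Constructed stand-in for details.pif: a minimal PE header (no runnable code)
    whose section table carries ASPack's usual names. Not the real sample."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32
                        for n in (b".text", b".aspack", b".adata"))
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + sections + b"\0" * 16 + b"ASPack"


def build_sample_attachment() -> bytes:
    """Constructed your_details.zip containing the fake details.pif."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("details.pif", build_fake_aspacked_pe())
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_attachment()))
```

The point of the two-stage check is that the extension rule alone already catches the attachment the thread describes, before any signature exists for the sample; the packer indicator then tells an analyst that what they have is a packed binary and that a plain string search for contact URLs (the difficulty raised later in the thread) will not work until it is unpacked.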
#2 Guest

On Thu, 26 Jun 2003 19:42:28 +0200, Gabriele Neukam <Gabriele.Neukam@t-online.de> wrote:

> Ok, after looking up Sophos, I know it is Sobig.E. It looks like the
> programmer wasn't too content with the results of version d.

No offense, good you spotted it before any harm done.

jari
#3 Guest

"Gabriele Neukam" <Gabriele.Neukam@t-online.de> wrote:

> I received a mail with the subject "Re: Movie", and an attachment
> "your_details.zip", which extracts to "details.pif"
>
> This looked very Sobiggy, but my AntiVir didn't recognize it. A short
> glance at it with a hex viewer shows that it is packed with ASpack. Am
> currently downloading the newest AntiVir, to identify it.

I see you already discovered it was, in fact, Sobig.E.

Sobig.D was about ten days ago (from memory) and did not make anything like the "splash" of its predecessors and this successor...

--
Nick FitzGerald
#4 Guest

"Nick FitzGerald" <nick@virus-l.demon.co.uk> wrote in message news:3efb9386@clear.net.nz...

> "Gabriele Neukam" <Gabriele.Neukam@t-online.de> wrote:
>
> > I received a mail with the subject "Re: Movie", and an attachment
> > "your_details.zip", which extracts to "details.pif"
> >
> > This looked very Sobiggy, but my AntiVir didn't recognize it. A short
> > glance at it with a hex viewer shows that it is packed with ASpack. Am
> > currently downloading the newest AntiVir, to identify it.
>
> I see you already discovered it was, in fact, Sobig.E.
>
> Sobig.D was about ten days ago (from memory) and did not make anything
> like the "splash" of its predecessors and this successor...
>
> --
> Nick FitzGerald

Interesting (vaguely): AVG with DATs dated 25th (current, I just checked their webpage) failed to detect it, even after I extracted the PIF from the archive. F-prot confirmed that it's live.

Guess I'll mail it in...

Ian
#5 Guest

"akhibby" <akhibby@hotmail.com> wrote in message news:vfnerg45svbf38@corp.supernews.com...

> "Nick FitzGerald" <nick@virus-l.demon.co.uk> wrote in message
> news:3efb9386@clear.net.nz...
> > "Gabriele Neukam" <Gabriele.Neukam@t-online.de> wrote:
> >
> > > I received a mail with the subject "Re: Movie", and an attachment
> > > "your_details.zip", which extracts to "details.pif"
> > >
> > > This looked very Sobiggy, but my AntiVir didn't recognize it. A short
> > > glance at it with a hex viewer shows that it is packed with ASpack. Am
> > > currently downloading the newest AntiVir, to identify it.
> >
> > I see you already discovered it was, in fact, Sobig.E.
> >
> > Sobig.D was about ten days ago (from memory) and did not make anything
> > like the "splash" of its predecessors and this successor...
> >
> > --
> > Nick FitzGerald
>
> Interesting (vaguely) AVG with DATs dated 25th (current I just checked their
> webpage) failed to detect it, even after I extracted the PIF from the
> archive, F-prot confirmed that it's live.
>
> Guess I'll mail it in...
>
> Ian

Scratch that, they must have had two updates that day. I redownloaded and it picked it up fine.
#6 Guest

"akhibby" <akhibby@hotmail.com> wrote:

> Scratch that, they must have had two updates that day, I redownloaded and it
> picked it up fine.

Given the unexpected (initial) success of four of the five members of this family, and the enduring success of Sobig.A, which did not have a built-in drop-dead date (or has not yet reached it??), the appearance of a new Sobig variant is likely to prompt all scanner developers to release new detection updates...

--
Nick FitzGerald
#7 Guest

On that special day, Nick FitzGerald, (nick@virus-l.demon.co.uk) said...

> Given the unexpected (initial) success of four of the five members of
> this family, and the enduring success of Sobig.A which did not have a
> built-in drop dead date (or has not yet reached it??), the appearance
> of a new Sobig variant is likely to prompt all scanner developers to
> release new detection updates...

Sigh. Just today I was sent an "E" _and_ an "A".

Is there _any_ info whether the later versions do install mass mailing trojans, like the first one, described in:

http://www.lurhq.com/sobig.htm

The expiration date makes me believe that the programmer uses a "hit and run" tactic: have the worm spread, provide a server for the trojan to download, and have said server "vanish" two or three weeks later, before it is tracked by virus analysts. That would be just mean.

What I hate about Sobig.E: it is packed with ASpack, which doesn't have an uncompress option, so that I cannot analyze it to see if there is a URL it would contact.

Gabriele Neukam
Gabriele.Neukam@t-online.de

--
Ah, Information. A good, too valuable these days, to give it away, just so, at no cost.
#8 Guest

"Gabriele Neukam" <Gabriele.Neukam@t-online.de> wrote:

> Is there _any_ info, whether the later versions do install mass mailing
> trojans, like the first one, described in:
> http://www.lurhq.com/sobig.htm

To date (subsequent to the snafu over .A), the download sites coded into Sobig (and those pointed to by the "locator" file hosted thereon before we could get them closed) have been pretty promptly closed, and (generally) someone has monitored those sites for updates/changes until they have been closed.

> The expiration date makes me believe that the programmer uses a "hit and
> run" tactic, have the worm spread, provide a server for the trojan to
> download, and have said server "vanish" two or three weeks later, before
> it is tracked by virus analysts.

Well, you can think that, but typically it takes a few hours from release to capture and analysis and then a few more hours to a day or two to get the hosting sites killed. It certainly does not take us "weeks" to get on top of this (the biggest delays by far are getting through to the abuse folks at the hosting companies and getting them to remove _and permanently block_ the update sites).

> That would be just mean.
>
> What i hate about Sobig.E: It is packed with ASpack, which doesn't have
> an uncompress option, so that I cannot analyze it to see if there is an
> URL it would contact.

Well, just because the ASPack packer does not provide it does not mean that ASPack-ed EXEs cannot be unpacked. Try Googling "aspack unpacker" or similar (though you may wish to run the tools you find on a goat or in a VM...).

--
Nick FitzGerald
#9 Guest

On that special day, Nick FitzGerald, (nick@virus-l.demon.co.uk) said...

> > The expiration date makes me believe that the programmer uses a "hit and
> > run" tactic, ....
>
> Well, you can think that but typically it takes a few hours from release
> to capture and analysis and then a few more hours to a day or two to get
> the hosting sites killed. It certainly does not take us "weeks" to get
> on top of this (the biggest delays by far are getting through to the
> abuse folks at the hosting companies and getting them to remove _and
> permanently block_ the update sites).

I didn't assume that you are slow, only that maybe _some_ server hosters might be slow at cooperating (especially if they are amateurs, and their machine was rootkit-trojanized). If the worm makes use of info from maintained servers, it is easier to shut its source down.

Maybe the programmer should reduce the "spreading time" to something below seven days; this would spare one or another specimen about which I might have to complain. Today I was sent one from China.

The weirdest fact seems to be that the spreaders aren't the usual dumbheads who click on everything they might ever see, but in Germany a lot of mails are sent from high schools and universities. Maybe due to the "details" portion in the filename. "Details" looks like the mail is important, maybe about an application, or will the funding be granted, or how the research went on, and so on. Sobig.E makes intellectuals look rather stupid.

Gabriele Neukam
Gabriele.Neukam@t-online.de

--
Ah, Information. A good, too valuable these days, to give it away, just so, at no cost.