Discussion:
Is this Sobig.G ?
Tim Shoppa
2003-08-26 00:25:55 UTC
I got an E-mail with something that looks like Sobig.F but different:

Content-Type: application/x-msdownload; name="Customized.Theme.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Customized.Theme.pif"

The whole message (including attachment) is about 98K, a little smaller
than a real Sobig.F.

Arrived at my SMTP server at 20:05 EDT tonight, 25-Aug-2003.

Tim.
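The headers Tim quotes are the kind of thing a mail gateway can act on before any antivirus signature exists: an `application/x-msdownload` part carrying a `.pif` filename is an executable attachment whatever its payload turns out to be. The following is an added example (not code from the thread or from any poster) of a small attachment checker built on Python's standard `email` library. The sample message, its dummy base64 payload and the extension list are constructed for illustration; only the MIME type and filename come from the post.

```python
import base64
from email import message_from_string
from email.policy import default

# MIME types and extensions a gateway would normally quarantine.
# application/x-msdownload is the type quoted in the thread; the rest of
# these sets are an illustrative assumption, not taken from the post.
EXECUTABLE_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}


def suspicious_attachments(raw_message: str) -> list[dict]:
    """Return one finding per attachment that looks like a Windows executable.

    Each finding records the filename, declared content type, decoded size
    in bytes and the reasons it was flagged, so a gateway can log or
    quarantine on it without ever running the payload.
    """
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        filename = part.get_filename()
        if filename is None:
            continue  # inline text body, nothing to check here
        ctype = part.get_content_type()  # normalised to lowercase
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        reasons = []
        if ctype in EXECUTABLE_MIME_TYPES:
            reasons.append(f"executable MIME type {ctype}")
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if reasons:
            payload = part.get_payload(decode=True) or b""  # base64 decoded
            findings.append({
                "filename": filename,
                "content_type": ctype,
                "size": len(payload),
                "reasons": reasons,
            })
    return findings


# Constructed sample mirroring the post: subject "Re: Hi", no text body,
# a single .pif attachment. The payload is a 16-byte dummy, not malware.
DUMMY_PAYLOAD = base64.b64encode(b"MZ" + b"\x00" * 14).decode()
SAMPLE_MESSAGE = f"""\
From: sender@example.invalid
To: tim@example.invalid
Subject: Re: Hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: application/x-msdownload; name="Customized.Theme.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Customized.Theme.pif"

{DUMMY_PAYLOAD}
--sep--
"""

# Constructed benign message with a plain-text attachment for comparison.
BENIGN_MESSAGE = """\
From: sender@example.invalid
To: tim@example.invalid
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just some notes
--sep--
"""

if __name__ == "__main__":
    for f in suspicious_attachments(SAMPLE_MESSAGE):
        print(f"{f['filename']} ({f['content_type']}, {f['size']} bytes): "
              + "; ".join(f["reasons"]))
    print("benign findings:", suspicious_attachments(BENIGN_MESSAGE))
```

Checking both the declared MIME type and the filename extension matters because the two are set independently by the sender and either one alone can be made to look harmless; the decoded size is recorded so an operator can compare it against a known sample, as the thread does with the 98K figure.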
Bad Dog
2003-08-26 04:21:50 UTC
Post by Tim Shoppa
Content-Type: application/x-msdownload; name="Customized.Theme.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Customized.Theme.pif"
The whole message (including attachment) is about 98K, a little smaller
than a real Sobig.F.
Arrived at my SMTP server at 20:05 EDT tonight, 25-Aug-2003.
Tim.
I think it's safe to say that it is a virus and it is the right size for the
Sobig worm, but the subject of the message and the text in the body of the
message would help to tell more. What did the antivirus scan say it was?
Christopher Grenness
2003-08-26 15:49:03 UTC
Post by Bad Dog
Post by Tim Shoppa
Content-Type: application/x-msdownload; name="Customized.Theme.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Customized.Theme.pif"
The whole message (including attachment) is about 98K, a little smaller
than a real Sobig.F.
Arrived at my SMTP server at 20:05 EDT tonight, 25-Aug-2003.
Tim.
I think it's safe to say that it is a virus and it is the right size for the
Sobig worm, but the subject of the message and the text in the body of the
message would help to tell more.
No body, only the named attachment.
Subject was simply "Re: Hi".
Post by Bad Dog
What did the antivirus scan say it was?
No anti-virus software here... but unlike Sobig.F, which is rejected by
SpamAssassin for numerous spam-like attributes, this latest one did not
score high on the spam score.
Did you try one of the online AV services, like HouseCall @ Trend
Micro?
--
To reply via email, please use "grenness" instead of "kwjhdwedjw"
and ".com" instead of ".invalid"
Etaoin Shrdlu
2003-08-26 04:14:07 UTC
Post by Tim Shoppa
The whole message (including attachment) is about 98K, a little smaller
than a real Sobig.F.
Maybe it's Sosmall.G

[ducks - runs]
--
*** Remove +FROM+CRATE+ to e-mail me ***

You know you are getting old when the candles cost more than the cake.
- Bob Hope
W.S. Blevins
2003-08-26 12:42:31 UTC
Wouldn't the common-sense approach be to scan it with an up-to-date AV
product and/or send a sample to a reputable AV lab?
FromTheRafters
2003-08-26 15:37:52 UTC
Post by Tim Shoppa
Content-Type: application/x-msdownload
Maybe it is a downloader trojan.....