[31833] in bugtraq
RE: Ruh-Roh SOBIG.G?
daemon@ATHENA.MIT.EDU (Larry Seltzer)
Fri Sep 26 14:09:15 2003
From: "Larry Seltzer" <larry@larryseltzer.com>
To: <kruse@railroad.dk>, "'Liviu Daia'" <Liviu.Daia@imar.ro>,
<bugtraq@securityfocus.com>
Date: Fri, 26 Sep 2003 06:45:15 -0400
Message-ID: <004901c3841b$4bacdff0$5b00005a@moregarlic.com>
In-Reply-To: <000901c383b0$b3dc7c40$0202a8c0@teliahomebase>
I thought it had expired on 9/10, and it did stop coming for a while. I'm seeing it
again too; actually, I'm seeing two different attachment sizes in the new ones, one
around 70K and the other around 100K.
Did someone reissue Sobig.F with a new expiration date?
Larry Seltzer
Security Editor, eWEEK.com
http://security.eweek.com/
larryseltzer@ziffdavis.com
-----Original Message-----
From: Peter Kruse [mailto:kruse@krusesecurity.dk]
Sent: Thursday, September 25, 2003 6:02 PM
To: 'Liviu Daia'; bugtraq@securityfocus.com
Subject: SV: Ruh-Roh SOBIG.G?
Hi,
There is no new Sobig worm here. I just ran through samples received by the original
poster and I can confirm that these are all Sobig-F samples. The worm is known to be
polymorphic, which by nature will change the size and content of the code. Nothing new
here.
Kind regards // Med venlig hilsen
Peter Kruse
CSIS / Kruse Security ApS
http://www.krusesecurity.dk