Re: Sobig.F (Was: document _ a l l . p i f)

From: Patrick Nolan (p.nolanat_private)
Date: Tue Aug 19 2003 - 21:53:04 PDT


    ----- Original Message -----
    From: "Jonathan A. Zdziarski" <jonathanat_private>
    To: "Alex Naveira (IT)" <alex.naveiraat_private>
    Cc: <incidentsat_private>
    Sent: Tuesday, August 19, 2003 1:12 PM
    Subject: SoBig.F (Was: document _ all. p i f)
    
    
    | It appears that there are not only a significant number of different
    | filenames floating around, but each file is also a different size,
    | including the ones of the same filename.  A brief look at the last
    | recent messages I've gotten reveals there's not one that is the same:
    
    [sliced for brevity]
    
    | There's a lot of useful info on the F-Secure and Norton pages, but I
    | don't see anything about it mutating.  I wonder if it is storing some
    | kind of source information from each machine.
    |
    | Guess it's time to disassemble it.
    
    The virus collects some data from each infected system - this data is
    appended to infectious files. From one system to the next, the virus file
    will be different, and of different size. The body of the virus is almost
    72Kb with some appended data accounting for the difference in sizes. The
    virus ends at hex 0x119FF when viewed in a hex editor - garbage is appended
    after this offset.
    
    Regards,
    
    Patrick Nolan
    Virus Researcher - Fortinet
    pnolanat_private
    503-844-5998 (hm)
    503-341-6335 (cell)
    
    
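    An added example, not part of Nolan's post or any vendor tool, illustrating the triage check his note implies: because the body ends at 0x119FF and only the appended data varies, hashing the fixed-length body prefix groups variants that a whole-file hash would keep apart. The sample files and their names are constructed stand-ins, not real Sobig.F samples.

```python
import hashlib
from typing import Dict

# Offset reported in the post: the virus ends at 0x119FF, so the fixed body
# is 0x11A00 bytes and anything past it is per-host appended data.
BODY_END = 0x119FF
BODY_LEN = BODY_END + 1  # 72192 bytes, "almost 72Kb"


def body_sha256(data: bytes) -> str:
    """Hash only the fixed-length body, ignoring whatever was appended."""
    return hashlib.sha256(data[:BODY_LEN]).hexdigest()


def appended_tail(data: bytes) -> bytes:
    """Return the bytes after the body (empty if nothing was appended)."""
    return data[BODY_LEN:]


def triage(samples: Dict[str, bytes]) -> Dict[str, Dict[str, dict]]:
    """Group samples by body hash; record whole-file hash, size and tail length."""
    groups: Dict[str, Dict[str, dict]] = {}
    for name, data in samples.items():
        record = {
            "file_sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "tail_len": len(appended_tail(data)),
        }
        groups.setdefault(body_sha256(data), {})[name] = record
    return groups


def make_constructed_samples() -> Dict[str, bytes]:
    """Constructed stand-ins: one fake body, three different appended tails."""
    body = bytes((i * 31 + 7) & 0xFF for i in range(BODY_LEN))
    return {
        "sample_a.pif": body + b"HOSTNAME=ws1;" + bytes(1024),
        "sample_b.pif": body + b"HOSTNAME=ws2;" + bytes(3000),
        "sample_c.pif": body + b"\x00" * 17,
    }


if __name__ == "__main__":
    for body_hash, members in triage(make_constructed_samples()).items():
        print("body", body_hash[:16], "->", len(members), "samples")
        for name, rec in members.items():
            print("  ", name, rec["size"], "bytes, tail", rec["tail_len"])
```

    Whole-file hashes differ for every sample while all three share one body hash, which is why a fixed-prefix hash (or a signature bounded at 0x119FF) is the stable identifier here.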
    



    This archive was generated by hypermail 2b30 : Wed Aug 20 2003 - 16:44:02 PDT