Sobig.{E,D,EML} not found by Sophos and McAfee
Martin Sapsed
m.sapsed at BANGOR.AC.UK
Tue Jul 1 12:25:56 IST 2003
Quentin Campbell wrote:
> We don't use quarantining at this site. But your suggestion is noted.
> :-)
Shame. I sent them some files which were quarantined because they had
.pif on the end. Subsequently an ide was released which identified them
as Bugbear-Dam - the broken variants.
> Good question. I cannot find this virus at the NAI site yet it is McAfee
> that is recognising it! The notification I got says:
>
> The following e-mail messages were found to have viruses in them:
>
> Sender: auto.reply at compuserve.com
> IP Address: 149.174.40.6
> Recipient: xxx at newcastle.ac.uk
> Subject: Undeliverable Message
> MessageID: h611uKu05157
> Report: /h611uKu05157/msg-32244-1482.txt Found the
> W32/Sobig.eml virus !!!
>
>>...what harm can it do in a .txt file?
>
> That is not the point unless you are suggesting that is why Sophos does
> not recognise it? The issue for me is why one A-V scanner finds it but
> another doesn't.
I wonder if it is a version of Sobig, in a message packaged up as email
attachment .eml file but then renamed as .txt? I don't know whether
Sophos would find anything in that - haven't got one to hand to try!
I'm more concerned about it missing instances of .D and .E unless
they're like the Bugbear incident - damaged versions that aren't
actually executable. It would still be nice to know though otherwise you
assume the worst.
(Incidentally we've picked up 732 copies of Sobig-E in the 5 days since
the ide was released - 22% of our detections for the whole of June, but
I digress...)
Cheers,
Martin
--
Martin Sapsed
Information Services "Who do you say I am?"
University of Wales, Bangor Jesus of Nazareth
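Added example, not part of the original post: a Python check for the hypothesis raised above, that a file named `.txt` is really a mail message (for instance a bounce) carrying an attachment such as a `.pif`. The function names, the extension list and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed extension list; the thread itself only mentions .pif.
RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat")
PAYLOAD = b"NOT-A-REAL-EXECUTABLE"  # constructed, harmless stand-in

def is_mail_message(data: bytes) -> bool:
    """True if the bytes parse with typical mail headers, whatever the file is called."""
    msg = message_from_bytes(data, policy=policy.default)
    return any(h in msg for h in ("Received", "Message-ID", "MIME-Version", "From"))

def risky_attachments(data: bytes):
    """List (filename, content type, decoded size) for attachments with risky extensions.

    walk() also descends into message/rfc822 parts, so an original message
    embedded in a bounce is inspected too.
    """
    msg = message_from_bytes(data, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            body = part.get_payload(decode=True) or b""
            found.append((name, part.get_content_type(), len(body)))
    return found

def build_sample() -> bytes:
    """Constructed bounce message that embeds an original with a .pif attachment."""
    inner = EmailMessage()
    inner["From"] = "sender@example.org"
    inner["To"] = "user@example.org"
    inner["Subject"] = "Constructed original"
    inner.set_content("See the attached file.")
    inner.add_attachment(PAYLOAD, maintype="application",
                         subtype="octet-stream", filename="sample.pif")
    outer = EmailMessage()
    outer["From"] = "auto.reply@example.com"
    outer["Subject"] = "Undeliverable Message"
    outer.set_content("Your message could not be delivered.")
    outer.add_attachment(inner)  # stored as a message/rfc822 part
    return outer.as_bytes()

if __name__ == "__main__":
    sample = build_sample()  # stands in for the contents of a quarantined .txt file
    print(is_mail_message(sample), risky_attachments(sample))
```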