Sobig.{E,D,EML} not found by Sophos and McAfee

Martin Sapsed m.sapsed at BANGOR.AC.UK
Tue Jul 1 12:25:56 IST 2003

Quentin Campbell wrote:
> We don't use quarantining at this site. But your suggestion is noted.
> :-)

Shame. I sent them some files which were quarantined because they had
.pif on the end. Subsequently an ide was released which identified them
as Bugbear-Dam - the broken variants.

> Good question. I cannot find this virus at the NAI site yet it is McAfee
> that is recognising it! The notification I got says:
> The following e-mail messages were found to have viruses in them:
>     Sender: auto.reply at
> IP Address:
>  Recipient: xxx at
>    Subject: Undeliverable Message
>  MessageID: h611uKu05157
>     Report: /h611uKu05157/msg-32244-1482.txt        Found the
> W32/Sobig.eml virus !!!
>>...what harm can it do in a .txt file?
> That is not the point unless you are suggesting that is why Sophos does
> not recognise it? The issue for me is why one A-V scanner finds it but
> another doesn't.

I wonder if it is a version of Sobig, in a message packaged up as email
attachment .eml file but then renamed as .txt? I don't know whether
Sophos would find anything in that - haven't got one to hand to try!

I'm more concerned about it missing instances of .D and .E unless
they're like the Bugbear incident - damaged versions that aren't
actually executable. It would still be nice to know though otherwise you
assume the worst.

(Incidentally we've picked up 732 copies of Sobig-E in the 5 days since
the ide was released - 22% of our detections for the whole of June, but
I digress...)



Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth

More information about the MailScanner mailing list