Sobig.{E,D,EML} not found by Sophos and McAfee - further info

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Tue Jul 1 12:33:44 IST 2003

> -----Original Message-----
> From: Quentin Campbell [mailto:Q.G.Campbell at] 
> Sent: 01 July 2003 10:40
> Subject: Re: Sobig.{E,D,EML} not found by Sophos and McAfee
> > By the way, what's Sobig.EML and ...
> Good question. I cannot find this virus at the NAI site yet 
> it is McAfee that is recognising it! The notification I got says:
> The following e-mail messages were found to have viruses in them:
>     Sender: auto.reply at
> IP Address:
>  Recipient: xxx at
>    Subject: Undeliverable Message
>  MessageID: h611uKu05157
>     Report: /h611uKu05157/msg-32244-1482.txt        Found the
> W32/Sobig.eml virus !!!
> > ...what harm can it do in a .txt file?
> That is not the point unless you are suggesting that is why 
> Sophos does not recognise it? The issue for me is why one A-V 
> scanner finds it but another doesn't.

The one thing all these messages have in common are that they are bounce
messages of one sort or another:

 o undeliverable message 
 o failure notice
 o returned mail - nameserver error ...

It appears that they retain some sort of "signature" text, probably
harmless, that the McAfee scanner recognises but not the Sophos scanner.
Does this sound plausible? 

Note that this applies to both "Sobig.e", "Sobig.d" and "Sobig.eml"
(what ever that is).

The latter suggests an alternative theory that it might be MailScanner
wrongly picking up a string from the McAfee scanner or wrongly reporting
a string that it has; that is, it reports as "Sobig.eml" a string that
is something else? 

I will see if I can quarantine some of these messages.

PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
"Any opinion expressed above is mine. The University can get its own." 


More information about the MailScanner mailing list