Sobig.F@mm.enc

Rose, Bobby brose at MED.WAYNE.EDU
Mon Sep 8 19:09:23 IST 2003


I haven't actually seen it intact yet from the client side but I don't
think a user can get to it.  Actually Nav for Exchange replaces it with a
text file and the text file is placed into the same place as the sobig
code so you don't see the deleted.txt attachment either.

-----Original Message-----
From: Dustin Baer [mailto:dustin.baer at IHS.COM] 
Sent: Monday, September 08, 2003 1:50 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Sobig.F at mm.enc


Gerry Doris wrote:
>
> > Julian Field wrote:
> >>
> >> I can explain what is happening with all of these cases. A dumb MTA
> >> is rejecting the message, and including the entire content text of
> >> the rejected message in the rejection notice, rather than just the
> >> headers or the first few lines (which is what sensible ones do). As
> >> the MIME structure of the rejected message is completely broken by
> >> it being included very simply in the rejection notice, your email
> >> app can't actually decode the attachment anyway. So it's actually
> >> quite safe. But some AV products generate a false alarm on it,
> >> Norton in particular.
> >
> > If anybody is interested, I have captured a qf/df pair that makes it
> > through MailScanner/Sophos email scanning and Lotus Notes/Symantec
> > (Norton) email scanning, yet is triggered by Symantec (Norton) on
> > the desktop.
> >
> > http://www.pcisys.net/~baer/sobig/sobig-broken-mime.zip
> >
> > Dustin
> >
>
> Do you know if there is a real virus in the email or is it a damaged 
> virus that is harmless per Julian's note?
>
> Gerry

Well, it acts exactly like Julian discusses above, i.e. passes through
mail scanning software, but is caught by Norton on the desktop.

Then again, I suppose a smart person could extract it, decode it and it
would be the actual SoBig virus.

Dustin
--
Dustin Baer
Unix Administrator/Postmaster
Information Handling Services
15 Inverness Way East
Englewood, CO 80112
303-397-2836
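
Added example, not part of the thread: the situation Julian Field describes above, reproduced with Python's standard `email` parser. The bounce is constructed (hypothetical addresses and file name, a placeholder base64 string); the parser sees one text/plain part and no attachment, while the pasted part headers and encoded body remain in the text.

```python
import email
import re
from email import policy

# Constructed sample: a bounce whose text/plain body is the rejected message
# pasted in raw. The base64 line encodes "placeholder, not malware".
BOUNCE = """\
From: MAILER-DAEMON@mta.example
Subject: Undeliverable mail
Content-Type: text/plain; charset=us-ascii

Your message was rejected. Original message follows:

Subject: Sample
Content-Type: multipart/mixed; boundary="_NextPart_000"

--_NextPart_000
Content-Type: text/plain

See the attached file
--_NextPart_000
Content-Type: application/octet-stream; name="attachment.bin"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.bin"

cGxhY2Vob2xkZXIsIG5vdCBtYWx3YXJl
--_NextPart_000--
"""

MARKER = re.compile(r"^(--\S+|Content-Transfer-Encoding:\s*base64"
                    r"|Content-Disposition:\s*attachment)", re.I | re.M)

def client_view(raw):
    """Leaf MIME parts as a mail client sees them: (content type, filename)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [(p.get_content_type(), p.get_filename())
            for p in msg.walk() if not p.is_multipart()]

def embedded_mime_markers(raw):
    """MIME part markers that sit as plain text inside text/* bodies."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [m for p in msg.walk() if p.get_content_maintype() == "text"
            for m in MARKER.findall(p.get_content())]

def is_broken_mime_bounce(raw):
    """True when attachment markers exist only as text, with no real part."""
    no_real_attachment = all(name is None for _, name in client_view(raw))
    return no_real_attachment and bool(embedded_mime_markers(raw))
```

A mail filter could use a check like `is_broken_mime_bounce` to label desktop AV alerts on such bounces for triage instead of treating them as a delivered attachment.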



