[Esd-l] Attachment of application.pif was not stripped

John D. Hardin jhardin at impsec.org
Sat Aug 23 07:47:36 PDT 2003

On Sat, 23 Aug 2003, Mike McCandless wrote:

> However, I'm confused about why the application.pif was not
> stripped by the Sanitizer.  The user in question got plenty of
> other .pif attachments, which were successfully stripped by the
> Sanitizer.  Any ideas?

The most likely possibility is that it's an older SoBig, one that
delivered the attack wrapped in a .ZIP file. Check the website for the
sample local-rules file that detects and quarantines this version.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
   70 days until Matrix Revolutions

More information about the esd-l mailing list