Re: Ruh-Roh SOBIG.G?

[Joe Stewart <jstewart@xxxxxxxxx>]

On Thursday 25 September 2003 03:18 am, Dragos Ruiu wrote:
> Now I noted with concern this morning that I started getting more
> wicked screensavers. :-) Analysis indicates that this new nuisance of
> this the newly ressurected malware does not correspond with any of
> the earlier variants. (the files show the same variations in length
> as the older SOBIG.F) I did a little poking at it and it seems to be
> pretty similar to the old one. I can provide this to anyone who needs
> it but you should have a copy of it already. :-(

It's probably from someone with their system date set back before the 
Sobig.f cutoff. You can easily differentiate between Sobig versions by 
reading the PE timestamp field. Below you can find a short Perl script 
I wrote to automate the process of retrieving the PE timestamp from an 
executable. Not every compiler sets this field with the compile date, 
but the one the Sobig author uses does (VC++).

If your pif sample was not compiled on Sun Aug 17 12:54:53 2003 then you 
have a different variant.

-Joe


-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/


#!/usr/bin/perl

# read-pe-timestamp.pl 
# by Joe Stewart <jstewart@xxxxxxxxx>
# usage: ./read-pe-timestamp.pl <PE file>
# tested on Linux; Win32 users may need to add binmode()

use strict;

my $filename = $ARGV[0];
my $now = time;
my $old = 800000000;
die "Usage: $0 <PE file>\n" unless $filename;
open(IN, $filename) or die "Couldn't open $filename : $!\n";
for (0..255) {
        my $dword;
        read(IN, $dword, 4);
        next unless $dword eq "PE\x00\x00";
        read(IN, $dword, 4);
        read(IN, $dword, 4);
        my $t = unpack("N*", reverse($dword));
        my $time = localtime($t);
        print "$filename was compiled on $time\n";
        print "(Probably erroneous)\n" if ($t >= $now || $t <= $old);
        close IN;
        exit;
}
close IN;
print "Could not find PE header in $filename\.\n";