Re: CRIME W32/Klez.H@mm question

From: nospam22@private
Date: Mon Apr 22 2002 - 18:02:04 PDT

  • Next message: Kuo, Jimmy: "RE: CRIME W32/Klez.H@mm question"

    Hi Kenji,
    
    KLEZ scours the infected system for email addresses. 
    It then chooses one at random to use as its from
    address, thus forging the from and hiding its origin.
    This makes it harder to tell who is infected and
    prolongs the time the infected host has to propagate
    the virus.
    
    http://www.symantec.com/avcenter/venc/data/w32.klez.h@private
    
    This technique is becoming more popular.
    
    It then sends itself out to the email addresses it
    found.
    
    You may be able to help the infected user (and
    yourself) by examining the full headers of one of the
    infected emails.  The "Received from" lines show the
    path the mail took and the origin of the email.  Send
    an email to abuse@[their domain] including the full
    headers to help them track it.
    
    Bummer huh?
    
    Scott
    
    --- "T. Kenji Sugahara" <sugahara@private>
    wrote:
    > Quick question for you folks about the Klez worm. I'm wondering if any
    > of you have come across any instances where the Klez worm has infected
    > Apple OS X machines.  I've checked both NAI and SARC and they both seem
    > to indicate that it is a windows only worm.  (unless there is a new
    > variant)  I'm running OS X (root disabled of course) with a
    > non-microsoft mail app and I've had a few e-mail bounces returned to me
    > saying that they have quarantined documents that I sent them.  I have no
    > recollection of sending e-mails to these individuals.  I checked my sent
    > messages and ran a full updated NAV scan (sorry Jimmy ;)  ) both under
    > OS X and OS 9.  Nothing.  I know the worm has the ability to spoof the
    > From: field, but I've had bounces to two different e-mail addresses that
    > I have.  Should I be worried or am I just paranoid?
    > 
    > T. Kenji Sugahara
    > Chief Operating Officer
    > counterclaim
    > Phone:  541-484-9235
    > Fax:  541-484-9193
    > 
    
    
    
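The header-reading step Scott describes above, as an added example that is not part of the original post or the thread: each mail server prepends its own Received line, so reading them from the bottom up recovers the path the mail took, and the earliest hop is the host that actually handed the worm to the first relay. The sample messages, host names and IP addresses below are constructed for illustration; the abuse-address derivation is a crude heuristic (strip the first label of the reverse DNS name), not a reliable rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed Klez-style message: the From: address is a harvested,
# unrelated one, while the Received chain leads back to a dial-up host.
SAMPLE = """Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id abc123
\tfor <kenji@example.org>; Mon, 22 Apr 2002 17:55:01 -0700
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx1.example.org with ESMTP id def456;
\tMon, 22 Apr 2002 17:54:58 -0700
Received: from victim-pc (dsl-203-0-113-45.isp.example [203.0.113.45])
\tby relay.isp.example with SMTP id ghi789;
\tMon, 22 Apr 2002 17:54:40 -0700
From: Some Innocent <innocent@example.net>
To: kenji@example.org
Subject: a funny game

(worm attachment would follow here)
"""

# Constructed legitimate message for comparison: From: domain matches the
# server that delivered it.
LEGIT = """Received: from mail.example.net (mail.example.net [192.0.2.20])
\tby mx1.example.org with ESMTP id jkl012;
\tMon, 22 Apr 2002 18:00:00 -0700
From: Colleague <colleague@example.net>
To: kenji@example.org
Subject: lunch

See you at noon.
"""

# "from <HELO name> (<reverse DNS> [<ip>])" as written by most MTAs.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<reverse>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\))?",
    re.IGNORECASE,
)


def received_hops(raw):
    """Return the Received hops oldest-first, i.e. the path the mail took.

    The header block lists newest hop first (each relay prepends its own
    line), so the list is reversed before parsing.
    """
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = RECEIVED_FROM.search(flat)
        if m:
            hops.append({"helo": m.group("helo"),
                         "reverse": m.group("reverse"),
                         "ip": m.group("ip")})
    return hops


def origin_of(raw):
    """The earliest hop: the host that handed the mail to the first relay.

    Caveat: only Received lines added by servers you trust are reliable.
    An infected or malicious host can prepend forged lines of its own, so
    the trustworthy trail starts at the first relay you recognise.
    """
    hops = received_hops(raw)
    return hops[0] if hops else None


def from_is_suspect(raw):
    """True when the From: domain appears nowhere in the delivery path.

    That is the signature of the Klez behaviour described in the thread:
    a harvested address reused as From:, unrelated to the sending host.
    """
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return True
    for hop in received_hops(raw):
        for name in (hop["helo"], hop["reverse"]):
            n = (name or "").lower()
            if n == domain or n.endswith("." + domain):
                return False
    return True


def abuse_address(hop):
    """Crude guess at the originating ISP's abuse mailbox (assumption:
    dropping the first label of the reverse DNS name leaves the ISP's
    domain). In practice, confirm via WHOIS on the IP before sending."""
    name = hop.get("reverse") or hop["helo"]
    return "abuse@" + name.split(".", 1)[1] if "." in name else None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
    origin = origin_of(SAMPLE)
    print("origin:", origin, "forged From:", from_is_suspect(SAMPLE))
    print("report to:", abuse_address(origin))
```

The report to the ISP should include the complete, unaltered header block, since the abuse desk will want the relay's own log identifiers (the `id` tokens) and timestamps to match against their logs.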



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:42:02 PDT