Hi Kenji,

KLEZ scours the infected system for email addresses. It then chooses one at random to use as its from address, thus forging the from and hiding its origin. This makes it harder to tell who is infected and prolongs the time the infected host has to propagate the virus.

http://www.symantec.com/avcenter/venc/data/w32.klez.h@private

This technique is becoming more popular. It then sends itself out to the email addresses it found.

You may be able to help the infected user (and yourself) by examining the full headers of one of the infected emails. The "Received from" lines show the path the mail took and the origin of the email. Send an email to abuse@[their domain] including the full headers to help them track it.

Bummer huh?

Scott

--- "T. Kenji Sugahara" <sugahara@private> wrote:

> Quick question for you folks about the Klez worm. I'm wondering if any
> of you have come across any instances where the Klez worm has infected
> Apple OS X machines. I've checked both NAI and SARC and they both seem
> to indicate that it is a windows only worm. (unless there is a new
> variant) I'm running OS X (root disabled of course) with a
> non-microsoft mail app and I've had a few e-mail bounces returned to me
> saying that they have quarantined documents that I sent them. I have no
> recollection of sending e-mails to these individuals. I checked my sent
> messages and ran a full updated NAV scan (sorry Jimmy ;) ) both under
> OS X and OS 9. Nothing. I know the worm has the ability to spoof the
> From: field, but I've had bounces to two different e-mail addresses that
> I have. Should I be worried or am I just paranoid?
>
> T. Kenji Sugahara
> Chief Operating Officer
> counterclaim
> Phone: 541-484-9235
> Fax: 541-484-9193
>
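One way to do the header check Scott describes, as an added example that is not part of the original post: walk the Received: lines of a message bottom-up to find the host that injected it (rather than trusting the forged From:), then derive the abuse@ mailbox for that network. The sample message, its hostnames and IPs, and the abuse-address rule are all assumptions constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample (added example, not from the list post): From: is a
# harvested address, but the Received: chain, read bottom-up, still records
# the host that first handed it to a relay. Names/IPs are RFC 2606/5737 values.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Sun, 26 May 2002 10:00:00 -0700
Received: from dialup-42.isp.example (dialup-42.isp.example [203.0.113.42])
\tby mx.example.net with SMTP id xyz789; Sun, 26 May 2002 09:59:00 -0700
From: innocent@example.com
To: kenji@example.org
Subject: look at this

(worm attachment would follow)
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                # name the sender claimed in HELO
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*"  # optional reverse DNS seen by relay
    r"\[(?P<ip>[0-9.]+)\]\))?"             # peer IP as seen by the relay
    r".*?\bby\s+(?P<by>\S+)",              # the relay that added this line
    re.IGNORECASE | re.DOTALL,
)

def parse_hops(raw_message):
    """Hops oldest-first; each is HOP_RE's group dict (helo, rdns, ip, by)."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its line, so the header order is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))  # unfold, then match
        if m:
            hops.append(m.groupdict())
    return hops

def origin_hop(raw_message):
    """Earliest hop: the injecting host as logged by the first relay.
    Only lines added by relays you trust are reliable; a sender can
    prepend fake Received: lines beneath the real ones."""
    hops = parse_hops(raw_message)
    return hops[0] if hops else None

def abuse_address(hop):
    """Abuse mailbox for the originating network (assumption: last two
    labels of the reverse-DNS name; real lookups should use WHOIS)."""
    name = hop.get("rdns") or hop["helo"]
    return "abuse@" + ".".join(name.split(".")[-2:])
```

On the sample, `origin_hop` returns the dialup host at 203.0.113.42 handed to mx.example.net, and `abuse_address` yields abuse@isp.example, while the From: header still names the harvested address.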
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:42:02 PDT