RE: CRIME W32/Klez.H@mm question

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Tue Apr 23 2002 - 01:44:54 PDT

Next message: George Heuston: "No CRIME Meeting Today"

Previous message: nospam22@private: "Re: CRIME W32/Klez.H@mm question"
Maybe in reply to: T. Kenji Sugahara: "CRIME W32/Klez.H@mm question"
Next in thread: T. Kenji Sugahara: "Re: CRIME W32/Klez.H@mm question"
Reply: T. Kenji Sugahara: "Re: CRIME W32/Klez.H@mm question"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Yes, Scott is correct.  The From line gets forged.  So, someone who has your
email address somewhere has forged your address in his mail-out.

Which indicates that a friend of yours is likely infected.

(Sorry to be so slow in responding.  Am across the pond.)

Jimmy

-----Original Message-----
From: nospam22@private [mailto:nospam22@private]
Sent: Monday, April 22, 2002 6:02 PM
To: T. Kenji Sugahara; 'crime@private '
Subject: Re: CRIME W32/Klez.H@mm question

Hi Kenji,

KLEZ scours the infected system for email addresse. 
It then chooses one at random to use as it's from
address, thus forging the from and hiding it's origin.
 This makes it harder to tell who is infected and
prolonging the time the infected host has to propogate
the virus.

http://www.symantec.com/avcenter/venc/data/w32.klez.h@private

This technique is becoming more popular.

It then sends itself out to the email addresses it
found.

You may be able to help the infected user (and
yourself) by examining the full headers of one of the
infected emails.  The "Received from" lines show the
path the mail took and the origin of the email.  Send
an email to abuse@[their domain] including the full
headers to help them track it.

Bummer huh?

Scott

--- "T. Kenji Sugahara" <sugahara@private>
wrote:
> Quick question for you folks about the Klez worm. 
> I'm wondering if any 
> of you have come across any instances where the Klez
> worm has infected 
> Apple OS X machines.  I've checked both NAI and SARC
> and they both seem 
> to indicate that it is a windows only worm.  (unless
> there is a new 
> variant)  I'm running OS X (root disabled of course)
> with a 
> non-microsoft mail app and I've had a few e-mail
> bounces returned to me 
> saying that they have quarantined documents that I
> sent them.  I have no 
> recollection of sending e-mails to these
> individuals.  I checked my sent 
> messages and ran a full updated NAV scan (sorry
> Jimmy ;)  ) both under 
> OS X and OS 9.  Nothing.  I know the worm has the
> ability to spoof the 
> From: field, but I've had bounces to two different
> e-mail addresses that 
> I have.  Should I be worried or am I just paranoid?
> 
> T. Kenji Sugahara
> Chief Operating Officer
> counterclaim
> Phone:  541-484-9235
> Fax:  541-484-9193
> 

__________________________________________________
Do You Yahoo!?
Yahoo! Games - play chess, backgammon, pool and more
http://games.yahoo.com/

Next message: George Heuston: "No CRIME Meeting Today"
Previous message: nospam22@private: "Re: CRIME W32/Klez.H@mm question"
Maybe in reply to: T. Kenji Sugahara: "CRIME W32/Klez.H@mm question"
Next in thread: T. Kenji Sugahara: "Re: CRIME W32/Klez.H@mm question"
Reply: T. Kenji Sugahara: "Re: CRIME W32/Klez.H@mm question"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:42:04 PDT