RE: CRIME W32/Klez.H@mm question

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Tue Apr 23 2002 - 01:44:54 PDT


    Yes, Scott is correct.  The From line gets forged.  So, someone who has your
    email address somewhere has forged your address in his mail-out.
    
    Which indicates that a friend of yours is likely infected.
    
    (Sorry to be so slow in responding.  Am across the pond.)
    
    Jimmy
    
    -----Original Message-----
    From: nospam22@private [mailto:nospam22@private]
    Sent: Monday, April 22, 2002 6:02 PM
    To: T. Kenji Sugahara; 'crime@private '
    Subject: Re: CRIME W32/Klez.H@mm question
    
    
    Hi Kenji,
    
    KLEZ scours the infected system for email addresses.
    It then chooses one at random to use as its From
    address, thus forging the From and hiding its origin.
    This makes it harder to tell who is infected and
    prolongs the time the infected host has to propagate
    the virus.
    
    http://www.symantec.com/avcenter/venc/data/w32.klez.h@private
    
    This technique is becoming more popular.
    
    It then sends itself out to the email addresses it
    found.
    
    You may be able to help the infected user (and
    yourself) by examining the full headers of one of the
    infected emails.  The "Received from" lines show the
    path the mail took and the origin of the email.  Send
    an email to abuse@[their domain] including the full
    headers to help them track it.
    
    Bummer huh?
    
    Scott
    
    --- "T. Kenji Sugahara" <sugahara@private> wrote:
    > Quick question for you folks about the Klez worm.  I'm wondering if any
    > of you have come across any instances where the Klez worm has infected
    > Apple OS X machines.  I've checked both NAI and SARC and they both seem
    > to indicate that it is a Windows-only worm.  (unless there is a new
    > variant)  I'm running OS X (root disabled of course) with a
    > non-Microsoft mail app and I've had a few e-mail bounces returned to me
    > saying that they have quarantined documents that I sent them.  I have no
    > recollection of sending e-mails to these individuals.  I checked my sent
    > messages and ran a full updated NAV scan (sorry Jimmy ;)  ) both under
    > OS X and OS 9.  Nothing.  I know the worm has the ability to spoof the
    > From: field, but I've had bounces to two different e-mail addresses that
    > I have.  Should I be worried or am I just paranoid?
    > 
    > T. Kenji Sugahara
    > Chief Operating Officer
    > counterclaim
    > Phone:  541-484-9235
    > Fax:  541-484-9193
    > 
    
    
    
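Scott's advice above (read the full headers, follow the "Received" lines back to the origin, then write to abuse@ at that domain) as a worked example. This is added here and is not code from the original thread or from any of its participants. The message, hostnames, IP addresses and mailbox names below are constructed for illustration only; the script compares the domain of the forgeable From: line against the host in the earliest Received: line, which is the hop a forged From: cannot hide.

```python
"""Walk a message's Received: chain back to the host that first injected it,
ignoring the From: line, which a mass-mailer can set to any harvested address.

Added example, not from the original thread. SAMPLE_MESSAGE is constructed:
every host, IP and mailbox in it is a placeholder from the RFC example ranges.
"""
import email
import email.utils
import re

# Constructed sample: a Klez-style message. The From: names a harvested
# address at example.org, but the earliest Received: line shows the message
# entering the mail system from a dial-up host at example.net.
SAMPLE_MESSAGE = b"""\
Received: from mx2.example.com (mx2.example.com [192.0.2.20])
\tby mail.example.com with ESMTP id ABC123
\tfor <victim@example.com>; Mon, 22 Apr 2002 17:58:01 -0700 (PDT)
Received: from mail.example.net (mail.example.net [198.51.100.5])
\tby mx2.example.com with ESMTP id DEF456;
\tMon, 22 Apr 2002 17:57:55 -0700 (PDT)
Received: from dialup-42.example.net (dialup-42.example.net [203.0.113.42])
\tby mail.example.net with SMTP id GHI789;
\tMon, 22 Apr 2002 17:57:40 -0700 (PDT)
From: someone@example.org
To: victim@example.com
Subject: a nice game
Message-ID: <20020422175740.GHI789@example.net>

body
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <receiving-host> ..."
# The part in parentheses is what the receiving MTA observed; the HELO name
# before it is whatever the client claimed.
RECEIVED_RE = re.compile(
    r'from\s+(?P<helo>\S+)'
    r'(?:\s*\((?P<paren>[^)]*)\))?'
    r'.*?\bby\s+(?P<by>\S+)',
    re.IGNORECASE)
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def parse_received(raw: bytes) -> list:
    """Return the hops in transit order (oldest first).

    MTAs prepend Received: headers, so the header nearest the body is the
    earliest hop; reversing the header order restores the path the mail took.
    """
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all('Received', [])):
        value = ' '.join(value.split())        # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        paren = m.group('paren') or ''
        ip = IP_RE.search(paren)
        hops.append({
            'helo': m.group('helo'),
            'rdns': paren.split('[')[0].strip() or None,
            'ip': ip.group(1) if ip else None,
            'by': m.group('by'),
        })
    return hops


def registrable_domain(host: str) -> str:
    """Crude: last two labels. Fine for example.net; a real tool would use
    the public suffix list so that hosts under co.uk etc. are handled."""
    return '.'.join(host.rstrip('.').lower().split('.')[-2:])


def analyze(raw: bytes) -> dict:
    """Compare the From: domain with the domain of the earliest hop and
    suggest the abuse@ contact for the originating network."""
    msg = email.message_from_bytes(raw)
    from_addr = email.utils.parseaddr(msg.get('From', ''))[1]
    from_dom = from_addr.rpartition('@')[2].lower()
    hops = parse_received(raw)
    if not hops:
        return {'from': from_addr, 'origin_host': None, 'origin_ip': None,
                'hops': 0, 'suspect_forged_from': None, 'abuse_contact': None}
    origin = hops[0]
    # Prefer the reverse DNS recorded by the receiving MTA over the HELO name.
    origin_host = (origin['rdns'] or origin['helo']).lower()
    origin_dom = registrable_domain(origin_host)
    return {
        'from': from_addr,
        'origin_host': origin_host,
        'origin_ip': origin['ip'],
        'hops': len(hops),
        'suspect_forged_from': from_dom != origin_dom,
        'abuse_contact': 'abuse@' + origin_dom,
    }


if __name__ == '__main__':
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(f'{key}: {value}')
```

One caveat when doing this by hand or in code: only the Received: lines written by servers you trust are reliable. A sender can prepend fake ones before handing the message off, so start from the hop recorded by your own (or your provider's) mail server and work backwards from there; the first hop that server saw is the real origin, whatever the From: line says.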



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:42:04 PDT