Virus or what?

Nathan England plug-discuss@lists.plug.phoenix.az.us
Fri, 22 Nov 2002 08:24:47 -0700




In my shop it has been my experience that Klez infections can be tracked back
to the person who is sending it out. My shop machine was getting hit about 30
times a day. Viewing the <return-path> in the headers always showed the same
name, but the From: was different every time.
Then it all stopped. For a few days we didn't get hit, and assumed the machine
had been cleaned.
That day, while working on a computer with a Klez infection, I found that the
Reply-To: in his Outlook setup was the same as the Return-Path in the mails I
was getting. We had called the ISP but they had no record of that email
address, because it had been misspelled and he wasn't receiving replies from
people, which was the reason the machine was in.

I kept track of other return-paths in messages and found all but a couple were
traceable and we got rid of them. A couple more must have been misspelled
again.

<snip clipping from source of this message>
Return-Path: <plug-discuss-admin@lists.plug.phoenix.az.us>
Received: from localhost (localhost [127.0.0.1])
	by fallout.the-arcanum.org (8.12.4/8.12.4) with ESMTP id
</snip>

The message I am replying to is from Victor Odhner, but the return path is
plug-discuss-admin@lists.plug.phoenix.az.us

So far it's worked for me. And Klez seems to be on the rise again.
At least in Payson.

nathan


On Thursday 21 November 2002 23:22, Victor Odhner wrote:
> Hi, Cliff.
>
> cliff rogers wrote:
>  > The virus software on InterLogic Graphics & Marketing's (ILGM),
>  > the server that manages mail for xxx@xxx.xxx <mailto:xxx@xxx.xxx>
>  > has reported that you sent an e-mail to
>  > xxx@xxx.xxx <mailto:xxx@xxx.xxx>, containing the :
>  > W32/Klez.H@mm virus in the PCT.exe attachment.  The subject of
>  > the E-mail was "A very  funny website".
>
> The Klez worm looks in the address books of machines it
> has invaded, and randomly selects addresses to use as
> the "From" address of the messages it sends out.  This
> is done randomly, and it also varies the subject lines.
> So all you can know is that SOMEBODY who had you in their
> address book got hit by the Klez worm.
>
> Klez exploits a bug in IE5 whose fix has been available
> for a long time.  Of course Klez can't infect a Linux box.
>
> In fact, I don't think it can hit you if you avoid using
> IE5 for browsing and are not using Microsoft mail clients
> (since these use IE if they receive an HTML e-mail
> message).
>
> I have gotten a million Klez messages on the Linux system
> where I have one of my e-mail accounts, and of course
> these worms are just data outside the Windows world.
> I think Cox.net must be filtering out Klez messages
> directed to the address I'm using for mailing lists,
> since I haven't seen any on this account (which I read
> with Mozilla on Win98).
>
> Vic
>
> http://members.cox.net/vodhner/
>    -- or --
> http://www.newearth.org/~victor/resume.html
>

-- 
Nathan England

plug  at the-arcanum.org
jabber id: linuxjunkie@jabber.earth.li

"A free society is one where it is safe to be unpopular."
--Adlai Stevenson


-----------------------------------------------------------------

Registered Linux User #189789, Machine #106603
www.sincerechoice.org

Spam related material will be forwarded to:
uce@ftc.gov
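An added example (not from Nathan's post or the list) of the triage he describes: Klez forges a different From: on every message, but the envelope sender in Return-Path stays fixed, so grouping by Return-Path points at the one infected sender. The sample messages and addresses below are constructed, and mailing-list bounce addresses (like the plug-discuss-admin one quoted in the post) are skipped so list traffic is not flagged.

```python
"""Group incoming mail by Return-Path to find the machine actually sending Klez."""
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, in the header shape the post quotes.
SAMPLE_MESSAGES = [
    "Return-Path: <jsmith@isp.example>\nFrom: alice@example.org\n"
    "Subject: A very funny website\n\nbody\n",
    "Return-Path: <jsmith@isp.example>\nFrom: bob@example.net\n"
    "Subject: Hi\n\nbody\n",
    "Return-Path: <jsmith@isp.example>\nFrom: carol@example.com\n"
    "Subject: look at this\n\nbody\n",
    # A list message: Return-Path is the list's bounce address, as in the post.
    "Return-Path: <plug-discuss-admin@lists.plug.phoenix.az.us>\n"
    "From: vic@example.com\nSubject: Re: Virus or what?\n\nbody\n",
]

# Known list/bounce addresses whose Return-Path legitimately differs from From:.
LIST_ADDRESSES = {"plug-discuss-admin@lists.plug.phoenix.az.us"}


def froms_by_return_path(raw_messages):
    """Map each envelope sender (Return-Path) to the set of From: addresses seen with it."""
    groups = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if envelope and sender:
            groups[envelope].add(sender)
    return dict(groups)


def suspect_senders(raw_messages, min_distinct_from=2, ignore=LIST_ADDRESSES):
    """Return-Paths seen with at least min_distinct_from different From: addresses.

    One fixed envelope sender behind many forged From: lines is the pattern the
    post describes; addresses in `ignore` (list bounce addresses) are skipped.
    """
    groups = froms_by_return_path(raw_messages)
    return sorted(rp for rp, froms in groups.items()
                  if rp not in ignore and len(froms) >= min_distinct_from)


if __name__ == "__main__":
    for rp in suspect_senders(SAMPLE_MESSAGES):
        print("probable infected sender:", rp)
```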