[wplug] A virus among us?

Henry Umansky hmust2+ at pitt.edu
Mon Sep 16 11:49:13 EDT 2002


If you view the full headers and look at the very last "Received:" line 
that is from the originating sender.  However, that line can be spoofed but 
it is usually accurate for the most part because the Klez virus depends on 
the default mailto clients and most email clients will not let the user 
interact with the SMTP server directly.  Interacting directly with the SMTP 
server is the only way to spoof the bottom Received line.  Email me if you 
would like more help in figuring out the origin of the virus.

--On Monday, September 16, 2002 11:23 AM -0400 "Phil Walther, Jr." 
<philjr at attglobal.net> wrote:

> If you view the Return-Path (not the reply to) part of the header, you
> will see where it came from.  I receive about 5-10 KLEZ infected mails
> every day. When I receive these, I forward an advisory with the original
> header as part of the e-mail to the return path sender and cc abuse and
> postmaster at the originating domain.
>
> Since I have to use M$ Outlook (well don't have to), I use a virus scanner
> that has the outlook plugins and does incoming scans of files, web
> elements, etc.  For Win systems, Norton and McAfee are tops, and there
> are a few other lesser known ones that do just as good a job.  McAfee has
> a nice option called HAWK, where it'll flag you if multiple mails are
> "spamming" out your mail client.
>
> -----Original Message-----
> From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org]On Behalf Of
> Mark Dalrymple
> Sent: Monday, September 16, 2002 11:01 AM
> To: wplug at wplug.org
> Subject: Re: [wplug] A virus among us?
>
>
>> The latest
>> one, received on Saturday, had "cellspacing" as the subject line and was
>> returned to me from markd at badgertronics.com.
>
> Remember that the klez viruses use random from and to addresses, and that
> it scrapes them from the browser cache in addition to the address books.
> I am markd at badgertronics.com, and I have zero (none, zip, nada) windows
> systems, so it could not come from me.
>
>
> If ya have any questions or concerns, feel free to drop me a line
> directly (or hang out in #wplug)
>
> Cheers,
> ++Mark Dalrymple, markd at badgertronics.com.  http://badgertronics.com
>   "If a Trinitron monitor can make Windows look somewhat elegant
>    then I say that is ONE HELL OF A MONITOR." -- Michael O'Neil
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug



Henry Umansky
University of Pittsburgh
Systems/Programmer III
www.pitt.edu/~hmust2
hmust2 at pitt.edu
(412)624-4357
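As an added example that is not part of the original thread: a short Python script that walks the Received: chain the way Henry describes and reports the bottom-most hop (the one written by the first server that accepted the message) next to the Return-Path Phil uses. The headers it parses are constructed sample data, not a real Klez message; host names and addresses are made up.

```python
# Walk the Received: chain of a raw message and report the bottom-most hop,
# i.e. the line added by the first server that accepted the message and the
# one closest to the real sender. Headers above it were added by later relays.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real capture); hosts and addresses are made up.
SAMPLE = """\
Return-Path: <someone@example.net>
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
\tby mail.example.org with ESMTP id 123 for <me@example.org>;
\tMon, 16 Sep 2002 11:01:00 -0400
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx2.example.org with ESMTP id 456;
\tMon, 16 Sep 2002 10:59:00 -0400
Received: from homepc (dsl-1-2-3-4.example.net [198.51.100.7])
\tby relay.example.net with SMTP id 789;
\tMon, 16 Sep 2002 10:58:00 -0400
From: "Spoofed Name" <forged@example.com>
To: me@example.org
Subject: cellspacing

body
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as most MTAs write it.
RECEIVED_FROM = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?", re.I)
IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F.:]+)\]")

def received_hops(raw):
    """Received: lines in header order, whitespace-folded into single lines."""
    msg = message_from_string(raw)
    return msg, [" ".join(h.split()) for h in msg.get_all("Received", [])]

def parse_hop(received):
    """Pull the claimed HELO name and the IP the receiving server recorded."""
    m = RECEIVED_FROM.match(received)
    paren = (m.group("paren") or "") if m else ""
    ip = IP_IN_BRACKETS.search(paren)
    return {"helo": m.group("helo") if m else None,
            "ip": ip.group(1) if ip else None, "raw": received}

def origin_report(raw):
    """Return-Path, From: header and the first (bottom) Received: hop."""
    msg, hops = received_hops(raw)
    return {"return_path": parseaddr(msg.get("Return-Path", ""))[1],
            "from_header": msg.get("From"), "hop_count": len(hops),
            "first_hop": parse_hop(hops[-1]) if hops else None}

if __name__ == "__main__":
    for key, value in origin_report(SAMPLE).items():
        print(f"{key}: {value}")
```

Note that From: and the first hop disagree here, as they do with Klez; the IP in brackets on the bottom hop was recorded by the receiving server, while the HELO name beside it is whatever the sending machine claimed.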



