[wplug] A virus among us?

Henry Umansky hmust2+ at pitt.edu
Mon Sep 16 13:59:10 EDT 2002


I need to correct my previous email.  One of my co-workers mentioned that 
some viruses have their own built-in SMTP program, so they do not need to 
rely on your own personal email client.  But the bottom Received line is 
usually accurate.

--On Monday, September 16, 2002 11:49 AM -0400 Henry Umansky 
<hmust2+ at pitt.edu> wrote:

> If you view the full headers and look at the very last "Received:" line
> that is from the originating sender.  However, that line can be spoofed
> but it is usually accurate for the most part because the Klez virus
> depends on the default mailto clients and most email clients will not let
> the user interact with the SMTP server directly.  Interacting directly
> with the SMTP server is the only way to spoof the bottom Received line.
> Email me if you would like more help in figuring out the origin of the
> virus.
>
> --On Monday, September 16, 2002 11:23 AM -0400 "Phil Walther, Jr."
> <philjr at attglobal.net> wrote:
>
>> If you view the Return-Path (not the reply to) part of the header, you
>> will see where it came from.  I receive about 5-10 KLEZ infected mails
>> every day. When I receive these, I forward an advisory with the original
>> header as part of the e-mail to the return path sender and cc abuse and
>> postmaster at the originating domain.
>>
>> Since I have to use M$ Outlook (well don't have to), I use a virus
>> scanner that has the outlook plugins and does incoming scans of files,
>> web elements, etc.  For Win systems, Norton and McAfee are tops, and
>> there are a few other lesser known ones that do just as good a job.
>> McAfee has a nice option called HAWK, where it'll flag you if multiple
>> mails are "spamming" out your mail client.
>>
>> -----Original Message-----
>> From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org]On Behalf Of
>> Mark Dalrymple
>> Sent: Monday, September 16, 2002 11:01 AM
>> To: wplug at wplug.org
>> Subject: Re: [wplug] A virus amoung us?
>>
>>
>>> The latest
>>> one, received on Saturday, had "cellspacing" as the subject line and was
>>> returned to me from markd at badgertronics.com.
>>
>> Remember that the klez viruses use random from and to addresses, and that
>> it scrapes them from the browser cache in addition to the address books.
>> I am markd at badgertronics.com, and I have zero (none, zip, nada) windows
>> systems, so it could not come from me.
>>
>>
>> If ya have any questions or concerns, feel free to drop me a line
>> directly (or hang out in #wplug)
>>
>> Cheers,
>> ++Mark Dalrymple, markd at badgertronics.com.  http://badgertronics.com
>>   "If a Trinitron monitor can make Windows look somewhat elegant
>>    then I say that is ONE HELL OF A MONITOR." -- Michael O'Neil
>> _______________________________________________
>> wplug mailing list
>> wplug at wplug.org
>> http://www.wplug.org/mailman/listinfo/wplug
>>
>
>
>
> Henry Umansky
> University of Pittsburgh
> Systems/Programmer III
> www.pitt.edu/~hmust2
> hmust2 at pitt.edu
> (412)624-4357
>



Henry Umansky
University of Pittsburgh
Systems/Programmer III
www.pitt.edu/~hmust2
hmust2 at pitt.edu
(412)624-4357
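As an added example (not code from any post in this thread): walk the Received: chain of a raw message from the bottom up, as Henry describes, pull out the relay that first injected it, and compare that relay's reverse DNS with the From: domain that Klez forges. It assumes Python 3 with its standard email module; the sample message, hosts and addresses are constructed.

```python
# Added example: find the bottom Received: hop (the injecting relay) and
# check whether it plausibly belongs to the From: domain.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: all hosts, IPs and addresses are made up.
SAMPLE = """\
Return-Path: <someone@example.org>
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mail.example.edu with ESMTP id abc123
\tfor <victim@example.edu>; Mon, 16 Sep 2002 11:00:00 -0400
Received: from example.org (dsl-203-0-113-7.isp.example.net [203.0.113.7])
\tby mx.example.edu with SMTP id def456;
\tMon, 16 Sep 2002 10:59:58 -0400
From: someone@example.org
To: victim@example.edu
Subject: cellspacing
"""

# "from <helo> (<reverse-dns> [<ip>])" as most MTAs write the clause
_FROM_RE = re.compile(r"from\s+(\S+)\s*\((?:(\S+)\s+)?\[([0-9.]+)\]\)", re.I)

def received_chain(raw):
    """Received: headers in delivery order: the bottom (first) hop first."""
    msg = message_from_string(raw)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))

def origin_hop(raw):
    """Parse the bottom Received: line into (helo name, reverse DNS, IP)."""
    hops = received_chain(raw)
    if not hops:
        return None
    m = _FROM_RE.search(hops[0])
    return (m.group(1), m.group(2), m.group(3)) if m else None

def from_domain(raw):
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()

def looks_forged(raw):
    """True when the injecting host's reverse DNS is not in the From: domain."""
    hop = origin_hop(raw)
    if hop is None:
        return True
    rdns = (hop[1] or "").lower()
    dom = from_domain(raw)
    return not (rdns == dom or rdns.endswith("." + dom))
```

The HELO name in the bottom hop is whatever the sending host claimed, so the reverse DNS and IP in brackets (recorded by the receiving MTA) are the parts worth trusting.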
