[wplug] A virus among us?

Weber, Larry A laweber at switch.com
Mon Sep 16 14:22:19 EDT 2002


Thanks for your help.  Hopefully I have located the correct source and I
have notified their ISP.

> -----Original Message-----
> From:	Henry Umansky [SMTP:hmust2+ at pitt.edu]
> Sent:	Monday, September 16, 2002 1:59 PM
> To:	wplug at wplug.org
> Subject:	RE: [wplug] A virus among us?
> 
> I need to correct my previous email.  One of my co-workers mentioned that 
> some viruses have their own built-in SMTP program so they do not need to 
> rely on your own personal email client.  But the bottom received line is
> usually accurate.
> 
> --On Monday, September 16, 2002 11:49 AM -0400 Henry Umansky 
> <hmust2+ at pitt.edu> wrote:
> 
> > If you view the full headers and look at the very last "Received:" line
> > that is from the originating sender.  However, that line can be spoofed
> > but it is usually accurate for the most part because the Klez virus
> > depends on the default mailto clients and most email clients will not let
> > the user interact with the SMTP server directly.  Interacting directly
> > with the SMTP server is the only way to spoof the bottom Received line.
> > Email me if you would like more help in figuring out the origin of the
> > virus.
> >
> > --On Monday, September 16, 2002 11:23 AM -0400 "Phil Walther, Jr."
> > <philjr at attglobal.net> wrote:
> >
> >> If you view the Return-Path (not the reply to) part of the header, you
> >> will see where it came from.  I receive about 5-10 KLEZ infected mails
> >> every day. When I receive these, I forward an advisory with the original
> >> header as part of the e-mail to the return path sender and cc abuse and
> >> postmaster at the originating domain.
> >>
> >> Since I have to use M$ Outlook (well don't have to), I use a virus
> >> scanner that has the outlook plugins and does incoming scans of files,
> >> web elements, etc.  For Win systems, Norton and McAfee are tops, and
> >> there are a few other lesser known ones that do just as good a job.
> >> McAfee has a nice option called HAWK, where it'll flag you if multiple
> >> mails are "spamming" out your mail client.
> >>
> >> -----Original Message-----
> >> From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org]On Behalf Of
> >> Mark Dalrymple
> >> Sent: Monday, September 16, 2002 11:01 AM
> >> To: wplug at wplug.org
> >> Subject: Re: [wplug] A virus amoung us?
> >>
> >>
> >>> The latest
> >>> one, received on Saturday, had "cellspacing" as the subject line and was
> >>> returned to me from markd at badgertronics.com.
> >>
> >> Remember that the klez viruses use random from and to addresses, and that
> >> it scrapes them from the browser cache in addition to the address books.
> >> I am markd at badgertronics.com, and I have zero (none, zip, nada) windows
> >> systems, so it could not come from me.
> >>
> >>
> >> If ya have any questions or concerns, feel free to drop me a line
> >> directly (or hang out in #wplug)
> >>
> >> Cheers,
> >> ++Mark Dalrymple, markd at badgertronics.com.  http://badgertronics.com
> >>   "If a Trinitron monitor can make Windows look somewhat elegant
> >>    then I say that is ONE HELL OF A MONITOR." -- Michael O'Neil
> >> _______________________________________________
> >> wplug mailing list
> >> wplug at wplug.org
> >> http://www.wplug.org/mailman/listinfo/wplug
> >>
> >
> >
> >
> > Henry Umansky
> > University of Pittsburgh
> > Systems/Programmer III
> > www.pitt.edu/~hmust2
> > hmust2 at pitt.edu
> > (412)624-4357
> >
> 
> 
> 
> Henry Umansky
> University of Pittsburgh
> Systems/Programmer III
> www.pitt.edu/~hmust2
> hmust2 at pitt.edu
> (412)624-4357
> 
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
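
An added example, not part of the original thread: the header tracing discussed above, written as a Python sketch that lists the "Received:" hops and picks out the one line written by the recipient's own mail server, since lines below it are supplied by the sending side. The sample message, host names, addresses and the function names `received_hops` and `boundary_hop` are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not from the thread); names and IPs are documentation values.
SAMPLE = """\
Return-Path: <someone@forged.example>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id A1; Mon, 16 Sep 2002 11:00:05 -0400
Received: from dialup-77.isp.example (dialup-77.isp.example [198.51.100.77])
\tby mx.recipient.example with SMTP id B2; Mon, 16 Sep 2002 11:00:03 -0400
Received: from relay.fake.example ([203.0.113.5])
\tby dialup-77.isp.example with SMTP id C3; Mon, 16 Sep 2002 10:59:00 -0400
From: someone@forged.example
Subject: cellspacing

body
"""

HOP = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)")
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return the Received hops, newest (top) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            ip = IP.search(m.group(2) or "")
            hops.append({"helo": m.group(1), "by": m.group(3),
                         "ip": ip.group(1) if ip else None})
    return hops

def boundary_hop(raw, own_suffix, own_net):
    """First hop, reading top-down, where one of our servers accepted the
    message from an address outside our network. Our server wrote that line,
    so its IP is reliable; every line below it was supplied by the sender."""
    net = ipaddress.ip_network(own_net)
    for hop in received_hops(raw):
        ours = hop["by"].endswith(own_suffix)
        inside = hop["ip"] and ipaddress.ip_address(hop["ip"]) in net
        if ours and not inside:
            return hop
    return None

if __name__ == "__main__":
    print("bottom line claims:", received_hops(SAMPLE)[-1]["ip"])
    print("verified handoff:  ", boundary_hop(SAMPLE, ".recipient.example", "192.0.2.0/24")["ip"])
```

In the constructed sample the bottom line and the verified handoff name different addresses, which is the case where an abuse report should go to the network that owns the handoff address.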


