Source of Klez infection

Thread: Source of Klez infection

  1. #1
    AntiOnline Newbie
    Join Date
    Apr 2002
    Posts
    91

    Source of Klez infection

    I've read enough about W32.Klez on some of the web sites to be generally familiar with it, but I'm wondering if anyone has found answers to the following:

    Does a line in the full header of an infected message show the address of the source of the infected message? (For those newbies unfamiliar with this, I mean the "return path" source shown when you right click a message in the inbox and choose "options' in Outlook or "properties" in Outlook Express.) I know that the address in the "From" line of Klez-infected messages is normally either another address found on the infected machine or chosen from a list of random addresses.

    It sure would be nice to know whose machine these are really coming from.

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Is the "from" in the header record different than the one that appears on the e-mail?
    DjM

  3. #3
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    I haven't found a way to get the actual sender yet, but if I figure it out.....
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  4. #4
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by souleman
    I haven't found a way to get the actual sender yet, but if I figure it out.....
    In my shop, I have an e-mail gateway that intercepts the inbound e-mail and scans it before passing it along to my SMTP server (you might be able to do it at the sendmail server as well). I noticed that the "From" address on my Gateway is different than the "From" address after the e-mail has been cleaned and passes along to the user. I have asked the vendor about this and their response was "the address on the gateway may or may not be the originator, it depends on how mangled the header record is after the virus gets through with it."
    What I have done is look for 'repeat addresses' on my gateway (people that seem to be sending us a lot of infected e-mails). When I identify one, I send them a polite note suggesting they may have a virus. I point them to information on the virus, a page where they can perform an online scan and a link to a tool that will remove the virus. So far this seems to have worked (I have helped out about a half dozen people so far).
    DjM

  5. #5
    AntiOnline Newbie
    Join Date
    Apr 2002
    Posts
    91
    Thanks for the replies. Yes, DjM, the ones I have received have had a different address in the "From" box than was shown as return-path in the full header. As it turns out, my friend, whose address was shown in the "return-path" on both messages, does have an infected machine. But she told me initially that she hadn't even turned her computer on the first day I got one of the infected messages. And the first message was totally different from the second. That led me to wonder at first if these messages had come from someone else we both knew who had both of our addresses in their address book.

    Interesting, though, if it is a case that the full header can sometimes, but not always, identify the source of the infection. You'd think it would be an either/or situation.

  6. #6
    Senior Member
    Join Date
    Feb 2002
    Posts
    253
    For what it is worth, I recently received two Klez-infected emails. The From portions of the headers were different, but the ReturnPath of both were the same. Does this indicate that the same infected PC was the source of both?
    From: lamer@aol.com
    Ret: TyphoidMary@nlug.org
    From: zippo@comcast.net
    Ret: TyphoidMary@nlug.org
    In this example, could TyphoidMary be the address of the infected PC?

    BTW, on both emails, the From portion of the header is the same as the From portion of the email interface.

  7. #7
    AntiOnline Newbie
    Join Date
    Apr 2002
    Posts
    91
    Bucket - I'd certainly contact TyphoidMary and let her know her computer might be infected with the worm. But from what DjM says, it sounds as though it is possible that that might not be the source, too. So I'd include a link to some of the AV literature which shows how the worm can spoof addresses, so if her AV scan comes up clean she won't panic.

    BTW Bucket, we have something in common. I'll update my profile.

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    I'm pretty sure you can

    this was the header i received a couple of days ago....

    Received: from Lfgf (ACA932A8.ipt.aol.com [172.169.50.168])
    by smtp.gotnet.net (8.11.6/8.11.6) with SMTP id g3L3ESK25611
    for <webmaster@mydomain.com>; Sat, 20 Apr 2002 20:14:28 -0700
    the visible sender was

    billboards <billboards@mindspring.com>
    but it was the aol address that sent it
    "I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
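The hop-by-hop reading of the Received headers that this post relies on, written out as an added example (not code from the thread). It assumes a constructed two-hop message modelled on the quoted header and a caller-supplied set of relays whose Received stamps are trusted; the originating IP is the one recorded by the earliest trusted relay, since any Received lines below that could have been written by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the Received line quoted in post #8. The
# aol.com hop is the poster's; the Return-Path and the outer hop are made up.
SAMPLE = """Return-Path: <billboards@mindspring.com>
Received: from smtp.gotnet.net (smtp.gotnet.net [203.0.113.5])
    by mail.mydomain.com (Postfix) with ESMTP id 1A2B3C
    for <webmaster@mydomain.com>; Sat, 20 Apr 2002 20:14:30 -0700
Received: from Lfgf (ACA932A8.ipt.aol.com [172.169.50.168])
    by smtp.gotnet.net (8.11.6/8.11.6) with SMTP id g3L3ESK25611
    for <webmaster@mydomain.com>; Sat, 20 Apr 2002 20:14:28 -0700
From: billboards <billboards@mindspring.com>
"""

# "from HELO (rdns [ip]) by relay": rdns is optional, so only the IP is required.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def parse_hop(value):
    """Flatten a (possibly folded) Received header and pull out one hop."""
    m = HOP_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None

def trace_origin(raw, trusted_relays):
    """Return the hop stamped by the earliest relay we trust, plus From and
    Return-Path. Received headers are prepended, so index 0 is the newest;
    walk down from the top and stop at the last hop added by our own relay,
    because lines below it may be forged but the IP our relay saw cannot."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    origin = None
    for hop in hops:
        if hop["by"].lower() not in trusted_relays:
            break
        origin = hop
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    rdns = (origin or {}).get("rdns") or ""
    origin_dom = ".".join(rdns.lower().split(".")[-2:])
    return {"origin": origin, "from": from_addr, "return_path": return_path,
            "sender_domain_mismatch": bool(origin) and from_dom != origin_dom}

if __name__ == "__main__":
    print(trace_origin(SAMPLE, {"mail.mydomain.com", "smtp.gotnet.net"}))
```

A mismatch between the From domain and the reverse DNS of the originating hop is the signature of the spoofing discussed in this thread; the IP in that hop, not the From or Return-Path address, is what to report to the owner of the infected machine.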

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    253
    The potential carrier is bemyers@twlakes.net . To find out who/what this person is, I need a certain online database that is now offline-dead.

    It seems to be too much of a coincidence that his/her email address appeared as the return path of 2 virus infected emails.
    While I have read that Klez spoofs the From portion of an email address, I haven't read anything about a spoofed return path.

    I did send a warning Hotmail to the twlakes.net address. Hope that it does some good.

  10. #10
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    I'm like you guys, I haven't been able to determine the true source of the email and I'm not sure if it is possible. I've been so busy with some other hardware installs and setups that I haven't had time to investigate Klez too deeply. However, I had to clean some machines that got infected with that damn virus the other day.
    - Maverick
