-
May 1st, 2002, 06:19 PM
#1
Source of Klez infection
I've read enough about W32.Klez on some of the web sites to be generally familiar with it, but I'm wondering if anyone has found answers to the following:
Does a line in the full header of an infected message show the address of the source of the infected message? (For those newbies unfamiliar with this, I mean the "return path" source shown when you right click a message in the inbox and choose "options" in Outlook or "properties" in Outlook Express.) I know that the address in the "From" line of Klez-infected messages is normally either another address found on the infected machine or chosen from a list of random addresses.
It sure would be nice to know whose machine these are really coming from.
-
May 1st, 2002, 06:34 PM
#2
Is the "from" in the header record different than the one that appears on the e-mail?
-
May 1st, 2002, 07:23 PM
#3
I haven't found a way to get the actual sender yet, but if I figure it out.....
"Ignorance is bliss....
but only for your enemy"
-- souleman
-
May 1st, 2002, 07:49 PM
#4
Originally posted here by souleman
I haven't found a way to get the actual sender yet, but if I figure it out.....
In my shop, I have an e-mail gateway that intercepts the inbound e-mail and scans it before passing it along to my SMTP server (you might be able to do it at the sendmail server as well). I noticed that the "From" address on my Gateway is different than the "From" address after the e-mail has been cleaned and passed along to the user. I have asked the vendor about this and their response was "the address on the gateway may or may not be the originator, it depends on how mangled the header record is after the virus gets through with it."
What I have done is look for 'repeat addresses' on my gateway (people that seem to be sending us a lot of infected e-mails). When I identify one, I send them a polite note suggesting they may have a virus. I point them to information on the virus, a page where they can perform an online scan and a link to a tool that will remove the virus. So far this seems to have worked (I have helped out about a half dozen people so far).
-
May 2nd, 2002, 12:03 AM
#5
Thanks for the replies. Yes, DjM, the ones I have received have had a different address in the "From" box than was shown as return-path in the full header. As it turns out, my friend, whose address was shown in the "return-path" on both messages, does have an infected machine. But she told me initially that she hadn't even turned her computer on the first day I got one of the infected messages. And the first message was totally different from the second. That led me to wonder at first if these messages had come from someone else we both knew who had both of our addresses in their address book.
Interesting, though, if it is a case that the full header can sometimes, but not always, identify the source of the infection. You'd think it would be an either/or situation.
-
May 2nd, 2002, 12:34 AM
#6
For what it is worth, I recently received two Klez-infected emails. The From portions of the headers were different, but the ReturnPath of both were the same. Does this indicate that the same infected PC was the source of both?
From: [email protected]
Ret: [email protected]
From: [email protected]
Ret: [email protected]
In this example, could TyphoidMary be the address of the infected PC?
BTW, on both emails, the From portion of the header is the same as the From portion of the email interface.
-
May 2nd, 2002, 01:48 AM
#7
Bucket - I'd certainly contact TyphoidMary and let her know her computer might be infected with the worm. But from what DjM says, it sounds as though it is possible that that might not be the source, too. So I'd include a link to some of the AV literature which shows how the worm can spoof addresses, so if her AV scan comes up clean she won't panic.
BTW Bucket, we have something in common. I'll update my profile.
-
May 2nd, 2002, 04:45 AM
#8
I'm pretty sure you can.
This was the header I received a couple of days ago....
Received: from Lfgf (ACA932A8.ipt.aol.com [172.169.50.168])
by smtp.gotnet.net (8.11.6/8.11.6) with SMTP id g3L3ESK25611
for < [email protected]>; Sat, 20 Apr 2002 20:14:28 -0700
the visible sender was
but it was the AOL address that sent it.
"I used to be with IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
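The check the post above does by eye (ignore "From" and Return-Path, read the Received line and take the connecting host in brackets) can be automated. The script below is an added example, not code from this thread or from any Klez write-up. It parses the Received chain of a message, reports the bottom hop as the *claimed* origin, and reports as the *verified* origin only the connecting IP recorded by an MTA you operate, because every Received line below your own server's arrived inside the message and could have been written by the sender. The sample message, its host names, addresses and the extra relay hop are constructed for illustration; the first hop is modelled on the sendmail line quoted in the post. Since Klez's own SMTP engine usually connects straight to the recipient's server, the line your server stamps is normally the one that names the infected host.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the thread). Host names, addresses and
# the relay hop via mail.example.org are invented; the bottom Received line is
# shaped like the sendmail header quoted in the post above.
SAMPLE = """\
Return-Path: <typhoidmary@example.net>
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.com (8.11.6/8.11.6) with ESMTP id g3L3ESK25611
    for <victim@example.com>; Sat, 20 Apr 2002 20:14:28 -0700
Received: from Lfgf (ACA932A8.ipt.aol.com [172.169.50.168])
    by mail.example.org (8.11.6/8.11.6) with SMTP id g3L3ESK25610
    for <victim@example.com>; Sat, 20 Apr 2002 20:14:20 -0700
From: friend@example.org
To: victim@example.com
Subject: a funny game

(worm attachment would be here)
"""

# "from <helo> (<rdns> [<ip>]) by <host>": the shape sendmail and postfix write.
# The bracketed IP is the peer address the receiving MTA saw on the TCP socket;
# <helo> is whatever the client announced and is worthless as evidence.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[\d.]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Parse one Received header value; None if it has no 'from ... by ...' clause."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    if not m:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": m["by"]}


def analyze(raw, trusted_by):
    """Compare the visible sender with the Received chain.

    trusted_by: lower-case names of MTAs you operate. Walking back from your own
    server, a hop counts as evidence only while every Received line between it
    and you was written by a trusted MTA; the first untrusted line ends the walk,
    since it and everything below it could have been forged by the sender.
    """
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()  # MTAs prepend, so the bottom line is the earliest hop

    verified_origin = None
    for hop in reversed(hops):  # newest hop (ours) first
        if hop["by"].lower() not in trusted_by:
            break
        verified_origin = hop["ip"]  # peer IP observed by a server we control

    return {
        "from": parseaddr(msg.get("From", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "claimed_origin": hops[0]["ip"] if hops else None,
        "verified_origin": verified_origin,
        "hops": hops,
    }


def report(result):
    """Render the comparison as the short note you would paste into a ticket."""
    lines = [
        f"From header:     {result['from']}",
        f"Return-Path:     {result['return_path']}",
        f"claimed origin:  {result['claimed_origin']}  (bottom Received line; forgeable)",
        f"verified origin: {result['verified_origin']}  (recorded by an MTA you control)",
    ]
    if result["from"] != result["return_path"]:
        lines.append("From and Return-Path disagree: typical of Klez, trust neither as the sender.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Trusting only our own MX: the AOL hop is unverifiable, the relay is not.
    print(report(analyze(SAMPLE, {"mx.example.com"})))
```

Run against a real message by reading the full raw headers (Outlook Express "properties", or the gateway's copy) into `raw` and putting your own mail servers' names in `trusted_by`; with the single-hop header quoted in the post, that yields `172.169.50.168` as the verified origin. When the worm came through an intermediate relay you do not run, the script deliberately stops at that relay and reports it, which is the same "may or may not be the originator" caveat DjM's gateway vendor gave.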
-
May 2nd, 2002, 04:49 AM
#9
-
May 2nd, 2002, 05:13 AM
#10
I'm like you guys, I haven't been able to determine the true source of the email and I'm not sure if it is possible. I've been so busy with some other hardware installs and setups that I haven't had time to investigate Klez too deeply. However, I had to clean some machines that got infected with that damn virus the other day.