
Thread: Source of Klez infection

  1. #11
    AntiOnline Newbie
    Join Date
    Apr 2002
    Posts
    91
    Oh, boy, this may get interesting! I just received another Klez infected message. And if the sender is the one listed in the return path of the header, it is the secretary of a large group to which I belong. That would mean infected messages went out to everyone in the group. These are mostly middle-aged and elderly ladies, many of whom just don't pay much attention to such things as antivirus protection. I'll bet they will be more educated after this!

    I called the group secretary, and she already has a friend over there looking at her computer, thinking she might have a virus. So again it really does sound like the return path address might be correct.

  2. #12
    Senior Member
    Join Date
    Aug 2001
    Posts
    267
    Reading the headers can give you a clue as to its origin. I took the IP address, traced it back and it belonged to a client. A quick phone call, and they started scanning PCs. They found one with over 200 infected files, unplugged it from the network and then started cleaning.

  3. #13
    Senior Member
    Join Date
    Feb 2002
    Posts
    253
    I just called the individual in the Return path, bemyers. He told me that his computer was infected with a virus, but that he "fixed it" yesterday afternoon.
    Looks like the Return Path theory is correct.

  4. #14
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    HMM..., I have been dealing with one version of klez in which the "return path" is not the person with an infected machine. We have a fairly reliable AV setup, which scans all inbound messages, among other things...

    One of our users was receiving lots of undeliverable messages from postmaster at many different domains having to do with Klez. After checking into it, I found that

    1. Our user's email address was in the return path of the original message.
    2. Many different addresses were in the "From" address.
    3. There was an IP address listed in the header which was not related to us in any way. I went to the ISP to whom the IP was registered, and they confirmed that the entity which used that IP address did indeed have a problem, that we were not the only ones to complain, and that it was being cleaned up.
    4. None of our users were infected.

    It seems that at least one version of klez also modifies the return path.

    Either that, or this is evidence that someone related to the offending IP address may have been attempting to access our user's mail without authorization, or send mail as our user for some purpose, never removed the settings, and Klez grabbed them.

    I do however know without question that the user in question was never infected by klez, on any machine which he uses.

    I do know of some people who have been initially infected by Klez from opening attachments in messages returned to them as undeliverable (which they didn't send out in the first place) because they were in the return path. Not at my organization, but some friends have had this happen.

    Also possible is that klez may send out messages claiming to be postmaster bounce messages from your own domain.

    Check this link.

    http://[email protected]

    If someone whose address is in the return path is infected, it may well be that they are not the source of the messages that you are receiving, but are infected as a secondary effect of someone else's infection.

    IchNiSan
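    The header triage the posts above describe (compare the spoofable Return-Path and From fields against the relay IP recorded in the Received chain), as an added example that is not part of the thread. The message, addresses and IPs are constructed for illustration.

```python
# Added example (not from the thread): triage a worm-style message whose
# Return-Path and From name innocent addresses. Only the Received chain,
# written by each relay, records where the mail really entered our MX.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: Klez-style bounce with mismatched sender fields.
SAMPLE_MESSAGE = """\
Return-Path: <secretary@example.org>
Received: from mx.example.org (mx.example.org [198.51.100.7])
    by mail.example.org with ESMTP id abc123; Tue, 16 Jul 2002 10:02:11 -0400
Received: from Xvhwqk (pool-203-0-113-42.isp.example.net [203.0.113.42])
    by mx.example.org with SMTP id def456; Tue, 16 Jul 2002 10:02:09 -0400
From: alice@example.net
To: bob@example.org
Subject: Undeliverable mail--"Hi"

(body omitted)
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def triage(raw: str) -> dict:
    """Return the spoofable sender fields and the originating relay IP."""
    msg = message_from_string(raw)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_addr = parseaddr(msg.get("From", ""))[1]
    # Each relay prepends its own Received header, so the last one in the
    # list is the earliest hop: the host that handed the mail to our MX.
    hops = [RECEIVED_IP.search(h) for h in msg.get_all("Received", [])]
    ips = [m.group(1) for m in hops if m]
    return {
        "return_path": return_path,
        "from": from_addr,
        "origin_ip": ips[-1] if ips else None,
        # Disagreeing sender fields are a hint of spoofing, not proof of
        # who is infected; the origin IP is what to hand to the ISP.
        "sender_fields_disagree": return_path.lower() != from_addr.lower(),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

    Neither address named in the sender fields is treated as the infected party; the origin IP is the lead to follow up with the ISP, as the posts above did.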

  5. #15
    Senior Member
    Join Date
    Feb 2002
    Posts
    253
    Could the ReturnPath theory work on Klez.G/H and fail on Klez.E ?

  6. #16
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    It could very possibly work on some, and not on others. I haven't taken the time to study it fully, as I am mainly interested in making sure we don't get it, but there are lots of different behaviors that seem to pop up.

    As I said, it is also possible that you are right about the return path, and what I am seeing is evidence that someone was trying to mess with one of our user's mail, never changed their settings back, then got infected. Or stole a computer which this user had used before, etc., etc. Myriad other possibilities here.

    I can't say for sure now. I'm not getting as much info out of the ISP as I would like about the source IP I found, and what the exact deal is with them. I understand why, but it is frustrating to say the least.

    Maybe I will take the time to study it some.

  7. #17
    Senior Member
    Join Date
    Feb 2002
    Posts
    253
    Hey IchNiSan:
    Zigar pointed out that Klez has been found to be infected with W95.CIH.1049. See:

    http://sarc.com/avcenter/venc/data/w95.cih.1049.html

    Someone must solve this problem before August 2nd, the trigger date for that version of CIH.
