Security Basics mailing list archives
Re: Can anybody explain this Klez Variant?
From: Dan Donkers <donks () kent net>
Date: Fri, 7 Feb 2003 19:02:52 -0500 (EST)
On Thu, 6 Feb 2003, Drexcia ==== wrote:
Hi Guys,
A friend of mine received this message supposedly from me in his hotmail account. Names/Email addresses have been changed but you'll get the idea

<snip>
From : my_name <my_name () excite com au>
To : myfriend () hotmail com
Subject : A good tool
Date : Mon, 6 Jan 2003 02:36:46 -0600
MIME-Version: 1.0
Received: from out009.verizon.net ([206.46.170.131]) by
                                    ^^^^^^^^^^^^^^^

This IP address is where the virus came from. Hotmail has documented in these headers who it received the message from. It resolves to address space owned by someone in Woburg, MA. The next "Received:" header is either a relay or forged.

More than likely, the sender has both of you in their address book, with your address being the old one at excite. There are Klez variants that take addresses from the address book and use them for from/to addresses.

HTH,
Dan

mc1-f5.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Mon, 6 Jan 2003 00:36:47 -0800
Received: from Idxgvfqiv ([198.142.240.35]) by out009.verizon.net (InterMail vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP id <20030106083621.IPQL7162.out009.verizon.net@Idxgvfqiv> for <myfriend () hotmail com>; Mon, 6 Jan 2003 02:36:21 -0600
********************************* * Registered Linux user: 244008 * "Free speech is the right to yell * * 'theater' in a crowded fire" * Powered by Slackware 8.0 * *********************************
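The header reading described in the reply above, as an added example that is not part of the original post: it walks the `Received:` chain newest-first and treats a hop as verified only while it was stamped by the recipient's own provider. The function names and the `.hotmail.com` trust suffix are assumptions made for illustration; the headers are the ones quoted in this thread, and the pattern handles IPv4 literals only.

```python
import re
from email import message_from_string

# Headers as quoted in this thread (addresses anonymised as in the post).
RAW = """\
Received: from out009.verizon.net ([206.46.170.131]) by
 mc1-f5.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600);
 Mon, 6 Jan 2003 00:36:47 -0800
Received: from Idxgvfqiv ([198.142.240.35]) by out009.verizon.net
 (InterMail vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP
 id <20030106083621.IPQL7162.out009.verizon.net@Idxgvfqiv>
 for <myfriend () hotmail com>; Mon, 6 Jan 2003 02:36:21 -0600
Subject: A good tool

"""

# "from <helo name> ([<ip>]) by <receiving host>"; \s+ also spans folded lines.
HOP = re.compile(r"from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)")

def received_hops(raw):
    """Return the Received hops newest-first (the order they appear in)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops

def classify(hops, trusted_suffix):
    """Flag a hop as verified only while every hop from the top down was
    written by a host under trusted_suffix (the recipient's provider)."""
    trusted, out = True, []
    for hop in hops:
        trusted = trusted and hop["by"].lower().endswith(trusted_suffix)
        out.append({**hop, "verified": trusted})
    return out

def connecting_ip(hops, trusted_suffix):
    """IP of the last verified hop: the address the provider itself saw."""
    verified = [h for h in classify(hops, trusted_suffix) if h["verified"]]
    return verified[-1]["ip"] if verified else None

if __name__ == "__main__":
    for hop in classify(received_hops(RAW), ".hotmail.com"):
        state = "verified" if hop["verified"] else "unverified (relay or forged)"
        print(f'{hop["ip"]:<16} helo={hop["helo"]:<20} by={hop["by"]}  {state}')
```

Anything below the first hop not stamped by the trusted provider is sender-supplied text and can only be treated as a lead, not as evidence.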