[ale] Klez virus

James P. Kinney III jkinney at localnetsolutions.com
Mon Mar 31 13:28:46 EST 2003


The closest apparent "sender" is
c-24-98-68-66.atl.client2.attbi.com

which is a dhcp-named machine.

And yes, anyone using a "learnlink.emory.edu" address would not have a
clue as to how to spoof source addresses in email :)

On Mon, 2003-03-31 at 11:42, Sean Kilpatrick wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I am not very good at deciphering header data.
> Can anyone tell me where this little goodie
> _might_ have come from?
> Obviously enough, the attachments have not been
> made part of this message.  I say that with
> the near certainty that the attachments are,
> indeed, the virus.
> 
> Sean
> 
> PS the "From:" line is obviously spoofed as that
> individual wouldn't have a clue about creating
> an anti-virus virus.
> - ------------------- <copied material follows> -----------------
> 
> Status: R 
> Return-Path: <dwender1 at comcast.net>
> Received: from smtp.comcast.net ([24.153.64.109])
>         by wanamaker.mail.atl.earthlink.net (Earthlink Mail Service) with 
> SMTP id 18ZTmn77U3Nl3oJ0
>         for <kilpatms at mindspring.com>; Mon, 31 Mar 2003 02:05:35 -0500 (EST)
> Received: from Zjqulo (c-24-98-68-66.atl.client2.attbi.com [24.98.68.66])
>  by mtaout11.icomcast.net
>  (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
>  with SMTP id <0HCL00AKJQAD5J at mtaout11.icomcast.net> for
>  kilpatms at mindspring.com; Mon, 31 Mar 2003 02:03:52 -0500 (EST)
> Date: Mon, 31 Mar 2003 02:03:49 -0500 (EST)
> Date-warning: Date header was inserted by mtaout11.icomcast.net
> From: rschult <rschult at LearnLink.Emory.Edu>
> Subject: Worm Klez.E immunity
> To: kilpatms at mindspring.com
> Message-id: <0HCL00AKKQAD5J at mtaout11.icomcast.net>
> MIME-version: 1.0
> Content-type: multipart/alternative;
>   boundary="Boundary_(ID_yI3GAkUX7+ZkfJF9/2Lgew)"
> X-Status: N
> 
> 
> <HTML><HEAD></HEAD><BODY>
> 
> <FONT>Klez.E is the most common world-wide spreading worm.It's very 
> dangerous by corrupting your files.<br>
> Because of its very smart stealth and anti-anti-virus technic,most common AV 
> software can't detect or clean it.<br>
> We developed this free immunity tool to defeat the malicious virus.<br>
> You only need to run this tool once,and then Klez will never come into your 
> PC.<br>
> NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV 
> monitor maybe cry when you run it.<br>
> If so,Ignore the warning,and select 'continue'.<br>
> If you have any question,please <a 
> href=mailto:rschult at LearnLink.Emory.Edu>mail to 
> me</a>.</FONT></BODY></HTML>
> 
> - ----------------------- <end copied material> ------------------------------
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
> 
> iD8DBQE+iG/h73hVp4UeGJERAv/VAKDHCkYVt2S+Mbg7C81pxtSUGPSOUwCeO7RZ
> Tod/k9S90/2v4uNvNs2KbLg=
> =6PJY
> -----END PGP SIGNATURE-----
> 
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
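
Added example, not part of the original thread: a Python sketch of the header reading discussed above, run over the Received chain copied from the quoted message. It walks the hops oldest-first, separates the client-supplied HELO name from the reverse DNS name and IP that the receiving server recorded, and compares the From: domain with the Return-Path domain. The function names and the regular expression are this example's own, and it assumes every Received line shown was written by a relay that is not lying.

```python
import re
from email import message_from_string

# Headers copied from the quoted message; the archive's " at " form is kept.
RAW = """\
Return-Path: <dwender1 at comcast.net>
Received: from smtp.comcast.net ([24.153.64.109])
        by wanamaker.mail.atl.earthlink.net (Earthlink Mail Service) with
        SMTP id 18ZTmn77U3Nl3oJ0
        for <kilpatms at mindspring.com>; Mon, 31 Mar 2003 02:05:35 -0500 (EST)
Received: from Zjqulo (c-24-98-68-66.atl.client2.attbi.com [24.98.68.66])
 by mtaout11.icomcast.net
 (iPlanet Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003))
 with SMTP id <0HCL00AKJQAD5J at mtaout11.icomcast.net> for
 kilpatms at mindspring.com; Mon, 31 Mar 2003 02:03:52 -0500 (EST)
From: rschult <rschult at LearnLink.Emory.Edu>

"""

# "from HELO (rdns [ip]) by server"; the rdns part is optional.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def received_hops(raw):
    """Return hops oldest-first; each relay prepends its own Received line."""
    values = message_from_string(raw).get_all("Received", [])
    hops = [HOP.search(" ".join(v.split())) for v in values]  # unfold lines
    return [m.groupdict() for m in reversed(hops) if m]

def domain(addr):
    """Domain part of an address written as user@host or 'user at host'."""
    m = re.search(r"(?:@|\sat\s)([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def summarize(raw):
    msg = message_from_string(raw)
    origin = received_hops(raw)[0]
    frm, env = domain(msg["From"]), domain(msg["Return-Path"])
    return {
        "origin_ip": origin["ip"],      # recorded by the receiving server
        "origin_rdns": origin["rdns"],  # reverse DNS as seen by that server
        "helo": origin["helo"],         # chosen by the client, not trustworthy
        "first_mta": origin["by"],
        "from_domain": frm,
        "return_path_domain": env,
        "from_matches_envelope": frm == env,
    }
```
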
