Re: Can anybody explain this Klez Variant?

[Dan Donkers <donks () kent net>]

On Thu, 6 Feb 2003, Drexcia ==== wrote:

> Hi Guys,
>
> A friend of mine received this message supposedly from me in his hotmail
> account. Names/Email addresses have been changed but you'll get the idea
>
> <snip>
>
> > From :    my_name <my_name () excite com au>
> To :      myfriend () hotmail com
> Subject : A good tool
>
> Date :    Mon, 6 Jan 2003 02:36:46 -0600
>
>    MIME-Version: 1.0
> Received: from out009.verizon.net ([206.46.170.131]) by

                                      ^^^^^^^^^^^^^^^
This ip address is where the virus came from. Hotmail has documented in
these headers who it received the message from. It resolves to address
spaced owned by someone in Woburg, MA. The next "Received:" header is
either a relay or forged.

More than likely, the sender has both of you in their address book, with
your address being the old one at excite. There are klez variants that
take addresses from the address book and use them for from/to addresses.

HTH,
Dan

> mc1-f5.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Mon, 6 Jan
> 2003 00:36:47 -0800
> Received: from Idxgvfqiv ([198.142.240.35]) by out009.verizon.net (InterMail
> vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP id
> <20030106083621.IPQL7162.out009.verizon.net@Idxgvfqiv> for
> <myfriend () hotmail com>; Mon, 6 Jan 2003 02:36:21 -0600


*********************************
* Registered Linux user: 244008 *       "Free speech is the right to yell
*                               *       'theater' in a crowded fire"
*   Powered by Slackware 8.0    *
*********************************