Now I'm getting viruses from "Wayne"...WTF?!
Somebody is not running their virus software! I got the following bogus email masquerading itself as Wayne. Y'all watch out . . .
Return-Path: <wayne@pelicanparts.com>
Received: from rly-ip01.mx.aol.com ([205.188.156.49]) by wanamaker.mail.atl.earthlink.net (Earthlink Mail Service) with ESMTP id 17IJ1K5gd3Nl3oJ0 for <dtwinters@mindspring.com>; Sat, 24 Aug 2002 18:05:04 -0400 (EDT)
Received: from logs-mtc-te.proxy.aol.com (logs-mtc-te.proxy.aol.com [64.12.103.135]) by rly-ip01.mx.aol.com (v83.35) with ESMTP id RELAYIN2-0824180412; Sat, 24 Aug 2002 18:04:12 -0400
Received: from Ozb (ACAB9B89.ipt.aol.com [172.171.155.137]) by logs-mtc-te.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7OM1lD102723 for <dtwinters@mindspring.com>; Sat, 24 Aug 2002 18:01:47 -0400 (EDT)
Date: Sat, 24 Aug 2002 18:01:47 -0400 (EDT)
Message-Id: <200208242201.g7OM1lD102723@logs-mtc-te.proxy.aol.com>
From: wayne <wayne@pelicanparts.com>
To: dtwinters@mindspring.com
Subject: Risk is 100% yours.
How do you put a scroll box in a post? That is so cool! Don't know what I'd do with it though.
Wayne's next book - 101 Ways to Kill Viruses
Thank gawd for McAfee...well worth the money spent! :) The bad krap comes calling, and my computer says: "I hear you knocking, but you KAN'T come in...." (apologies to Richard Penniman)...
Just about every one I've received was masquerading itself with Wayne's addresses. It's as if someone was trying hard to make Wayne look like the bad guy . . .
Anyone else?
"Spoofing" is the worm randomly selecting an address that it finds on an infected computer.
Yet I exclusively get this klez-crap, said to be coming from "Wayne" and only Wayne! Any ideas on what's going on?
Return-Path: <wayne@verizon.net>
Received: from out016.verizon.net ([206.46.170.92]) by sccrgwc04.attbi.com (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id <20021107165221.UYHI9342.sccrgwc04.attbi.com@out016.verizon.net> for <island911@. . .>
Received: from Fru ([204.201.135.175]) by out016.verizon.net (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP id <20021107165146.UEYO3088.out016.verizon.net@Fru> for <island911@. . .>; Thu, 7 Nov 2002 10:51:46 -0600
From: wayne <wayne@pelicanparts.com>
To: island911@. . .
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Vw621v94339cE8O5ZLy5P
Message-Id: <20021107165146.UEYO3088.out016.verizon.net@Fru>
Date: Thu, 7 Nov 2002 10:52:21 -0600
Well, clearly it's not from Pelican. The "from" computer is different in both cases. The first version of the virus is probably still using the same "Wayne" in it as it replicates, for now...
mmm, Klez, ain't it great... one more reason for the dean of the business school to get on the helpdesk's case... <sigh> You don't wanna know how many times I've had to explain that nasty little thing.
Thanks guys. I do keep the virus protection up-to-date.
What I'm curious about is why it's masquerading itself with only Wayne's addresses. "Spoofing" is the worm randomly selecting an address . . . this seems different. As I said in a post (in this thread) months ago, it's as if someone was trying hard to make Wayne look like the bad guy . . . I'm just trying to pin this thing down . . . hoping one of you internet-savvy guys can see what's going on here.
It is *so* easy to spoof email (I even teach my students how to do it), and until more robust systems are in place, and everyone uses them, there's no cure. M$ isn't making it any better. In the meantime, stop using windoze and 99% of your problems will go away.
If you look at the email ID you will see that the virus is from 2 different locations:
Message-Id: <200208242201.g7OM1lD102723@logs-mtc-te.proxy.aol.com> and Message-Id: <20021107165146.UEYO3088.out016.verizon.net@Fru>
I am not sure who Wayne is using as a provider, but I bet money it's not both. There are 2 computers infected with this virus, not just one. Just keep an eye out and don't open any attachments you are not expecting. Cars are not my strong point but IT is (that is the field I am in). Just a side note: I pick up my first Porsche Sat morning. Everything checked out great and I am SO excited!!! Grey
To me, a computer freak and majoring in computers here at college, it looks exactly like Klez. Someone from an AOHell account has the Klez virus, IP address 172.171.155.137 at Sat, 24 Aug 2002 18:01:47 -0400 (EDT).
Did you receive this email on the 24th? What you'd have to do is call AOHell with that information and ask them who was logged into that IP at that time, and they'd know which user. That user has the KLEZ virus. There's really not much you can do if AOL doesn't cooperate. Everyone on this board needs to update and run their virus software.
Ha - "AOL cooperating" . . . stop teasing me. ;)
It's funny though, how AOL has all types of filtering, and yet they seem to ignore viruses. What, are they about to acquire McAfee or Norton? Quote: "In the meantime, stop using windoze and 99% of your problems will go away." -Thom- Yeah, though every solution breeds new problems . . . hmmm . . . what would you suggest? I still can't get over the fact that these continue to spoof as Wayne & only Wayne . . . and always with "Return-Path: wayne@verizon.net" and "From: wayne wayne@pelicanparts.com".
It's not quite that simple. When the infected system opens a connection on port 25 on the mule system, it can call itself anything it wants to. The mule system is more than likely the infected system's ISP, but I don't see why it has to be, with so many open relays out there. Heck, it would be trivial for the virus writer to include a list of open relays, or include code to find open relays.
Here's a simplified example:
That is very correct, Thom. You must also be in IT or have worked with it on more than a regular-user level.
Most ISPs make it a mandate to use reverse lookup. That stops most forms of mail spamming. Large companies like the one I work for get fined or service dropped if they do not have their mail servers using reverse lookup. Grey (soon to be in my first 911!!)
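Grey's comparison of the two Message-Ids, the suggestion earlier in the thread to take the originating IP and timestamp to the ISP, and the point about reverse lookup all come down to reading the Received chain rather than the From: line. The script below is an added example, not code from anyone in the thread; it parses the two header blocks quoted above (re-wrapped one header per line, with the fields the thread elides left out) and reports where each message actually entered the mail system. The field names it returns (`origin_ip`, `helo_matches_rdns`, and so on) are this example's own choices.

```python
"""Added example (not from the thread): read a message's Received chain to find
the host that really injected it, instead of trusting the forged From: line.
The two header samples are the blocks quoted in the thread, re-wrapped one
header per line; fields the thread elides are simply left out."""
import email
import re
from typing import Dict, List, Optional

SAMPLE_AUG = """\
Return-Path: <wayne@pelicanparts.com>
Received: from rly-ip01.mx.aol.com ([205.188.156.49]) by wanamaker.mail.atl.earthlink.net (Earthlink Mail Service) with ESMTP id 17IJ1K5gd3Nl3oJ0 for <dtwinters@mindspring.com>; Sat, 24 Aug 2002 18:05:04 -0400 (EDT)
Received: from logs-mtc-te.proxy.aol.com (logs-mtc-te.proxy.aol.com [64.12.103.135]) by rly-ip01.mx.aol.com (v83.35) with ESMTP id RELAYIN2-0824180412; Sat, 24 Aug 2002 18:04:12 -0400
Received: from Ozb (ACAB9B89.ipt.aol.com [172.171.155.137]) by logs-mtc-te.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7OM1lD102723 for <dtwinters@mindspring.com>; Sat, 24 Aug 2002 18:01:47 -0400 (EDT)
Message-Id: <200208242201.g7OM1lD102723@logs-mtc-te.proxy.aol.com>
From: wayne <wayne@pelicanparts.com>
Subject: Risk is 100% yours.

"""

SAMPLE_NOV = """\
Return-Path: <wayne@verizon.net>
Received: from out016.verizon.net ([206.46.170.92]) by sccrgwc04.attbi.com (InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP id <20021107165221.UYHI9342.sccrgwc04.attbi.com@out016.verizon.net>
Received: from Fru ([204.201.135.175]) by out016.verizon.net (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP id <20021107165146.UEYO3088.out016.verizon.net@Fru>; Thu, 7 Nov 2002 10:51:46 -0600
From: wayne <wayne@pelicanparts.com>
Subject: Worm Klez.E immunity
Message-Id: <20021107165146.UEYO3088.out016.verizon.net@Fru>

"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"          # name the sender announced in HELO/EHLO
    r"(?:\s+\((?P<info>[^)]*)\))?"   # what the receiving MTA saw: rDNS and [ip]
    r"\s+by\s+(?P<by>\S+)",          # the MTA that wrote this Received line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Break one Received: header into helo, rdns, ip, by and timestamp."""
    flat = " ".join(value.split())
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    info = m.group("info") or ""
    ip = IP_RE.search(info)
    tokens = info.split()
    # The receiving MTA writes the reverse-DNS name before "[ip]"; an MTA that
    # did no reverse lookup (or got no answer) records only the bracketed IP.
    rdns = tokens[0] if tokens and not tokens[0].startswith("[") else None
    stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    return {"helo": m.group("helo"), "rdns": rdns,
            "ip": ip.group(1) if ip else None, "by": m.group("by"), "time": stamp}


def received_chain(raw: str) -> List[Dict[str, Optional[str]]]:
    """Received lines top to bottom, i.e. newest hop first."""
    msg = email.message_from_string(raw)
    parsed = (parse_received(v) for v in msg.get_all("Received", []))
    return [hop for hop in parsed if hop]


def domain_of(addr: Optional[str]) -> Optional[str]:
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1) if m else None


def assess(raw: str) -> Dict[str, object]:
    """Summarise where the message entered the mail system versus what it claims."""
    msg = email.message_from_string(raw)
    chain = received_chain(raw)
    # Headers are prepended at each hop, so the bottom-most Received line was
    # written by the first MTA that accepted the message: the real injection point.
    origin = chain[-1] if chain else {}
    rdns = origin.get("rdns")
    helo = origin.get("helo")
    from_dom = domain_of(msg.get("From"))
    return {
        "origin_ip": origin.get("ip"),
        "origin_time": origin.get("time"),
        "helo": helo,
        "rdns": rdns,
        "helo_matches_rdns": bool(helo and rdns and helo.lower() == rdns.lower()),
        "from_domain": from_dom,
        "return_path_domain": domain_of(msg.get("Return-Path")),
        "message_id_host": domain_of(msg.get("Message-Id")),
        # A From: domain that the injecting host's rDNS does not belong to is
        # the classic Klez tell: the address was picked from someone's address book.
        "origin_matches_from": bool(rdns and from_dom and
                                    rdns.lower().endswith("." + from_dom.lower())),
    }


def same_origin(raw_a: str, raw_b: str) -> bool:
    """Did two messages enter the mail system from the same host?"""
    a, b = assess(raw_a)["origin_ip"], assess(raw_b)["origin_ip"]
    return a is not None and a == b


if __name__ == "__main__":
    for name, raw in (("August", SAMPLE_AUG), ("November", SAMPLE_NOV)):
        print(name, assess(raw))
    print("same origin:", same_origin(SAMPLE_AUG, SAMPLE_NOV))
```

On the August message the first hop is a dial-up host announcing itself as "Ozb" while AOL's proxy recorded its reverse name as ACAB9B89.ipt.aol.com, so the HELO and rDNS disagree and neither has anything to do with pelicanparts.com; on the November message the Verizon relay recorded no reverse name at all for "Fru". The two originating IPs differ, which is Grey's two-infected-machines conclusion read straight from the headers. One caveat: only the Received lines added by relays you trust are reliable, since a sender can prepend fabricated ones, so read the chain from your own mail server downward and stop at the first hop you cannot vouch for.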
Don't be sold on the fact that if you have anti-virus protection you cannot get viruses. The nasty ones find a way past the 'over the counter' protection.
unless you run linux :D .. wait.. crammit, there's even a couple nasty ones for linux too.
Klez is a particularly nasty virus in terms of spreading. Widebody, you're entirely right, it's WAYYY too easy to send an email with someone else's name, and there are WAYY too many script kiddies out there with their own email servers that can't set them up (heck, I run one just for the fun of it). I didn't realize that reverse lookup was required by a lot of companies. I thought it was just a good option to have it on. <shrug> You learn something every day.
Not only that, but the newer generations know how to disable/uninstall AV and firewall S/W.
Personally, I suspect collusion between the virus writers and anti-virus companies. If you think about it, they created a multi-billion dollar industry literally out of thin air. Ever notice how quickly the antidotes are available for new viruses? Supposedly the script-kiddies give pre-release copies to Norton/McAfee et al. Hmmm. Just like the villain always explains to 007, in excruciating detail, exactly how he's going to kill him in some elaborate fashion, when a quick bullet to the head would be much more effective (yet deprive us of 25 years' worth of sequels). If I were to write my own virus I sure as hell wouldn't make it any easier for them to take down. And with over a decade of SWE experience on a number of platforms, I bet I could come up with some pretty cool stuff.
Copyright 2025 Pelican Parts, LLC - Posts may be archived for display on the Pelican Parts Website