Now I'm getting viruses from "Wayne"...WTF?!

[dtw]

Somebody is not running their virus software! I got the following bogus email masquerading itself as Wayne. Y'all watch out . . .


Return-Path: -wayne@pelicanparts.com>
Received: from rly-ip01.mx.aol.com ([205.188.156.49])
by wanamaker.mail.atl.earthlink.net (Earthlink Mail Service) with ESMTP id 17IJ1K5gd3Nl3oJ0
for -dtwinters@mindspring.com-; Sat, 24 Aug 2002 18:05:04 -0400 (EDT)
Received: from logs-mtc-te.proxy.aol.com (logs-mtc-te.proxy.aol.com [64.12.103.135]) by rly-ip01.mx.aol.com (v83.35) with ESMTP id RELAYIN2-0824180412; Sat, 24 Aug 2002 18:04:12 -0400
Received: from Ozb (ACAB9B89.ipt.aol.com [172.171.155.137])
by logs-mtc-te.proxy.aol.com (8.10.0/8.10.0) with SMTP id g7OM1lD102723
for ; Sat, 24 Aug 2002 18:01:47 -0400 (EDT)
Date: Sat, 24 Aug 2002 18:01:47 -0400 (EDT)
Message-Id: <200208242201.g7OM1lD102723@logs-mtc-te.proxy.aol.com>
From: wayne -wayne@pelicanparts.com-
To: dtwinters@mindspring.com
Subject: Risk is 100% yours.

[billwagnon]

How do you put a scroll box in a post? That is so cool! Don't know what I'd do with it though.

Wayne's next book - 101 Ways to Kill Viruses

[pwd72s]

Thank gawd for Mcafee...well worth the money spent! The bad krap comes calling, and my computer says: "I hear you knocking, but you KAN"T come in...." (apologies to Richard Penniman)...

[dtw]

Quote:

Originally posted by Wayne at Pelican Parts
Please, you're not getting any viruses from me. Educate yourself and read the following before jumping to conclusions:

-Wayne

I know Wayne- that's why I put your name in quotes in the subject and said the email is masquerading itself with your name- because it is obviously not from you. But there is a bug going around with lots of Pelican members- I was just performing a community service announcement. No conclusions jumped!

Cheers,

[bell]

Quote:

Originally posted by dtw


But there is a bug going around with lots of Pelican members
Cheers,

we're not going to have to get shots are we?

[dtw]

Quote:

Originally posted by bell


we're not going to have to get shots are we?

Finally, some ammo for my girlfriend's argument that I spend too much time on this site

[island911]

Just about everyone I've rcvd was masquerading itself with Waynes addresses. It's as if someone was trying hard to make Wayne look like the bad-guy .. .

[island911]

"spoofing." is the worm randomly selecting an address that it finds on an infected computer.

Yet I exclusively get this klez-crap, said to be coming from "Wayne" and only Wayne!

Any ideas on what's going on?

Return-Path: wayne@verizon.net>
Received: from out016.verizon.net ([206.46.170.92]) by sccrgwc04.attbi.com
(InterMail vM.4.01.03.37 201-229-121-137-20020806) with ESMTP
id <20021107165221.UYHI9342.sccrgwc04.attbi.com@out016 .verizon.net>
for Received: from Fru ([204.201.135.175]) by out016.verizon.net
(InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with SMTP
id <20021107165146.UEYO3088.out016.verizon.net@Fru>
for ; Thu, 7 Nov 2002 10:51:46 -0600
From: wayne -wayne@pelicanparts.com>
To: island911@. . ..
Subject: Worm Klez.E immunity
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Vw621v94339cE8O5ZLy5P
Message-Id: <20021107165146.UEYO3088.out016.verizon.net@Fru>
Date: Thu, 7 Nov 2002 10:52:21 –0600

[cstreit]

Well clearly it's not from Pelican. The "from" computer is different in both cases. The first version of the virus is probably still using the same "Wayne" in it, as is replicates for now...

[Tim Walsh]

mmm klez ain't it great..one more reason for the dean of the business school get on the helpdesk's case... you don't wanna know how many times I"ve had to explain that nasty little thing

[island911]

Thanks guys . I do keep the virus protection is up-to-date.

What I'm curious about is why it's masquerading itself with only Waynes addresses.

"spoofing." is the worm randomly selecting an address . . .this seems different.

As I said in a post (in this thread) months ago, It's as if someone was trying hard to make Wayne look like the bad-guy .. .

I'm just trying to pin this thing down . . .hoping one of you internet savvy guys can see what's going on here.

[widebody911]

It is *so* easy to spoof email (I even teach my students how to do it), and until more robust systems are in place, and everyone uses them, there's no cure. M$ isn't making it any better. In the mean time, stop using windoze and 99% of your problems will go away.

[grey71]

If you look at the email ID you will see that the virus is from 2 different locs.

Message-Id: <200208242201.g7OM1lD102723@logs-mtc-te.proxy.aol.com>

and

Message-Id: <20021107165146.UEYO3088.out016.verizon.net@Fru>

I am not sure who Wayne is useing as a provider but I bet money its not both. There are 2 computer infected with this virus not just one. Just keep a eye out and dont open any attachments you are not expecting.

Cars are not my strong point but IT is (that is the feild I am in).

Just a side note I pickup my first Porsche Sat morning. Everything checked out great and I am SO excited!!!


Grey

[Tim Walsh]

to me, a computer freak and majoring in computers here at college, it looks exactly like klez, someone from an AOHell account has the klez virus, IP address 172.171.155.137 at Sat, 24 Aug 2002 18:01:47 -0400 (EDT)

did you recieve this email on the 24th?
what you'd have to do is call AOhell with that information and ask them who was logged into that IP at that time and they'd know which user. That user has the KLEZ virus.

There's really not much you can do if AOL doens't cooperate. Everyone on this board needs to update and run they're virus software

[island911]

Ha -"AOL cooperating". . .stop teasing me.
It's funny though, how AOL has all types of filtering, and yet they seem to ignore viruses. What; are they about to aquire McAffee or Norton?

quote "In the mean time, stop using windoze and 99% of your problems will go away."-Thom-
Yeah, though every soution breeds new problems . .. .hmmm . ..what would you suggest?

I still can't get over the fact that these continue to spoof as wayne & only wayne.
. .. and always with "Return path wayne@verizon.net" and "From: wayne wayne@pelicanparts.com"

[widebody911]

It's not quite that simple. When the infected system opens a connection on port 25 on the mule system, it can call itself anything it wants to. The mule system is more than likely the infected system's ISP, but I don't see why it has to be, with so many open relays out there. Heck, it would be trivial for the virus writer to include a list of open relays, or include code to find open relays.

Here's a simplified example:

Quote:

telnet mx.calweb.com 25
Trying 209.210.251.13...
Connected to mx.calweb.com.
Escape character is '^]'.
220 mx.calweb.com ESMTP Postfix
helo wayne.com
250 mx.calweb.com
mail from: wayne@pelicanparts.com
250 Ok
rcpt to: luser@aol.com
250 Ok
data
354 End data with .
Subject: Yo mamma
Yo momma so fat it took me 20 minutes to d/l her pic off the 'net
.
250 Ok: queued as D58E11EE339
quit
221 Bye
Connection closed by foreign host.

That's it. Any maroon can figure out the MX records, and awayyyy we go. The most that most email server implentations will do is reverse lookup the from domain, and (hopefully!) verify that that domain is in the list of domains they relay mail for. Other than that, it's open season.

Quote:

Originally posted by l33t9eek
to me, a computer freak and majoring in computers here at college, it looks exactly like klez, someone from an AOHell account has the klez virus, IP address 172.171.155.137 at Sat, 24 Aug 2002 18:01:47 -0400 (EDT)

did you recieve this email on the 24th?
what you'd have to do is call AOhell with that information and ask them who was logged into that IP at that time and they'd know which user. That user has the KLEZ virus.

There's really not much you can do if AOL doens't cooperate. Everyone on this board needs to update and run they're virus software

[grey71]

That is very correct Thom. You must also be in IT or have work with it on more then a regular user level.

Most ISP's make it a mandate to use reverse lookup. That stops most forms of mail spamming. Large companys like the one I work for get fined or service dropped if they do not have their mail servers using reverse lookup.

Grey

(soon to be in my first 911!!)

[gr8fl4porsche]

Don't be sold on the fact that if you have anti-virus protection you cannot get viruses. The nasty ones find a way past the 'over the counter' protection.

[Tim Walsh]

unless you run linux .. wait.. crammit there's even a couple nasty one's for linux too.
Klez is a particularly nasty virus in terms of spreading.

Widebody you're entirely right, it's WAYYY too easy to send an email with someone else's name. and there are WAYY too many script kiddies out there with they're own email servers that can't set them up (heck I run one just for the fun of it)

I didn't realize that reverse lookup was required by alot of companies. I thought it was just a good option to have it on. you learn something everyday

[widebody911]

Not only that, but the newer generations know how to disable/unistall AV and firewall S/W.

Personally, I suspect collusion between the virus writers and anti-virus companies. If you think about it, they created a multi-billion dollar industry literally out of thin air. Ever notice how quickly the antidotes are available for new viruses? Supposedly the script-kiddies give pre-release copies to Norton/Macafee et al. Hmmm. Just like the villian always explains to 007, in excruciating detail, exactly how he's going to kill him in some elaborate fashion, when a quick bullet to the head would be much more effective (yet deprive us of 25 years worth of sequels). If I were to write my own virus I sure as hell wouldn't make it any easier for them to take down. And with over a decade of swe experience on a number of platforms, I bet I could come up with some pretty cool stuff.

Quote:

Originally posted by gr8fl4porsche
Don't be sold on the fact that if you have anti-virus protection you cannot get viruses. The nasty ones find a way past the 'over the counter' protection.