[Dshield] "Re: Contents of Dshield digest ----Klez anyone

Jill Cote jcote at thewaygroup.com
Mon Aug 26 15:47:23 GMT 2002


Response to:

Can the Klez virus forge the IP in this line:
Received: from Pgcdjo ([205.152.62.117]) by out003.verizon.net
The name is obviously bogus, but if that IP is logged by the Verizon SMTP 
server, then we have the IP of the infected machine.  It sounds too good to
be true.

Variants .A, .C, and .D use the following SMTP server to send emails: 
smtp.yahoo.com
smtp.hotmail.com
smtp.sina.com

Variants .E and .F obtain an SMTP server using the domain name of the email
address used in the From: field of the email it sends. For example, if the
From: field of the email is any_user@somewhere.com, then it uses
smtp.somewhere.com to send its spoofed email.

Variants .G, .H, and .I obtain an SMTP server from the registry as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\,
SMTP Server

But to understand the capabilities of this one, read Trend Micro's "tech
details"; it has all the information.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H&VSect=T

-Jill
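The Received: line in the quoted question can be checked mechanically. What follows is an added example, not code from Jill's post or from the list, in Python: it separates the client-supplied HELO name (Klez picks a random string such as "Pgcdjo") from the bracketed peer address that the receiving server itself records, and walks a header chain down to the relay the analyst trusts. The second sample line, the mail.example.org hostname and the 192.0.2.10 address are constructed.

```python
import re

# Shape of the header quoted in the question:
#   Received: from <HELO name> ([<ip>]) by <receiving host> ...
# The HELO name is whatever the connecting client claimed; the bracketed
# address is what the receiving server saw on the TCP connection, so it is
# the only part of the line that the client could not simply type in.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample chain (top line = hop closest to the recipient).
# The second line is the one quoted on the list; the first is made up.
SAMPLE_HEADERS = [
    "Received: from out003.verizon.net ([192.0.2.10]) by mail.example.org "
    "with ESMTP; Mon, 26 Aug 2002 10:12:01 -0400",
    "Received: from Pgcdjo ([205.152.62.117]) by out003.verizon.net",
]


def parse_received(line):
    """Return (helo, ip, by) from one Received: header, or None if it
    does not follow the 'from X ([ip]) by Y' form."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    return m.group("helo"), m.group("ip"), m.group("by")


def connecting_ip(headers, trusted_relays):
    """Walk the chain top-down and return the peer address logged by the
    first hop whose 'by' host is one we trust. Lines below that hop were
    written by hosts we do not control and may be fabricated, so they are
    not consulted. Hostnames are compared case-insensitively."""
    trusted = {h.lower() for h in trusted_relays}
    for line in headers:
        parsed = parse_received(line)
        if parsed is None:
            continue
        helo, ip, by = parsed
        if by.lower() in trusted:
            return ip
    return None


if __name__ == "__main__":
    print(parse_received(SAMPLE_HEADERS[1]))
    print(connecting_ip(SAMPLE_HEADERS, {"out003.verizon.net"}))
```

The HELO value is kept in the parse result only so it can be reported alongside the address; it should never be used as the sender's identity.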