[Dshield] "Re: Contents of Dshield digest ----Klez anyone

Jill Cote jcote at thewaygroup.com
Mon Aug 26 15:47:23 GMT 2002

Response to:

Can the Klez virus forge the IP in this line:
Received: from Pgcdjo ([]) by out003.verizon.net
The name is obviously bogus, but if that IP is logged by the Verizon SMTP 
server, then we have the IP of the infected machine.  It sounds too good to
be true.

Variants .A, .C, and .D use the following SMTP server to send emails: 

Variants .E and .F obtain an SMTP server using the domain name of the email
address used in the From: field of the email it sends. For example, if the
From: field of the email is any_user at somewhere.com, then it uses
smtp.somewhere.com to send its spoofed email.

Variants .G, .H, and .I obtain an SMTP server from the registry as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\,
SMTP Server

But to understand the capabilities of this one, read Trend Micro's "tech
details"; it has all the information.
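The question above hinges on which part of a Received: line the sending host controls. The HELO name after "from" is whatever the client announced (Klez announces a random string such as the "Pgcdjo" in the quoted line), but the bracketed IP is recorded by the receiving MTA from the TCP connection, so the IP in the line written by the ISP's own relay is the one worth logging. The script below is an added example, not part of the original post or of any Klez analysis: it parses Received: headers, walks the chain from the newest hop downward while each hop was written by a relay the reader trusts, and returns the client IP and HELO name recorded by the last trusted relay. Hops below that point could have been inserted by the sender and are ignored. The sample message, host names and IPs (192.0.2.0/24 documentation range) are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample message (not from the original post). The top two hops
# are written by relays we trust (our MX and the ISP); the third is a forged
# hop the sender inserted, which the walk must not believe.
SAMPLE_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.25])
    by mail.example.org with ESMTP id ABC123
    for <victim@example.org>; Mon, 26 Aug 2002 11:40:00 -0400
Received: from Pgcdjo ([192.0.2.77]) by out003.isp.example
    with ESMTP id XYZ789; Mon, 26 Aug 2002 11:39:55 -0400
Received: from forged-host ([192.0.2.1]) by relay.bogus.invalid
    with SMTP; Mon, 26 Aug 2002 11:39:50 -0400
From: any_user@somewhere.example
To: victim@example.org
Subject: constructed sample

body
"""

# "from <helo> (<comment>) by <relay>"; the comment usually carries the
# connecting IP in square brackets and, if reverse DNS succeeded, the PTR name.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def parse_received(value):
    """Split one Received: header into helo, recorded client IP and relay."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.match(value)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip_match = IPV4_RE.search(paren)
    return {
        "helo": m.group("helo"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": m.group("by").lower(),
    }


def received_hops(raw_message):
    """All parseable Received: hops, newest (topmost) first."""
    msg = message_from_string(raw_message)
    hops = (parse_received(v) for v in msg.get_all("Received", []))
    return [h for h in hops if h]


def _is_trusted(relay, trusted_suffixes):
    return any(relay == s or relay.endswith("." + s) for s in trusted_suffixes)


def originating_hop(raw_message, trusted_suffixes):
    """Return the last hop written by a trusted relay, walking from the top.

    Its 'ip' is the address that relay saw connect to it: for a Klez message
    handed to the ISP's outbound server, that is the infected machine. The
    walk stops at the first hop not written by a trusted relay, because
    everything below it may have been forged by the sender.
    """
    last_trusted = None
    for hop in received_hops(raw_message):
        if not _is_trusted(hop["by"], trusted_suffixes):
            break
        last_trusted = hop
    return last_trusted


if __name__ == "__main__":
    hop = originating_hop(SAMPLE_MESSAGE, ("example.org", "isp.example"))
    print("HELO name (sender-controlled):", hop["helo"])
    print("Client IP recorded by", hop["by"] + ":", hop["ip"])
```

The trusted-suffix list has to be the reader's own: in the situation in the post it would name the recipient's MX and the Verizon outbound relays. If the sender's own mail server is the first untrusted hop, the IP returned is that server's, not the infected workstation behind it.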
