[Dshield] Klez

Paul Marsh pmarsh at nmefdn.org
Thu Jun 27 14:52:56 GMT 2002


Thank you all very much for your input.  I just wanted to make sure I was
not the only one still getting this annoying thing.  I've been reading
through the reply-posts to my question and have come to the conclusion that
I need to educate myself more on reading headers; does anyone know where I
can find some quick and dirty info on headers?  I stripped the headers off
of a few that came through yesterday and found they were all from the same
place minus the BS virus-inserted stuff.  I've posted it here so I can get
some feedback on what it really says.  The way I interpret it is that it's
from an AOL netblock/modem pool 172.167.179.170. I also noticed the
following "X-Apparently-From: RealtyVis2 at aol.com", so would that mean this is
the infected system/user?

Thanx, Paul

Received: from rly-ip02.mx.aol.com ([152.163.225.160]) by
exchange.nmfdn.org with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2653.13)
	id N4K44L1D; Wed, 26 Jun 2002 19:10:06 -0400
Received: from  logs-mtc-ta.proxy.aol.com (logs-mtc-ta.proxy.aol.com
[64.12.105.5]) by rly-ip02.mx.aol.com (v83.35) with ESMTP id
RELAYIN2-0626190953; Wed, 26 Jun 2002 19:09:53 -0400
Received: from Pltqfsb (ACA7B3AA.ipt.aol.com [172.167.179.170])
	by logs-mtc-ta.proxy.aol.com (8.10.0/8.10.0) with SMTP id
g5QMpCq501899
	for <user at nmefdn.org>; Wed, 26 Jun 2002 18:51:12 -0400 (EDT)
Date: Wed, 26 Jun 2002 18:51:12 -0400 (EDT)
Message-Id: <200206262251.g5QMpCq501899 at logs-mtc-ta.proxy.aol.com>
From: <user at nmefdn.org>
To: user at nmefdn.org
Subject: Returned mail--"(InString2.toLowerCase().substring(0,4) "
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary=SA4vV0tB0836aCI01446DF39R6
X-Apparently-From: RealtyVis2 at aol.com

--SA4vV0tB0836aCI01446DF39R6
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY>

<FONT>The following mail can't be sent to infolex at otenet.gr:<br>
<br>
From: user at nmefdn.org<br>
To: infolex at otenet.gr<br>
Subject: (InString2.toLowerCase().substring(0,4) <br>
The attachment is the original mail</FONT></BODY></HTML>

--SA4vV0tB0836aCI01446DF39R6
Content-Type: application/octet-stream;
	name=2.00.exe
Content-Transfer-Encoding: base64
Content-ID: <QX85o1h7T9>
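The header walk the post is asking about, as an added example (not code from the post or the list): it parses the three Received lines quoted above, checks that each relay's "by" host is the "from" host of the hop logged above it, reports the first-hop HELO name, rDNS and IP, and decodes the hex prefix of the AOL dial-up hostname (ACA7B3AA.ipt.aol.com) to confirm it matches the bracketed address. The sample headers are re-typed from the post with "@" restored, and the hex-hostname convention is an assumption drawn from that hostname/IP pair.

```python
import re
from email import message_from_string

# Constructed sample, re-typed from the Received chain quoted in the post above
# (latest hop first, as delivered).
SAMPLE = """Received: from rly-ip02.mx.aol.com ([152.163.225.160]) by
\texchange.nmfdn.org with SMTP (Microsoft Exchange Internet Mail Service
\tVersion 5.5.2653.13) id N4K44L1D; Wed, 26 Jun 2002 19:10:06 -0400
Received: from logs-mtc-ta.proxy.aol.com (logs-mtc-ta.proxy.aol.com
\t[64.12.105.5]) by rly-ip02.mx.aol.com (v83.35) with ESMTP id
\tRELAYIN2-0626190953; Wed, 26 Jun 2002 19:09:53 -0400
Received: from Pltqfsb (ACA7B3AA.ipt.aol.com [172.167.179.170])
\tby logs-mtc-ta.proxy.aol.com (8.10.0/8.10.0) with SMTP id g5QMpCq501899
\tfor <user@nmefdn.org>; Wed, 26 Jun 2002 18:51:12 -0400 (EDT)
From: <user@nmefdn.org>
X-Apparently-From: RealtyVis2@aol.com

"""
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.I)

def parse_received(value):
    """Unfold one Received header; return HELO name, rDNS, IP literal and relay."""
    m = HOP_RE.search(re.sub(r"\s+", " ", value))
    if not m:
        return None
    helo, comment, relay = m.group(1), m.group(2) or "", m.group(3)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", comment)
    rdns = comment.split()[0] if comment and not comment.startswith("[") else ""
    return {"helo": helo, "rdns": rdns, "ip": ip.group(1) if ip else "", "by": relay}

def decode_hex_host(rdns):
    """Assumed AOL convention: dial-up rDNS starts with the IP in hex, ACA7B3AA -> 172.167.179.170."""
    m = re.match(r"^([0-9A-Fa-f]{8})\.", rdns)
    if not m:
        return ""
    return ".".join(str(int(m.group(1)[i:i + 2], 16)) for i in range(0, 8, 2))

def trace_origin(raw):
    """Walk the Received chain from the recipient's server back to the first hop."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    # Each hop's 'by' host must be the 'from' host of the hop logged just above it;
    # a break in that chain is the usual sign of a Received line forged by the sender.
    consistent = all(hops[i + 1]["by"].lower() == hops[i]["helo"].lower()
                     for i in range(len(hops) - 1))
    origin = hops[-1]
    return {"hops": hops, "chain_consistent": consistent, "origin": origin,
            "rdns_matches_ip": decode_hex_host(origin["rdns"]) == origin["ip"],
            "claimed_from": msg["From"], "apparently_from": msg["X-Apparently-From"]}
```

The "origin" entry is the host that actually handed the message to AOL's proxy, which is what to compare against the forged From line; the HELO name (Pltqfsb) is whatever the sending machine announced and need not resolve.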

