[Dshield] Suejdz & Kleze anyone
KeithTarrant at spamcop.net
Tue Oct 22 00:21:23 GMT 2002
What makes you think the sending email address is genuine?
Most varieties of Klez, which is the most widespread email virus right now, randomly pick a sending email address from the email addresses found on the newly infected system. And even looking at the email headers doesn't help. Most varieties of Klez insert fake headers and bounce the email off an open email relay (so the email is untraceable).
By the way, AOL and regular Hotmail accounts can't send Klez. Klez comes with its own software for sending email and contacts regular email servers to do this. So any Klez email from AOL or Hotmail accounts is just a result of the fake randomly chosen sending address.
So the recommendation is not to bother contacting the alleged sender of the email.
Sometimes the real infected computer can be inferred after you receive a few of these emails, because usually different source addresses are chosen each time. I got a Klez email allegedly from my sister-in-law. I got a Klez email allegedly from my sister's best friend. Sure enough, my sister's computer was infected. But how many people have Suejdz at ntlworld.com in their read and deleted email, or in their web cache?
If you are interested you can find discussions on this in www.spamcop.net. They specialize in tracing the origins of spam. Unfortunately the discussions go nowhere on Klez email (at least they were going nowhere back when I got bored with them). The step required is closing open email relays, and that is a constant battle. (They are usually open due to a configuration error or misunderstanding of the consequences of leaving them open.)
The standard advice is don't download any unexpected executable files, unless you don't mind doing a clean re-install on your system and re-creating all of your documents and emails (because it might be worse than Klez; you don't know until it does its thing).
Even if the sender is your brother, confirm with him that he intended to send you a file before downloading anything other than a photo.
And just because you open an executable and it does what it said it would, say showing a slide show, doesn't mean you didn't install a trojan or virus. Many trojans can be bound to other executables and will install simultaneously while the other executable runs.
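The point above about forged headers and open relays is the one a practitioner usually wants to turn into a procedure: the only Received: lines you can believe are the ones written by servers you control, the one line written by the host your server verifiably received from is merely "reported", and everything beneath that may have been typed in by the worm. The following script is an added example, not code from this thread or from SpamCop; the headers it parses are constructed (documentation IP ranges, made-up host names), and the trusted host `mx.example.net` is an assumption standing in for your own MX.

```python
import re
from email import message_from_string

# Constructed sample, not a real capture: a Klez-style message whose worm
# engine injected a fake bottom "Received" line (claiming an ntlworld
# server) and pushed the mail through an open relay before it reached our
# MX. All addresses are documentation ranges (RFC 5737).
SAMPLE = (
    "Received: from relay.example.org (relay.example.org [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP id abc123; Mon, 21 Oct 2002 10:00:00 +0000\n"
    "Received: from unknown (HELO smtp.ntlworld.com) (198.51.100.7)\n"
    "\tby relay.example.org with SMTP; Mon, 21 Oct 2002 09:59:40 +0000\n"
    "Received: from smtp.ntlworld.com (smtp.ntlworld.com [203.0.113.5])\n"
    "\tby mail.ntlworld.com with ESMTP; Mon, 21 Oct 2002 09:58:00 +0000\n"
    "From: Suejdz@ntlworld.com\n"
    "To: victim@example.net\n"
    "Subject: A funny website\n"
    "\n"
    "body\n"
)

# "from <peer ...> by <host>" is the only structure RFC 2821 makes mandatory,
# so parse just that and pull the first IPv4 literal out of the peer part.
HOP_RE = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>[^\s;]+)", re.I | re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(raw):
    """Return the Received hops in header order (newest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue  # malformed line: no "from ... by ..." structure
        frm = m.group("frm")
        ip = IP_RE.search(frm)
        hops.append({
            "from_host": frm.split()[0].lower(),
            "from_ip": ip.group(1) if ip else None,
            "by_host": m.group("by").lower(),
        })
    return hops


def classify_hops(hops, trusted_hosts):
    """Walk top-down. A hop is 'verified' only while the chain of trust is
    unbroken and our own server wrote it; the single hop written by the peer
    we verifiably received from is 'relay-reported'; everything after that,
    or any hop whose 'by' host does not match the previous peer, is
    'untrusted' (the worm can write whatever it likes there)."""
    trusted = {h.lower() for h in trusted_hosts}
    state, prev_from = "verified", None
    for hop in hops:
        if state == "verified" and hop["by_host"] in trusted:
            hop["status"] = "verified"
        elif state == "verified" and hop["by_host"] == prev_from:
            state = hop["status"] = "relay-reported"
        else:
            state = hop["status"] = "untrusted"
        prev_from = hop["from_host"]
    return hops


def report_targets(raw, trusted_hosts):
    """Who to complain to: the last verified peer (the open relay, which its
    own ISP can fix) and, with less confidence, the source the relay says it
    accepted the mail from (the probable infected machine)."""
    hops = classify_hops(parse_hops(raw), trusted_hosts)
    verified = [h for h in hops if h["status"] == "verified"]
    reported = [h for h in hops if h["status"] == "relay-reported"]
    return {
        "relay_ip": verified[-1]["from_ip"] if verified else None,
        "probable_source_ip": reported[0]["from_ip"] if reported else None,
        "forged_hops": sum(h["status"] == "untrusted" for h in hops),
    }


if __name__ == "__main__":
    # trusted host is an assumption standing in for your own MX
    for hop in classify_hops(parse_hops(SAMPLE), ["mx.example.net"]):
        print(f"{hop['status']:15} from {hop['from_host']} "
              f"[{hop['from_ip']}] by {hop['by_host']}")
    print(report_targets(SAMPLE, ["mx.example.net"]))
```

On the constructed sample the bottom line claiming `mail.ntlworld.com` is flagged as untrusted because the relay above it says it talked to `unknown (198.51.100.7)`, not to any ntlworld server; that mismatch is the tell. The actionable addresses are the relay (`192.0.2.10`) and, with the caveat that an open relay can be lied to as well, the IP the relay logged (`198.51.100.7`). The From: header and anything beneath the first untrusted hop are not evidence of anything, which is exactly why contacting the alleged sender is a waste of time.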
----- Original Message -----
From: Daniels566 at cs.com
To: list at dshield.org
Cc: Daniels566 at cs.com
Sent: Sunday, October 20, 2002 11:29 PM
Subject: [Dshield] Suejdz
Here it is two hundred messages down the line I haven't gotten to yet.
I have a unique situation going on. My wife has an MSN Hotmail account associated with an MSN web site she has. She's gotten three emails from Suejdz at ntlworld.com with attachments. They look suspicious, and Hotmail provides a warning that they're in frames and gives you the option to open them. This is where the fun begins, because it is a smart package. I won't download it because it will auto-open the exe. So I can't get to it to examine it. I can't get to the headers because they're blocked. When I attempted to forward it out of Hotmail to another account where I might get to it, the darn thing messes with the URL in MSN and I get a "can't find page". So it won't forward.
So I copy the email and paste it, and lo and behold it is returned with "the account is overloaded". Next I go to ntlworld.com and email their abuse dept. You all know what that means (machine talky talk). Well, I get an autoresponder message back with a lot of blah blah, with real tears I tell you. Anyway, I try to forward this legit mail and off it goes. Again I try with Suejdz and no go??? This thing is really weird. So why am I telling you this? Well, it's bugging me for one, and maybe it could interest someone on this list. I can't find a way to notify MSN without talking to a machine, and they charge you by the minute to talk on the phone. Not that they really care a lot. But I want to send this email over to ntlworld.com and I can't. It's MSN's server and there's nothing I can do about it. So I figure one of you out there might know a shortcut to get MSN's attention and pass it on to me. If it's a secret I promise not to tell anyone. Anyway, I'll quit now; below is a copy of the autoresponder message I received.
John Daniels
Alone in a raft with water all around with nothing to worry about but a sinking feeling.
Subj: Fw: Your report to the ntl Abuse Team
Date: 10/20/02 10:55:08 PM Eastern Daylight Time
From: sunflowerenvy at msn.com
To: daniels566 at cs.com
----- Original Message -----
From: ntl Abuse Team
Sent: Sunday, October 20, 2002 5:58 PM
To: Lee Letterset
Subject: Your report to the ntl Abuse Team
Case Number: 1897061
PLEASE NOTE THAT THIS IS AN AUTORESPONDER
Full Information on how to submit abuse reports may be found at
03 Oct 2002
If you are receiving large amounts of pornographic email please send an
email to aup.advice01 at ntlworld.com
07 Oct 2002
Port 137 connections:
We are seeing an increased number of connection attempts on Port 137.
This may be due to the remote PC being infected with the Opaserv Worm or
Bugbear. Please note that the vast majority of these connection attempts
are originating from outside the ntl network. When submitting your
report please ensure that only ntl IPs are reported. Sites such as
www.geektools.com can help assist in identifying the correct ISP to
submit reports to.
This email has automatically been sent to you in response to a report
that we have received that included your email address as a contact.
The content of this auto-responder is important - please read fully.
This will be the only response sent to you regarding your report unless
we require further information. If you wish to send additional
information regarding your original report please ensure you
include the reference number above in the subject of a new email.
Please note if you have sent an email that is not related to an abuse
issue then your email will NOT be dealt with. For technical support and
customer support, as well as general enquiries about ntl, please view
the contact information at
If you have received this auto-responder without having sent an email to
abuse at ntlworld.com then it is a possibility that your PC is infected
with a virus although we are aware that many of the newer viruses/worms
use random e-mail addresses when attempting to spread themselves.
We would strongly advise that you check your PC using anti-virus
software from one of the many reputable companies that produce them.
Please be aware that we cannot release details of our past or ongoing
investigations. In addition we will not release any details concerning
If unauthorised access, theft of data or malicious damage has taken
place we advise you to contact your local Police department. We will
fully co-operate with any Police investigation to ensure that a
satisfactory outcome is reached.
Please be aware that we can only deal with complaints that have
originated from our network - we are not able to handle complaints from
other ISPs. If you are unsure how to identify where an email has
originated from please visit sites such as http://www.samspade.org &
http://www.spamcop.net. Any complaints sent to us concerning other ISPs
will not be dealt with or forwarded.
ntl do not currently filter customers' e-mail, please consult the
documentation/help files for your e-mail client in
order to use its filtering capabilities. Parents especially may wish to
read the information at