[Dshield] Suejdz & Kleze anyone

KeithTarrant@spamcop.net KeithTarrant at spamcop.net
Tue Oct 22 00:21:23 GMT 2002


What makes you think the sending email address is genuine?  

Most varieties of Klez, which is the most widespread email virus right now, randomly pick a sending email address from the email addresses found on the newly infected system.  And even looking at the email headers doesn't help.  Most varieties of Klez insert fake headers and bounce the email off an open email relay (so the email is untraceable).  

By the way, AOL and regular Hotmail accounts can't send Klez.  Klez comes with its own software for sending email and contacts regular email servers to do this.  So any Klez email from AOL or Hotmail accounts is just a result of the fake randomly chosen sending address.

So the recommendation is not to bother contacting the alleged sender of the email.  

Sometimes the real infected computer can be inferred after you receive a few of these emails, because usually different source addresses are chosen each time.  I got a Klez email allegedly from my sister-in-law.  I got a Klez email allegedly from my sister's best friend.  Sure enough, my sister's computer was infected.  But how many people have Suejdz at ntlworld.com in their read and deleted email, or in their web cache?

If you are interested you can find discussions on this in www.spamcop.net.  They specialize in tracing the origins of spam.  Unfortunately the discussions go nowhere on Klez email (at least they were going nowhere back when I got bored with them).  The step required is closing open email relays, and that is a constant battle.  (They are usually open due to a configuration error or misunderstanding of the consequences of leaving them open.)

The standard advice is don't download any unexpected executable files, unless you don't mind doing a clean re-install on your system and re-creating all of your documents and emails (because it might be worse than Klez, you don't know until it does its thing).  

Even if the sender is your brother, confirm with him that he intended to send you a file before downloading anything other than a photo.  

And just because you open an executable and it does what it said it would, say showing a slide show, doesn't mean you didn't install a trojan or virus.  Many trojans can be bonded to other executables and will install simultaneously while the other executable runs.

- Keith
  ----- Original Message ----- 
  From: Daniels566 at cs.com 
  To: list at dshield.org 
  Cc: Daniels566 at cs.com 
  Sent: Sunday, October 20, 2002 11:29 PM
  Subject: [Dshield] Suejdz


  Here it is two hundred messages down the line I haven't gotten to yet.
  I have a unique situation going on. My wife has a MSN HOT mail account associated with a MSN web site she has. She's gotten three emails from Suejdz at ntlworld.com with attachments. They look suspicious and Hot Mail provides a warning they're in frames and gives you the option to open them. This is where the fun begins because it is a smart package. I won't download it because it will auto open the exe. So I can't get to it to examine it. I can't get to the headers because they're blocked. When I attempted to forward it out of hot mail to another account where I might get to it, the darn thing messes with the URL in MSN and I get a can't find page. So it won't forward.
  So I copy the email and paste it and lo and behold it is returned with the account is overloaded. Next I go to ntlworld.com and email their abuse dept. You all know what that means (machine talky talk) Well I get an autoresponder message back with a lot of blah blah with real tears I tell you. Anyway I try to forward this legit mail and off it goes. Again I try with suejdz and no go??? This thing is really wired. So why am I telling you this. Well, it's bugging me for one and maybe it could interest someone on this list. I can't find a way to notify MSN without talking to a machine and they charge you by the min. to talk on the phone. Not that they really care a lot. But I want to send this email over to ntlworld.com and I can't. It's MSN's server and there's nothing I can do about it. So I figure one of you out there might know a shortcut to get MSN's attention and pass it on to me. If it's a secret I promise not to tell anyone. Anyway I'll quit now and below is a copy of the autoresponder message I received. John Daniels
  Alone in a raft with water all around with nothing to worry about but a sinking feeling.

  Subj: Fw: Your report to the ntl Abuse Team 
  Date: 10/20/02 10:55:08 PM Eastern Daylight Time 
  From: sunflowerenvy at msn.com 
  To: daniels566 at cs.com 

    ----- Original Message -----
    From: ntl Abuse Team
    Sent: Sunday, October 20, 2002 5:58 PM
    To: Lee Letterset
    Subject: Your report to the ntl Abuse Team

    Case Number: 1897061

    PLEASE NOTE THAT THIS IS AN AUTORESPONDER
    Full Information on how to submit abuse reports may be found at 
    http://www.ntlworld.com/help/aup/

    --
    Latest News: 

    03 Oct 2002

    Pornographic Emails:

    If you are receiving large amounts of pornographic email please send an 
    email to aup.advice01 at ntlworld.com

    07 Oct 2002

    Port 137 connections:

    We are seeing an increased number of connection attempts on Port 137. 
    This may be due to the remote PC being infected with the Opaserv Worm or
    Bugbear. Please note that the vast majority of these connection attempts
    are originating from outside the ntl network. When submitting your 
    report please ensure that only ntl IPs are reported. Sites such as 
    www.geektools.com can help assist in identifying the correct ISP to 
    submit reports to.

    --

    This email has automatically been sent to you in response to a report 
    that we have received that included your email address as a contact. 
    The content of this auto-responder is important - please read fully.

    This will be the only response sent to you regarding your report unless 
    we require further information. If you wish to send additional 
    information regarding your original report please ensure you 
    include the reference number above in the subject of a new email.

    Please note if you have sent an email that is not related to an abuse 
    issue then your email will NOT be dealt with. For technical support and
    customer support, as well as general enquiries about ntl, please view 
    the contact information at 
    http://www.ntlworld.com/help/contactUs/index.html

    If you have received this auto-responder without having sent an email to
    abuse at ntlworld.com then it is a possibility that your PC is infected 
    with a virus although we are aware that many of the newer viruses/worms 
    use random e-mail addresses when attempting to spread themselves.

    We would strongly advise that you check your PC using anti-virus 
    software from one of the many reputable companies that produce them.

    Please be aware that we cannot release details of our past or ongoing 
    investigations. In addition we will not release any details concerning 
    our customers. 

    If unauthorised access, theft of data or malicious damage has taken 
    place we advise you to contact your local Police department. We will 
    fully co-operate with any Police investigation to ensure that a 
    satisfactory outcome is reached.

    Please be aware that we can only deal with complaints that have 
    originated from our network - we are not able to handle complaints from 
    other ISPs. If you are unsure how to identify where an email has 
    originated from please visit sites such as http://www.samspade.org &
    http://www.spamcop.net. Any complaints sent to us concerning other ISPs
    will not be dealt with or forwarded.

    ntl do not currently filter customer's e-mail, please consult the 
    documentation/help files for your e-mail client in 
    order to use its filtering capabilities. Parents especially may wish to
    read the information at 
    http://www.ntlworld.com/help/generalHelp/offensive-material.htm
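
Added example, not part of the original post or of any tool named in it: a header check showing why the From address and most Received lines prove nothing, and which single hop a recipient can rely on when deciding where an abuse report should go. The host names, addresses and the function name `last_verifiable_hop` are assumptions made for illustration; the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: documentation IP ranges and .example domains only.
SAMPLE = """\
Received: from open-relay.example.org (open-relay.example.org [203.0.113.25])
\tby mx.recipient.example with ESMTP id A1; Mon, 21 Oct 2002 20:01:02 -0400
Received: from smtp.friend-isp.example ([192.0.2.77])
\tby open-relay.example.org with SMTP id B2; Mon, 21 Oct 2002 20:00:58 -0400
Received: from friend-pc ([198.51.100.9])
\tby smtp.friend-isp.example with SMTP id C3; Mon, 21 Oct 2002 20:00:50 -0400
From: friend@friend-isp.example
To: me@recipient.example
Subject: constructed test message

(body omitted)
"""

# "from <helo> ... [<ipv4>] ... by <host>" as commonly written in Received lines.
HOP = re.compile(
    r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([\w.-]+)", re.S)


def last_verifiable_hop(raw, trusted_mtas):
    """Return the peer our own mail servers saw, plus what cannot be verified.

    Only Received lines stamped by hosts in trusted_mtas are believed; every
    line below the first untrusted one may have been inserted by the sender.
    """
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    handoff, trusted = None, 0
    for header in received:  # newest hop first
        m = HOP.search(header)
        if not m or m.group(3).lower() not in trusted_mtas:
            break  # written by someone else: could be forged
        handoff = {"helo": m.group(1), "ip": m.group(2)}
        trusted += 1
    return {
        "claimed_from": parseaddr(msg.get("From", ""))[1],
        "handoff": handoff,
        "unverifiable_headers": len(received) - trusted,
    }


if __name__ == "__main__":
    print(last_verifiable_hop(SAMPLE, {"mx.recipient.example"}))
```

In the sample, the only address worth reporting is the relay that connected to the recipient's server; the two lower Received lines and the From address are treated as unverified claims.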

