[Dshield] Re: Suejdz & Kleze anyone

Bob Johnson bob at eng.ufl.edu
Thu Oct 24 17:08:30 GMT 2002

James C Slora Jr wrote:
> My experiences have differed from yours a bit, Keith. Comments inline.
> On Mon, 21 Oct 2002 19:21:23 -0500 Keith Tarrant wrote:
> > Most varieties of Klez, which is the most widespread email
> > virus right now, randomly pick a sending email address from the email addresses
> > found on the newly infected system.  And even looking at the email
> > headers doesn't help.  Most varieties of Klez insert fake
> > headers and
> In my experience, Klez and Yaha have usually been easy to trace. Both
> typically have legitimate "Return-Path" fields in their headers that show
> the true sender's address. I've heard that these are sometimes faked, but I
> have pretty much only encountered this on double-infected messages (Klez
> plus a combo infector/worm with its own SMTP behavior). Bugbear, on the
> other hand, has nearly worthless header information except for the IP
> addresses.

After handling hundreds of Klez viruses, I've found that this is rarely 
true.  The Return-Path header is usually fake.  The only sure way to 
find the source of a Klez virus is to find the originating IP number in 
the "Received-from" headers, and have the administrator of that network 
track down the infected system.

- Bob
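Bob's method, walking the Received: chain down to the hop that first accepted the message instead of trusting Return-Path, as an added example that is not part of the original post or the list. The sample message, hostnames, queue id and IP addresses are constructed.

```python
"""Trace the originating IP of a message from its Received: headers (added example)."""
import re
from email import message_from_string

# Constructed sample: Return-Path is forged to match the spoofed From,
# but each Received: header was stamped by a relay, not by the worm.
SAMPLE = """\
Return-Path: <alice@example.org>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.com with ESMTP id abc123; Thu, 24 Oct 2002 12:00:00 -0400
Received: from Smtp3.example.net ([198.51.100.77])
\tby mx.example.net with SMTP; Thu, 24 Oct 2002 11:59:00 -0400
From: alice@example.org
To: bob@example.com
Subject: Hi

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"from\s+(\S+)", re.IGNORECASE)


def received_hops(raw):
    """Return (claimed host, bracketed IP) per Received: header, newest first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(hdr.split())  # unfold continuation lines
        host = FROM_RE.search(text)
        ip = IP_RE.search(text)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops


def originating_ip(raw):
    """The bottom-most Received: with an IP was written by the first server
    that accepted the message, so its bracketed address is the submitting host."""
    for _host, ip in reversed(received_hops(raw)):
        if ip:
            return ip
    return None


def return_path_matches_from(raw):
    """True when Return-Path agrees with From:; the worm sets both from
    harvested addresses, so agreement says nothing about the real sender."""
    msg = message_from_string(raw)
    rp = (msg.get("Return-Path") or "").strip("<> ")
    return rp == (msg.get("From") or "").strip()
```

The returned IP is the one to hand to that network's administrator; the hostname in the same header is self-reported by the connecting host and may be anything.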

