Klez-G obscuring From addresses?

Martin Sapsed m.sapsed at BANGOR.AC.UK
Tue Apr 30 10:06:22 IST 2002

Todd Martin wrote:
> We've received a relatively high number of Klez-G attempts over the
> last few days.
> I noticed this particular virus appears to hide the name of the
> sender by forging the from address. MailScanner knows who really sent
> it because the postmaster notification shows the right sender
> (envelope-from?).
> I've also seen a positive correlation between the forged from address
> and the to address. Several of the incoming viruses look to be from
> users in our domain. This brought on a little finger-pointing and
> panic.

I think you'll find Klez picks both the From: and To: addresses from the
address book on the victim's machine. I had a case yesterday where
boyfriend suggested that girlfriend's PC was infected. Closer examination
of the headers revealed that actually it's boyfriend's PC that's infected!
Oh dear!
Martin Sapsed                           To have no errors
Information Services                    Would be life without meaning
University of Wales, Bangor, LL57 2UX   No struggle, no joy.
Fax: +44 (0)1248 383826

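A check of the kind Martin describes, comparing the envelope sender the MTA recorded against the header From: and To: lines so the real source is identified instead of the address-book victim. This is an added example, not MailScanner's code; the message, host names and addresses are constructed.

```python
"""Compare the SMTP envelope sender with the From: header of a message.

Klez-style mail fills From: and To: from the victim's address book, so the
header From: alone names the wrong person. Return-Path: (the envelope sender
as the receiving MTA wrote it) and the first Received: hop point at the
machine that actually connected.
"""
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample: header From: and To: are both in our own domain, while
# the envelope sender and the connecting host belong elsewhere.
SAMPLE = b"""Return-Path: <jsmith@example.net>
Received: from host-10-1-2-3.example.net ([192.0.2.10])
\tby mx.example.ac.uk with SMTP; Tue, 30 Apr 2002 09:55:01 +0100
From: Alice Colleague <alice@example.ac.uk>
To: Bob Colleague <bob@example.ac.uk>
Subject: W32.Klez.removal.tools

body omitted
"""


def envelope_vs_header(raw: bytes) -> dict:
    """Return envelope sender, header From:, connecting host, and two flags."""
    msg = message_from_bytes(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    header_to = parseaddr(msg.get("To", ""))[1].lower()
    # The first Received: line is the one our own MX added; its second
    # token is the host name the connecting client announced.
    received = msg.get_all("Received") or []
    relay = received[0].split()[1] if received else ""
    return {
        "envelope_from": envelope,
        "header_from": header_from,
        "relay": relay,
        # Envelope and header disagree: treat the header From: as forged.
        "forged_from_suspected": envelope != header_from,
        # From: and To: in the same domain is the pattern that caused the
        # finger-pointing in the thread.
        "same_domain_pair": header_from.rpartition("@")[2]
        == header_to.rpartition("@")[2],
    }


if __name__ == "__main__":
    for key, value in envelope_vs_header(SAMPLE).items():
        print(f"{key}: {value}")
```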