RE: COMP: Virus -Bogus (STEVE)
- Subject: RE: [iris-talk] COMP: Virus -Bogus (STEVE)
- From: S* S*
- Date: Fri, 7 Jun 2002 07:41:04 -0400
- Importance: Normal
Sandra,
That is correct. However, it does not spoof the IP address of the machine
from which the mail is sent. Since mail programs only use the return
address for a reply (such as this reply going to Yahoo! Groups iris-talk
list rather than somewhere else) irate messages can be sent to you about
spreading a virus. I've had to change the response in several anti-virus
installs at client sites so that it reflects the current state of things,
i.e. the spoofed address. The only way to track down the offending machine
is to try to trace back through the e-mail header. There are several
programs that will parse the header for you (Sam Spade is one), but, since
most people do not have a static IP address, and use a largish ISP, it can
be like finding a needle in a haystack. You may be fortunate, if you track,
to find the ISP and be able to narrow the possibilities down to one of
several people you know to have your address. However, this is not
foolproof. The virus may have originated from someone else who happens to
have your address because one of your "suspects" on your list may have
forwarded them a joke you had sent, or some other piece of mail that
included your address. Or, as in the case of this list, a copy of a message
you sent to it is residing on the infected machine.
There is not much one can do about this other than to urge everyone to get a
decent anti-virus program, and keep it up to date. The tag at the bottom of
this message shows that this message has been checked on its way out of
here. If you follow the link provided, the product is available in a free
version that lacks some of the bells and whistles of the version you
actually pay for. If one feels they cannot afford a virus checker, or they
don't want to pay for one--give this one a whirl. I've tried to get some
viruses through it, and it has caught each one.
Also, as a double check, one may wish to make use of a free online scan
available at http://housecall.antivirus.com/. This is not meant to be the
be all and end all of scanners, but serves as a handy double check for your
machine. I use it about once a month. Works best with IE. Modem users may
have some problems getting it up and running the first time (at least that
has been my experience, and it does not affect all modem users, just some).
Just follow the directions, and go.
A few other tips. If you use Outlook in any of its forms, disable the
preview pane. If there is a virus or trojan embedded in the e-mail shown in
the preview pane, it will run as if you have opened the message.
If you have the option of opening the next e-mail after disposing of the
current one, do not use the option. You could accidentally set a virus or
trojan loose on your machine.
Never open any attachments you are not expecting. Even if it is from your
mother. Always save the attachment, and scan it prior to opening. Usually,
the best way is just not to open it, and delete it.
\\Steve//
who is finally hoping to have time to do up a Linux machine this weekend]
Zone 6/7 No. VA, USA
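The header trace-back Steve describes (here, and in his earlier message quoted below), as an added Python example that is not part of this thread: it walks the Received: chain of a message from the earliest hop outward and checks whether the From: domain ever appears in that path, which a Klez-spoofed return address does not. The sample message, hosts and addresses are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message: the From: domain never appears in the
# Received: chain, which is what a Klez-style spoofed return address looks like.
# Hosts and IPs use reserved documentation ranges (RFC 2606 / RFC 5737).
SAMPLE_MESSAGE = """\
Received: from relay.example-isp.net (relay.example-isp.net [192.0.2.10])
        by mx.recipient.example with ESMTP id 42ABC
        for <sandra@recipient.example>; Fri, 07 Jun 2002 07:50:12 -0400
Received: from dialup77.example-isp.net ([198.51.100.77])
        by relay.example-isp.net with SMTP; Fri, 07 Jun 2002 07:50:01 -0400
From: friend@defunct-domain.example
To: sandra@recipient.example
Subject: a funny game

see the attachment
"""

def received_hops(raw):
    """Received: hops in transit order (origin first). Each relay prepends one,
    so the bottom header is the earliest hop and the one worth tracing."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        from_m = re.search(r"\bfrom\s+(\S+)", text, re.I)
        by_m = re.search(r"\bby\s+(\S+)", text, re.I)
        ip_m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        hops.append({"from_host": from_m.group(1) if from_m else None,
                     "from_ip": ip_m.group(1) if ip_m else None,
                     "by_host": by_m.group(1) if by_m else None})
    return hops

def sender_domain(raw):
    """Domain of the From: header, i.e. the part Klez picks at random."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def from_domain_in_path(raw):
    """True only if the From: domain shows up somewhere in the Received: chain.
    False is the red flag: the claimed sender and the delivery path disagree."""
    dom = sender_domain(raw)
    if not dom:
        return False
    return any(dom in f"{h['from_host']} {h['by_host']}".lower() for h in received_hops(raw))

if __name__ == "__main__":
    first = received_hops(SAMPLE_MESSAGE)[0]
    print("From: domain", sender_domain(SAMPLE_MESSAGE), "in path:", from_domain_in_path(SAMPLE_MESSAGE))
    print("earliest hop:", first["from_host"], first["from_ip"], "->", first["by_host"])
```

The earliest hop only names the ISP relay that accepted the message (and perhaps a dial-up host), so, as Steve says, it narrows the search to that ISP rather than to a person.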
-----Original Message-----
From: Sandra Barss [b*@mb.sympatico.ca]
Sent: Friday, June 07, 2002 7:58 AM
To: iris-talk@yahoogroups.com
Subject: Re: [iris-talk] COMP: Virus -Bogus (STEVE)
Do I understand you correctly that if someone has my email address on their
PC in any form, the virus can use my address as if I sent the email, but really
the email came from the infected machine?
Sandra
Steve Szabo wrote:
> Cathy,
>
> That e-mail was not from "billmaryott@home.com". home.com no longer exists.
> That email contained one of the variants of the KLEZ virus that is making
> the rounds again and again. One of the things it does is to spoof the
> return address by choosing an address at random from those found on the
> infected computer. You may be able to track down who it came from by
> tracing the IP address of the sending computer found in the header of the
> message, but I cannot tell you how to do so with AOL mail since they have
> such a weird way of handling their mail.
>
> This virus is also interesting in that it will pick addresses not only from
> the address book, but from any file that has addresses stored in them. This
> may be from a cached web page, a file with e-mail addresses in it, etc. It
> also uses its own SMTP engine to send the messages so the infected person
> will not see the messages sent in their sent items folder of their e-mail
> program. The only real clue, besides a slowing of the normal processing of
> files is extraordinary usage of the internet connection (and since most
> people no longer have an external modem, which I highly recommend, they
> never see all that activity).
>
> Bottom line is that bill and mary are not the ones who sent the
> e-mail--someone else did who had their now defunct address and your address
> on their computer.
>
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.370 / Virus Database: 205 - Release Date: 6/5/2002