Home page logo
/

basics logo Security Basics mailing list archives

Can anybody explain this Klez Variant?
From: "Drexcia ====" <drexcia () hotmail com>
Date: Thu, 06 Feb 2003 00:04:50 +0000

Hi Guys,

A friend of mine received this message supposedly from me in his hotmail account. Names/Email addresses have been changed but you'll get the idea

<snip>

From :    my_name <my_name () excite com au>
To :      myfriend () hotmail com
Subject : A good tool

Date :    Mon, 6 Jan 2003 02:36:46 -0600

  MIME-Version: 1.0
Received: from out009.verizon.net ([206.46.170.131]) by mc1-f5.law16.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Mon, 6 Jan 2003 00:36:47 -0800 Received: from Idxgvfqiv ([198.142.240.35]) by out009.verizon.net (InterMail vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP id <20030106083621.IPQL7162.out009.verizon.net () Idxgvfqiv> for <myfriend () hotmail com>; Mon, 6 Jan 2003 02:36:21 -0600
Message-Id: <20030106083621.IPQL7162.out009.verizon.net () Idxgvfqiv>
Return-Path: my_name () verizon net
X-OriginalArrivalTime: 06 Jan 2003 08:36:47.0071 (UTC) FILETIME=[BFE38EF0:01C2B55E]

Content-Type: multipart/alternative; boundary=OecRB7ZOj28RPW41r0438676cfw002tZA2
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable


This is a special good tool
I wish you would like it.

</snip>

I know this looks like a typical Klez message but there are a few things that have me stumped.

1) The "my_name" email address is an old excite account which hasn't been used in over 2 years and has been disabled. The "myfriend" address was not in my address book at this excite account.

2) The return path is "my_name"@verizon.net

3) The source IP has been traced back to a prepaid account with an Australian ISP which doesn't require any personal information to register.

Obviously my email address has been spoofed and they've used a Verizon server to send it. Also included was a 112K Attachment called href.exe which I'm unable to access, presumably Hotmail has stripped it.

Anybody able to help me out with this one? I'm really just wondering if anybody has seen this before or if this is specifically targeted at me.

Many thanks guys..






_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE* http://join.msn.com/?page=features/junkmail


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault