Klez macro virus I need help



darrenez
11th October 2002, 09:26
Can anybody offer any help?

As far as I can gather it looks like
an account at btinternet.com is sending it to me.

It may be spoofing and not from that guy.

He is real enough, I have found his phone number on the internet.

Of course it might not be him.

I have sent items to abuse@bt.com

This is really starting to bug me as I am receiving
four of these a day in my prime business email account.

Below is what I receive in the body of the message:

----- Original Message -----
From: "urfriend" < loveshore@loverscreensaver.com >
To: < andywid@btinternet.com >
Sent: Thu,10 Oct 2002 22:03:05 PM
Subject: Let's Laugh


This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************

Enjoy this friendship Screen Saver and Check ur friends circle...

Send this screensaver from www.loverscreensaver.com to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.

* To remove yourself from this mailing list, point your browser to:
http://loverscreensaver.com/remove?freescreensaver
* Enter your email address (andywid@btinternet.com) in the field provided and click "Unsubscribe".

OR...

* Reply to this me

================================================

You can take it as read that there is no such URL as loverscreensaver.com

I have run FixKlez.com (100,472 bytes) on my machine.
I am using Outlook Express 6.00.2800.1106,
and between that and Norton I cannot even open
the files even if I 'wanted' to.

Desperate Darren .....

Mark Snowdon
11th October 2002, 09:36
You can only identify the source if you see the full headers.

Right-click on the message, choose Properties, then the Details tab.

Cut and paste that lot. You will have something like this:

Return-Path: <intbusiness@elsitio.com>
Received: from mta03.local ([209.225.10.27])
        by s1.uklinux.net (8.11.6/8.11.6) with SMTP id g9A2n1027507
        for <sales@arthington.com>; Thu, 10 Oct 2002 03:49:06 +0100
Envelope-To: <sales@arthington.com>
Date: Thu, 10 Oct 2002 03:49:06 +0100
Message-Id: <200210100249.g9A2n1027507@s1.uklinux.net>
Received: (qmail 4829 invoked from network); 10 Oct 2002 02:48:59 -0000
Received: from unknown (HELO localhost) ([172.17.0.133]) (envelope-sender <intbusiness@elsitio.com>)
by mta03.local (qmail-ldap-1.03) with SMTP
for <ceo@finance5andbuy5business.net>; 10 Oct 2002 02:48:59 -0000
From: "venture finance" <intbusiness@elsitio.com>
To: <ceo@finance5andbuy5business.net.uklinux.net>

What you need is that first "Received: from" line:
Received: from mta03.local ([209.225.10.27])

Ignore the name, but the IP address is the mail server that sent it to you. Look up who they are at http://www.ripe.net/perl/whois

Forward the mail to abuse@..... including a full copy of the headers and ask them to identify the user responsible.

Most ISPs will close the account until their customer applies AV.
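The same header reading done in code, as an added example that is not part of the thread: a Python script that takes the header block quoted in the reply above (embedded here as a constructed string), walks the Received: lines from the top, and pulls out the bracketed IP each server recorded, so the first one (the relay your own server saw) can go to the whois lookup. The function and variable names are my own, and the private-address check is there because hops inside the sender's own network are of no use to whois.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the header block quoted in the reply above, pasted into a
# Python string so the functions below can be run offline.
SAMPLE_HEADERS = """\
Return-Path: <intbusiness@elsitio.com>
Received: from mta03.local ([209.225.10.27])
        by s1.uklinux.net (8.11.6/8.11.6) with SMTP id g9A2n1027507
        for <sales@arthington.com>; Thu, 10 Oct 2002 03:49:06 +0100
Envelope-To: <sales@arthington.com>
Date: Thu, 10 Oct 2002 03:49:06 +0100
Message-Id: <200210100249.g9A2n1027507@s1.uklinux.net>
Received: (qmail 4829 invoked from network); 10 Oct 2002 02:48:59 -0000
Received: from unknown (HELO localhost) ([172.17.0.133]) (envelope-sender <intbusiness@elsitio.com>)
        by mta03.local (qmail-ldap-1.03) with SMTP
        for <ceo@finance5andbuy5business.net>; 10 Oct 2002 02:48:59 -0000
From: "venture finance" <intbusiness@elsitio.com>
To: <ceo@finance5andbuy5business.net.uklinux.net>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IP the stamping server saw
FROM_RE = re.compile(r"^from\s+(\S+)")                  # name the sender claimed
BY_RE = re.compile(r"\bby\s+(\S+)")                     # server that wrote the line


def received_hops(raw_message):
    """Received: lines, topmost (stamped by your own server) first.
    Each dict: claimed 'from' name, the 'by' host that stamped the line, the
    bracketed IP that host recorded, and whether it is a private address."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        text = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        ip_match = IP_RE.search(text)
        from_match, by_match = FROM_RE.match(text), BY_RE.search(text)
        ip = ip_match.group(1) if ip_match else None
        hops.append({
            "from": from_match.group(1) if from_match else None,
            "by": by_match.group(1) if by_match else None,
            "ip": ip,
            "private": ip is not None and ipaddress.ip_address(ip).is_private,
        })
    return hops


def handoff_ip(raw_message):
    """First IP from the top of the chain: the relay that handed the mail to
    your own server. Lower lines were written by other servers and can be
    forged, so this is the one to look up at whois (ignore the claimed name)."""
    return next((h["ip"] for h in received_hops(raw_message) if h["ip"]), None)
```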