Klez macro virus I need help
  1. #1



    Klez macro virus I need help

    Can anybody offer any help?

    As far as I can gather it looks like
    an account at btinternet.com is sending it to me.

    It may be spoofing and not from that guy.

    He is real enough, I have found his phone number on the internet.

    Of course it might not be him.

    I have sent items to abuse@bt.com

    This is really starting to bug me as I am receiving
    four of these a day in my prime business email account.

    Below is what I receive in the body of the message:

    ----- Original Message -----
    From: "urfriend" < loveshore@loverscreensaver.com >
    To: < andywid@btinternet.com >
    Sent: Thu,10 Oct 2002 22:03:05 PM
    Subject: Let's Laugh

    This e-mail is never sent unsolicited. If you need to unsubscribe,
    follow the instructions at the bottom of the message.
    ***********************************************************

    Enjoy this friendship Screen Saver and Check ur friends circle...

    Send this screensaver from www.loverscreensaver.com to everyone you
    consider a FRIEND, even if it means sending it back to the person
    who sent it to you. If it comes back to you, then you'll know you
    have a circle of friends.

    * To remove yourself from this mailing list, point your browser to:
    * Enter your email address (andywid@btinternet.com) in the field provided and click "Unsubscribe".


    * Reply to this me


    You can take it as read that there is no such url as

    I have run FixKlez.com (100,472 bytes) on my machine
    I am using Outlook Express 6.00.2800.1106
    and between that and Norton I cannot even open
    the files even if I 'wanted' to.

    Desperate Darren .....

  2. #2

    Mark Snowdon


    we need to see the headers

    You can only identify the source if you see the full headers.

    Right-click on the message, choose Properties, then the Details tab.

    Cut and paste that lot. You will have something like this:

    Return-Path: <intbusiness@elsitio.com>
    Received: from mta03.local ([])
            by s1.uklinux.net (8.11.6/8.11.6) with SMTP id g9A2n1027507
            for <sales@arthington.com>; Thu, 10 Oct 2002 03:49:06 +0100
    Envelope-To: <sales@arthington.com>
    Date: Thu, 10 Oct 2002 03:49:06 +0100
    Message-Id: <200210100249.g9A2n1027507@s1.uklinux.net>
    Received: (qmail 4829 invoked from network); 10 Oct 2002 02:48:59 -0000
    Received: from unknown (HELO localhost) ([]) (envelope-sender <intbusiness@elsitio.com>)
            by mta03.local (qmail-ldap-1.03) with SMTP
            for <ceo@finance5andbuy5business.net>; 10 Oct 2002 02:48:59 -0000
    From: "venture finance" <intbusiness@elsitio.com>
    To: <ceo@finance5andbuy5business.net.uklinux.net>

    What you need is that first "Received: from" line.
    Received: from mta03.local ([])

    Ignore the name, but the IP address is the mail server that sent it to you. Look up who they are at www.ripe.net/perl/whois

    Forward the mail to abuse@..... including a full copy of the headers and ask them to identify the user responsible.

    Most ISPs will close the account until their customer applies AV.
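
The header check described in the reply above, as an added example that is not part of the original thread. It unfolds the `Received:` lines and returns the address recorded by the recipient's own mail server, since lines further down come from the sending side and can be forged. The sample headers, host names and addresses are constructed, and `my_server` is an assumed parameter naming the recipient's server.

```python
import email
import ipaddress
import re

# Constructed sample: hypothetical hosts, documentation and RFC 1918 addresses.
SAMPLE = """\
Return-Path: <sender@example.com>
Received: from mta03.local ([198.51.100.23])
\tby mx.example.net (8.11.6/8.11.6) with SMTP id g9A2n1027507
\tfor <sales@example.org>; Thu, 10 Oct 2002 03:49:06 +0100
Received: (qmail 4829 invoked from network); 10 Oct 2002 02:48:59 -0000
Received: from unknown (HELO localhost) ([10.0.0.5])
\tby mta03.local (qmail-ldap-1.03) with SMTP
\tfor <ceo@example.org>; 10 Oct 2002 02:48:59 -0000
From: "venture finance" <sender@example.com>
To: <sales@example.org>

body
"""

# "from <helo> ... [<ip>] ... by <server>"; the IP may be empty, as in "([])".
HOP = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>[0-9A-Fa-f:.]*)\].*?\bby\s+(?P<by>\S+)", re.S)
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_hops(raw):
    """Parse folded Received headers, newest first, into helo/ip/by dicts."""
    msg = email.message_from_string(raw)
    return [m.groupdict() for m in
            (HOP.search(v) for v in msg.get_all("Received", [])) if m]

def handoff_ip(raw, my_server):
    """Return the IP that connected to my_server, or None if unusable."""
    for hop in received_hops(raw):
        if hop["by"].lower() != my_server.lower():
            continue  # not written by my_server, so it may be forged
        try:
            ip = ipaddress.ip_address(hop["ip"])
        except ValueError:
            return None  # empty or malformed address
        return None if any(ip in net for net in INTERNAL) else str(ip)
    return None

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        print(hop)
    print("report to the owner of:", handoff_ip(SAMPLE, "mx.example.net"))
```

A `None` result means the trusted hop carries no usable public address, in which case the headers alone do not identify a network to report to.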
