Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Klez and other Viruses Inundating me! 2

Status
Not open for further replies.

duffermax

Technical User
Nov 29, 2002
2
US
Lately, I get 3 to 5 viruses a day in my e-mail. So far, Nortons has done a good job of catching them all. Is there anything I can do to stop receiving all of these virus messages? Many are spoofs, but many are real.
 
I think first you have to receive the mail before you can decide which you throw into the papertray. There are some Mailprograms, which allow you to delete mails on the server but some viruses are faking their sender Adress. Therefore this method will not work reliable.



hnd
hasso55@yahoo.com

 
Norton, unfortunately, does not have a mail scanner component (correct me if i'm wrong). If it had, you can configure it so that as the mail comes in and is infected, you can opt to delete or clean it automatically.

I do this with McAfee and have been satisfied so far. Check if NAV 2003 has this (not sure myself).

HTH AVChap
... take my advice, I don't use it anyway!
 
"Norton, unfortunately, does not have a mail scanner component"

Actually it does AVChap. duffermax, you could create some message rules and use a word or two from the subject of the emails and choose the 'delete from server' option so they won't be downloaded. In Outlook Express--tools--message rules--mail.
 
I would try to find out where the emails are coming from,via your ISP or webmail provider.We had the same problem on the network I use, where a few people where recieving viruses continually.Using the header information on the emails the system administrator was able to find out that the sender was internal to our network and solve the problem from there!!!
David
 
Most of the current virus crop like Klez and Bugbear spoof the return address. The return address can be anything and the virus just gets one from the infected machines address book. The only way to trace to the real originator is to look at the message header, do a little detective work and hope you will get some cooperation from the ISP of the infected individual.

I have had some luck in stopping viruses by notifying the ISP of the infected party with the pertinent information for them to trace the source of the virus. I haven’t done this enough to decide how effective it is, but it has worked for me a few times. Here is what I do.

First I look at the message header of the infected e-mail. Here is an example of a header from a Klez.h infected e-mail we just received today. The names are changed to protect the innocent!
-------------------------------------------------------------------
From redneck_lizard@abc.com Sun, 1 Dec 2002 12:16:37 -0600
From: redneck_lizard <redneck_lizard@abc.com>
To: <jsmith@xyz.org>
Received: from mail.hbcomm.net ([198.247.164.14]) by lmg.ahnet.net with ESMTP id <314758-12693>; Sun, 1 Dec 2002 10:16:39 -0800
Received: from Cmvlv [198.247.169.157] by mail.hbcomm.net
(SMTPD32-7.13) id A1ECEC1B00CC; Sun, 01 Dec 2002 12:16:12 -0600
Message-Id: <200212011216310.SM01500@Cmvlv>
Date: Sun, 1 Dec 2002 12:16:37 -0600
Delivery-Date: Mon, 2 Dec 2002 08:34:51
X-Account: My Account
Status: R
Subject: A IE 6.0 patch
Mime-Version: 1.0
-------------------------------------------------------------------

The pertinent info is on the RECEIVED lines, we want to look at them in reverse order.

* My mail server is “lmg.ahnet.net”, and it received the message from “mail.hbcomm.net”.
* The next line shows that mail.hbcomm.net received the mail from Cmvlv [198.247.169.157].

This is the last RECEIVED entry, and so must be the origin of the message. By reading about Klez, I also know that Klez has it’s own SMTP engine and so that is probably where the “Cmvlv” comes from, it is bogus. But, the IP address 198.247.169.157 is real, it was logged by the receiving system mail.hbcomm.net and can’t be forged.

So... 198.247.169.157 is the IP of the infected system, if it is a system with a static IP address like most broadband connections, then this is all we really need. But, if it is a dial-up account then the IP of the infected computer will be different each time it connects to it’s ISP. In this case the “Message-ID” information may be useful to the ISP in identifying the culprit from their mail logs.

Next, I try to find who the IP 198.247.169.157 belongs to. There are several ways to do this. You can do a DNS look-up and tracert from Just go to this web site and type in the IP address 198.247.169.157.
The DNS lookup shows that the Host name is hbt-b157.carrollsweb.com.

I know that carrollsweb.com is a local ISP, I go the their web site and find that you can e-mail support at support@carrollsweb.com. I send an e-mail to carrollsweb support telling them that we have been receiving e-mails infected with the Klez.h virus. That I believe the infected machine is at IP 198.247.169.157 and I include the e-mail header and tracert information from above.

Then, just hope for the best.

Hope this helps someone. Also, if there are any better ideas out there, or anyone sees a hole in my logic I would appreciate hearing from you.

Jim
 
Thanks for the great responses. I liked them all and will try a couple of them. I will let you know as I work through this. Thanks, again; anything that will keep from having to deal with finding and deleting 2 to 3 virus e-mails a day will certainly be welcomed.
Duffermax
 
That's why I said &quot;correct me if i'm wrong&quot; since I don't use NAV (I use McAfee) :) AVChap
... take my advice, I don't use it anyway!
 
duffer, you also may want to check for a keylogger... just a hunch. I think a free one is called anti-keylogger... try google
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top