[Req #26455] Re: Undeliverable mail--"The Mustang Back Support With Suspenders, 728, "

Subject: [Req #26455] Re: Undeliverable mail--"The Mustang Back Support With Suspenders, 728, "
From: Mitchell Wand (wand@ccs.neu.edu)
Date: Tue Jun 11 2002 - 14:24:14 EDT

I don't think these messages are from somebody on dem. It is more
likely that someone with an infected machine has dem in their address
book.

Here's my copy of the message in question, with headers intact. Note
that the From: line has also been forged, so that the message appears
to be from the recipient's postmaster.

The forged From: is characteristic of the Klez virus. Earlier
versions simply supplied a From: address from the infectee's address
book. The forged From:=postmaster is a new variation that has shown
up just in the last week or so.

See also my Req's 26422 and 26448.

--Mitch

 From catco@emirates.net.ae Tue Jun 11 10:10:50 2002
 Return-Path: <catco@emirates.net.ae>
 Delivered-To: wand@amber.ccs.neu.edu
 Received: by amber.ccs.neu.edu (Postfix)
         id 1F25C1AA10; Tue, 11 Jun 2002 10:10:16 -0400 (EDT)
 Delivered-To: dem@ccs.neu.edu
 Received: from domail1 (unknown [213.42.1.70])
         by amber.ccs.neu.edu (Postfix) with ESMTP id B19A61AAA1
         for <dem@ccs.neu.edu>; Tue, 11 Jun 2002 10:10:11 -0400 (EDT)
 Received: from pmail.emirates.net.ae (pmail.emirates.net.ae [194.170.163.235])
  by domail1.emirates.net.ae
  (iPlanet Messaging Server 5.2 HotFix 0.2 (built Apr 26 2002))
  with ESMTP id <0GXJ00D3DNVLM5@domail1.emirates.net.ae> for dem@ccs.neu.edu;
  Tue, 11 Jun 2002 17:52:34 +0400 (GST)
 Received: from Grzgnoiev (lda145.emirates.net.ae [217.165.8.145])
  by pmail.emirates.net.ae
  (Sun Internet Mail Server sims.4.0.2000.10.12.16.25.p8)
  with SMTP id <0GXJ00J2XNUF4U@pmail.emirates.net.ae> for dem@ccs.neu.edu; Tue,
  11 Jun 2002 17:52:16 +0400 (GST)
 Date-warning: Date header was inserted by pmail.emirates.net.ae
 Message-id: <0GXJ00J2YNUF4U@pmail.emirates.net.ae>
 MIME-version: 1.0
 Content-type: multipart/alternative;
  boundary="Boundary_(ID_YBxcistGQ5jpf33GF3Vuag)"
 From: postmaster <postmaster@ccs.neu.edu>
 To: dem@ccs.neu.edu
 Subject: Undeliverable mail--"The Mustang Back Support With Suspenders, 728, "
 Date: Tue, 11 Jun 2002 17:52:16 +0400 (GST)

 --Boundary_(ID_YBxcistGQ5jpf33GF3Vuag)
 Content-type: text/html
 Content-transfer-encoding: 7BIT

 <HTML><HEAD></HEAD><BODY>

 <FONT>The following mail can't be sent to bIbxfrrbuit@ao.o:<br>
 <br>
 From: dem@ccs.neu.edu<br>
 To: bIbxfrrbuit@ao.o<br>
 Subject: The Mustang Back Support With Suspenders, 728, <br>
 The file is the original mail</FONT></BODY></HTML>

 --Boundary_(ID_YBxcistGQ5jpf33GF3Vuag)
 Content-id: <QJuiLUj1FZ1CX2e>
 Content-type: application/octet-stream; name=Vshng.exe
 Content-transfer-encoding: base64
 Content-disposition: attachment; filename=Vshng.exe

 TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g
 RE9TIG1vZGUuDQ0KJAAAAAAAAAAYmX3gXPgTs1z4E7Nc+BOzJ+Qfs1j4E7Pf5B2zT/gTs7Tn
 GbNm+BOzPucAs1X4E7Nc+BKzJfgTs7TnGLNO+BOz5P4Vs134E7NSaWNoXP

etc.

This archive was generated by hypermail 2b28 : Tue Jun 11 2002 - 14:24:25 EDT