30 Jul
2002
30 Jul
'02
2:31 p.m.
Can somebody more familiar with such confirm whether that is indeed
Richard Erlacher's machine that sent the following copy of Klez? (Headers
only follow)
---------- Forwarded message ----------
Return-Path: <edick(a)idcomm.com>
Received: from mailhost.idcomm.com (mailhost.idcomm.com [207.40.196.14])
by lmi.net (8.8.8/8.8.7) with ESMTP id TAA05488
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 19:17:42 -0700 (PDT)
Received: from Dqza (dsl-res156.idcomm.com [216.98.199.156])
by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g6V2HSJ01036
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 20:17:29 -0600
Date: Tue, 30 Jul 2002 20:17:29 -0600
Message-Id: <200207310217.g6V2HSJ01036(a)mailhost.idcomm.com>
From: JPLCSCH <JPLCSCH(a)aol.com>
To: cisin(a)xenosoft.com
Subject: Dialog under
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Q37LE02W0269aCiF037Kl967jS3g6
Content-Length: 177741
30 Jul
30 Jul
2:44 p.m.
At 07:29 PM 7/30/2002 -0700, Fred Cisin (XenoSoft) wrote:
Can somebody more familiar with such confirm whether
that is indeed
Richard Erlacher's machine that sent the following copy of Klez? (Headers
only follow)
One trick of Klez is that it harvests e-mail addresses
from your mailboxes and uses them to spoof the From:
line,
in order to make it seem (on casual inspection) that
person has the virus. They don't. Someone who received
mail from Erlacher (perhaps a list subscriber) has Klez.
- John
2:55 p.m.
At 07:29 PM 7/30/2002 -0700, Fred Cisin (XenoSoft)
wrote:
>Can somebody more familiar with such confirm whether that is indeed
>Richard Erlacher's machine that sent the following copy of Klez? (Headers
>only follow)
On Tue, 30 Jul 2002, John Foust wrote:
One trick of Klez is that it harvests e-mail
addresses
from your mailboxes and uses them to spoof the From: line,
in order to make it seem (on casual inspection) that
person has the virus. They don't. Someone who received
mail from Erlacher (perhaps a list subscriber) has Klez.
NO. PLEASE look again. Dick's address is in the RETURN PATH line, NOT
the FROM line! It appears that Dick's computer is the one with
Klez, and it put a false FROM: of JPLCSCH(a)aol.com
MOST varieties of Klez put a bogus FROM:, but leave the
Return-Path: intact.
Return-Path: <edick(a)idcomm.com>
Received: from mailhost.idcomm.com (mailhost.idcomm.com [207.40.196.14])
by lmi.net (8.8.8/8.8.7) with ESMTP id TAA05488
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 19:17:42 -0700 (PDT)
Received: from Dqza (dsl-res156.idcomm.com [216.98.199.156])
by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g6V2HSJ01036
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 20:17:29 -0600
Date: Tue, 30 Jul 2002 20:17:29 -0600
Message-Id: <200207310217.g6V2HSJ01036(a)mailhost.idcomm.com>
From: JPLCSCH <JPLCSCH(a)aol.com>
To: cisin(a)xenosoft.com
Subject: Dialog under
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Q37LE02W0269aCiF037Kl967jS3g6
3:18 p.m.
At 07:54 PM 7/30/2002 -0700, Fred Cisin (XenoSoft) wrote:
NO. PLEASE look again. Dick's address is in the
RETURN PATH line, NOT
the FROM line! It appears that Dick's computer is the one with
Klez, and it put a false FROM: of JPLCSCH(a)aol.com
I'm sorry - yes, that IP matches Dick's DSL, as seen on a
previous CC-Talk message:
Received: from dslres156 (dsl-res156.idcomm.com [216.98.199.156])
by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g5JEXw624437
for <cctalk(a)classiccmp.org>rg>; Wed, 19 Jun 2002 08:33:58 -0600
- John
7:42 p.m.
I've just had a flock(5) of them and they all had the same return line as yours.
I use Pegasus which does not automatically open HTML. I stupidly opened
the first one but checking with both the Symantec and Kaspersky Klez tools
say I'm clean. They all vary in size but average around 150k. 2 were
supposedly from list members but the other 3 were unknown to me.
I guess it is harvesting Richards mail.
Lawrence
lgwalker(a)mts.net
bigwalk_ca(a)yahoo.com
At 07:29 PM
7/30/2002 -0700, Fred Cisin (XenoSoft) wrote:
>Can somebody more familiar with such confirm whether that is indeed
>Richard Erlacher's machine that sent the following copy of Klez? (Headers
>only follow)
On Tue, 30 Jul 2002, John Foust wrote:
One trick of Klez is that it harvests e-mail
addresses
from your mailboxes and uses them to spoof the From: line,
in order to make it seem (on casual inspection) that
person has the virus. They don't. Someone who received
mail from Erlacher (perhaps a list subscriber) has Klez.
NO. PLEASE look again. Dick's address is in the RETURN PATH line, NOT
the FROM line! It appears that Dick's computer is the one with
Klez, and it put a false FROM: of JPLCSCH(a)aol.com
MOST varieties of Klez put a bogus FROM:, but leave the
Return-Path: intact.
Return-Path: <edick(a)idcomm.com>
Received: from mailhost.idcomm.com (mailhost.idcomm.com [207.40.196.14])
by lmi.net (8.8.8/8.8.7) with ESMTP id TAA05488
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 19:17:42 -0700 (PDT)
Received: from Dqza (dsl-res156.idcomm.com [216.98.199.156])
by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g6V2HSJ01036
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 20:17:29 -0600
Date: Tue, 30 Jul 2002 20:17:29 -0600
Message-Id: <200207310217.g6V2HSJ01036(a)mailhost.idcomm.com>
From: JPLCSCH <JPLCSCH(a)aol.com>
To: cisin(a)xenosoft.com
Subject: Dialog under
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Q37LE02W0269aCiF037Kl967jS3g6
2 Aug
2 Aug
12:52 p.m.
New subject: Klez HELP ! (don't open if in any format) was Re: HEADERS?
It seems that I did not escape Klez. I have had a continuous memory drain
since stupidly opening the first msg. in HTML and memory resources drain
eventually freeze my computer. I come up clean with both the Symantic and
Kaspersky removal tools however. One of the spoofed messages with R.E.s
return path was from Allison warning about klez and recommending the
Kaspersky Klez removal tool. I'd never heard about Kaspersky before. Makes
me seriously wonder about these AV companies. Create a problem and then
sell a solution.
I saved, without opening, one of the msgs. and submitted it to Kaspersky
on-line identification and they IDed it as Klez H. Ran their removal tool again,
which won't run from DOS, only from a 98 Dos prompt and again it came up
clean. I'm wondering now whether it might have removed some essential 98
file. Any ideas on solving this problem ?
A good lesson learned. Henceforth any list messages in non-ASCI format
either get deleted or sent back to sender. No exceptions. If you can't solve
your msg.sending problems because of your system at work or whatever ;
DON'T SEND it !!
Lawrence
I've just had a flock(5) of them and they all had
the same return line as
yours.
I use Pegasus which does not automatically open HTML. I stupidly opened
the first one but checking with both the Symantec and Kaspersky Klez tools
say I'm clean. They all vary in size but average around 150k. 2 were
supposedly from list members but the other 3 were unknown to me.
I guess it is harvesting Richards mail.
Lawrence
lgwalker(a)mts.net
bigwalk_ca(a)yahoo.com
lgwalker(a)mts.net
bigwalk_ca(a)yahoo.com
At 07:29
PM 7/30/2002 -0700, Fred Cisin (XenoSoft) wrote:
>Can somebody more familiar with such confirm whether that is indeed
>Richard Erlacher's machine that sent the following copy of Klez? (Headers
>only follow)
On Tue, 30 Jul 2002, John Foust wrote:
One trick of Klez is that it harvests e-mail
addresses
from your mailboxes and uses them to spoof the From: line,
in order to make it seem (on casual inspection) that
person has the virus. They don't. Someone who received
mail from Erlacher (perhaps a list subscriber) has Klez.
NO. PLEASE look again. Dick's address is in the RETURN PATH line, NOT
the FROM line! It appears that Dick's computer is the one with
Klez, and it put a false FROM: of JPLCSCH(a)aol.com
MOST varieties of Klez put a bogus FROM:, but leave the
Return-Path: intact.
Return-Path: <edick(a)idcomm.com>
Received: from mailhost.idcomm.com (mailhost.idcomm.com [207.40.196.14])
by lmi.net (8.8.8/8.8.7) with ESMTP id TAA05488
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 19:17:42 -0700 (PDT)
Received: from Dqza (dsl-res156.idcomm.com [216.98.199.156])
by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g6V2HSJ01036
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 20:17:29 -0600
Date: Tue, 30 Jul 2002 20:17:29 -0600
Message-Id: <200207310217.g6V2HSJ01036(a)mailhost.idcomm.com>
From: JPLCSCH <JPLCSCH(a)aol.com>
To: cisin(a)xenosoft.com
Subject: Dialog under
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Q37LE02W0269aCiF037Kl967jS3g6
1:11 p.m.
New subject: OT: Re: Klez HELP ! (don't open if in any format) was Re: HEADERS?
Here's a trick for removing a virus from your Microsoft Windows system:
1. Reboot the computer into DOS mode
2. Issue the command: format /u c:
3. Install your favorite open source operating system
On Fri, 2 Aug 2002, Lawrence Walker wrote:
It seems that I did not escape Klez. I have had a
continuous memory drain
since stupidly opening the first msg. in HTML and memory resources drain
eventually freeze my computer. I come up clean with both the Symantic and
Kaspersky removal tools however. One of the spoofed messages with R.E.s
return path was from Allison warning about klez and recommending the
Kaspersky Klez removal tool. I'd never heard about Kaspersky before. Makes
me seriously wonder about these AV companies. Create a problem and then
sell a solution.
I saved, without opening, one of the msgs. and submitted it to Kaspersky
on-line identification and they IDed it as Klez H. Ran their removal tool again,
which won't run from DOS, only from a 98 Dos prompt and again it came up
clean. I'm wondering now whether it might have removed some essential 98
file. Any ideas on solving this problem ?
A good lesson learned. Henceforth any list messages in non-ASCI format
either get deleted or sent back to sender. No exceptions. If you can't solve
your msg.sending problems because of your system at work or whatever ;
DON'T SEND it !!
Lawrence
Sellam Ismail Vintage Computer Festival
------------------------------------------------------------------------------
International Man of Intrigue and Danger http://www.vintage.org
* Old computing resources for business and academia at www.VintageTech.com *
I've just had a flock(5) of them and they
all had the same return line as
yours.
I use Pegasus which does not automatically open HTML. I stupidly opened
the first one but checking with both the Symantec and Kaspersky Klez tools
say I'm clean. They all vary in size but average around 150k. 2 were
supposedly from list members but the other 3 were unknown to me.
I guess it is harvesting Richards mail.
Lawrence
lgwalker(a)mts.net
bigwalk_ca(a)yahoo.com
lgwalker(a)mts.net
bigwalk_ca(a)yahoo.com
At 07:29
PM 7/30/2002 -0700, Fred Cisin (XenoSoft) wrote:
>Can somebody more familiar with such confirm whether that is indeed
>Richard Erlacher's machine that sent the following copy of Klez? (Headers
>only follow)
On Tue, 30 Jul 2002, John Foust wrote:
One trick of Klez is that it harvests e-mail
addresses
from your mailboxes and uses them to spoof the From: line,
in order to make it seem (on casual inspection) that
person has the virus. They don't. Someone who received
mail from Erlacher (perhaps a list subscriber) has Klez.
NO. PLEASE look again. Dick's address is in the RETURN PATH line, NOT
the FROM line! It appears that Dick's computer is the one with
Klez, and it put a false FROM: of JPLCSCH(a)aol.com
MOST varieties of Klez put a bogus FROM:, but leave the
Return-Path: intact.
Return-Path: <edick(a)idcomm.com>
Received: from mailhost.idcomm.com (mailhost.idcomm.com [207.40.196.14])
by lmi.net (8.8.8/8.8.7) with ESMTP id TAA05488
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 19:17:42 -0700 (PDT)
Received: from Dqza (dsl-res156.idcomm.com [216.98.199.156])
by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g6V2HSJ01036
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 20:17:29 -0600
Date: Tue, 30 Jul 2002 20:17:29 -0600
Message-Id: <200207310217.g6V2HSJ01036(a)mailhost.idcomm.com>
From: JPLCSCH <JPLCSCH(a)aol.com>
To: cisin(a)xenosoft.com
Subject: Dialog under
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Q37LE02W0269aCiF037Kl967jS3g6
6:18 p.m.
New subject: OT: Re: Klez HELP ! (don't open if in any format) was Re: HEADERS?
Thanks Sellam. You always were a smartass.
And if I delete the the years of collecting how-to's, in order to get my old
boxes working, I can simply refer folks to you claiming that now I have a
superior system running, I'm sure they will understand.
I guess NOW is the time to burn a CD before a HD failure or virus wipes it all.
Lawrence
Here's a trick for removing a virus from your Microsoft Windows system:
1. Reboot the computer into DOS mode
2. Issue the command: format /u c:
3. Install your favorite open source operating system
On Fri, 2 Aug 2002, Lawrence Walker wrote:
lgwalker(a)mts.net
bigwalk_ca(a)yahoo.com
It seems that I did not escape Klez. I have had
a continuous memory drain
since stupidly opening the first msg. in HTML and memory resources drain
eventually freeze my computer. I come up clean with both the Symantic and
Kaspersky removal tools however. One of the spoofed messages with R.E.s return
path was from Allison warning about klez and recommending the Kaspersky Klez
removal tool. I'd never heard about Kaspersky before. Makes me seriously
wonder about these AV companies. Create a problem and then sell a solution.
I saved, without opening, one of the msgs. and submitted it to Kaspersky
on-line identification and they IDed it as Klez H. Ran their removal tool
again, which won't run from DOS, only from a 98 Dos prompt and again it came
up clean. I'm wondering now whether it might have removed some essential 98
file. Any ideas on solving this problem ?
A good lesson learned. Henceforth any list messages in non-ASCI format
either get deleted or sent back to sender. No exceptions. If you can't solve
your msg.sending problems because of your system at work or whatever ;
DON'T SEND it !!
Lawrence
Sellam Ismail Vintage Computer Festival
------------------------------------------------------------------------------
International Man of Intrigue and Danger http://www.vintage.org
* Old computing resources for business and academia at www.VintageTech.com *
I've just had a flock(5) of them and they
all had the same return line as
yours.
I use Pegasus which does not automatically open HTML. I stupidly opened the
first one but checking with both the Symantec and Kaspersky Klez tools say
I'm clean. They all vary in size but average around 150k. 2 were supposedly
from list members but the other 3 were unknown to me.
I guess it is harvesting Richards mail.
Lawrence
lgwalker(a)mts.net
bigwalk_ca(a)yahoo.com
> At 07:29 PM 7/30/2002 -0700, Fred Cisin
(XenoSoft) wrote:
> >Can somebody more familiar with such confirm whether that is indeed
> >Richard Erlacher's machine that sent the following copy of Klez?
> >(Headers only follow)
On Tue, 30 Jul 2002, John Foust wrote:
> One trick of Klez is that it harvests e-mail addresses
> from your mailboxes and uses them to spoof the From: line,
> in order to make it seem (on casual inspection) that
> person has the virus. They don't. Someone who received
> mail from Erlacher (perhaps a list subscriber) has Klez.
NO. PLEASE look again. Dick's address is in the RETURN PATH line, NOT
the FROM line! It appears that Dick's computer is the one with Klez, and
it put a false FROM: of JPLCSCH(a)aol.com
MOST varieties of Klez put a bogus FROM:, but leave the
Return-Path: intact.
Return-Path: <edick(a)idcomm.com>
Received: from mailhost.idcomm.com (mailhost.idcomm.com [207.40.196.14])
by lmi.net (8.8.8/8.8.7) with ESMTP id TAA05488
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 19:17:42 -0700 (PDT)
Received: from Dqza (dsl-res156.idcomm.com [216.98.199.156])
by mailhost.idcomm.com (8.10.2/8.10.0) with SMTP id g6V2HSJ01036
for <cisin(a)xenosoft.com>om>; Tue, 30 Jul 2002 20:17:29 -0600
Date: Tue, 30 Jul 2002 20:17:29 -0600
Message-Id: <200207310217.g6V2HSJ01036(a)mailhost.idcomm.com>
From: JPLCSCH <JPLCSCH(a)aol.com>
To: cisin(a)xenosoft.com
Subject: Dialog under
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Q37LE02W0269aCiF037Kl967jS3g6
lgwalker(a)mts.net
bigwalk_ca(a)yahoo.com 
1:46 p.m.
New subject: Klez HELP ! (don't open if in any format) was Re: HEADERS?
On Fri, 2 Aug 2002, Lawrence Walker wrote:
I saved, without opening, one of the msgs. and
submitted it to Kaspersky
on-line identification and they IDed it as Klez H. Ran their removal tool again,
which won't run from DOS, only from a 98 Dos prompt and again it came up
clean. I'm wondering now whether it might have removed some essential 98
file. Any ideas on solving this problem ?
If you have a 98 boot cd, boot from that to a DOS prompt. load the
klez-kleener off the hard drive. If the removal tool won't run in a
clean-boot environment, it's NOT a removal tool.
I open virus emails to see what's in 'em. I love my Pine...
Doc
4 Aug
4 Aug
2:03 a.m.
New subject: Klez HELP ! (don't open if in any format) was Re: HEADERS?
Lawrence Walker wrote:
It seems that I did not escape Klez. I have had a
continuous memory drain
since stupidly opening the first msg. in HTML and memory resources drain
eventually freeze my computer. I come up clean with both the Symantic and
Kaspersky removal tools however. One of the spoofed messages with R.E.s
return path was from Allison warning about klez and recommending the
Kaspersky Klez removal tool. I'd never heard about Kaspersky before. Makes
me seriously wonder about these AV companies. Create a problem and then
sell a solution.
<snip>
Reminds me of that Farside cartoon where a guy is sitting in his living
room reading a wrinkled piece of paper. His window has been broken and
there's a brick on the floor in front of him. The piece of paper reads
"Brick thrown through your window? Call Rick's Window Repair."
Mike
8181
days inactive
8186
days old
9 comments
6 participants
participants (6)
-
celt@chisp.net -
cisin@xenosoft.com -
doc@mdrconsult.com -
foo@siconic.com -
jfoust@threedee.com -
lgwalker@mts.net