From: Selden E Ball Jr (SEB@LNS62.LNS.CORNELL.EDU)
Date: Fri Aug 30 2002 - 16:40:58 CDT
Gentle PhilPholk,

I'm sorry to have to bother all of you, but...

If you live in Michigan and use COMCAST as your Internet provider,
*please* get a copy of a current Anti-Virus product, update its
virus signatures to the most recent version and use it to scan
your PC's hard drives for viruses. That'd be a good idea even
if you don't live there :-)

Over the past few weeks I've received several messages from
some PhilPhan's PC that are infected with the KLEZ virus.
I've already contacted the people who I know live in Michigan,
but their systems seem to be clean.

Since the KLEZ virus forges the return address and other information
in the message header, it's rather difficult to determine what system
these messages actually are coming from. However, since I suspect
that others may be receiving similar messages, I thought it would
be best to warn you all of this problem.

The header of the most recent such message (received just a few minutes
ago) included this line:

> Received: from Nccgx (bgp934461bgs.brmngh01.mi.comcast.net [68.40.196.35])
> by mtaout04.icomcast.net
> (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 13 2002))
> with SMTP id <0H1O002XZEQPNC@mtaout04.icomcast.net> for
> seb@lns62.lns.cornell.edu; Fri, 30 Aug 2002 17:37:47 -0400 (EDT)

The gibberish PC name (Nccgx) is one of the symptoms of KLEZ,
but the IP name and address (bgp934461bgs.brmngh01.mi.comcast.net
[68.40.196.35]) were valid at 17:37:47, when the message was accepted by
the mail server mtaout04.icomcast.net.

The forged "From" address is

> From: philptc <philptc@cimarron.springercoop.com>

which means that the infected system has that address in
a file somewhere on the disk where KLEZ could find it, possibly
in an "address book".

Thanks for your help in this matter.

Selden
======
Selden E. Ball, Jr.
Cornell University Voice: +1-607-255-0688
Laboratory for Elementary-Particle Physics FAX: +1-607-255-8062
LT105 R. R. Wilson Laboratory http://www.lns.cornell.edu/~seb/
Dryden Road Internet: SEB@LNS.CORNELL.EDU
Ithaca, NY, USA 14853-8001 HEPnet/SPAN: LNS62::SEB = 44284::SEB
This archive was generated by hypermail 2.1.7 : Thu Mar 13 2003 - 10:37:27 CST
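
The header reading described in the message above, as an added example that is not part of the original post: it extracts the connecting host, address and timestamp from the quoted Received line and compares them with the From address. The function names and the reassembled sample message are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines quoted in the message above; folding and body are constructed.
RAW = (
    "Received: from Nccgx (bgp934461bgs.brmngh01.mi.comcast.net [68.40.196.35])\n"
    " by mtaout04.icomcast.net\n"
    " (iPlanet Messaging Server 5.1 HotFix 0.8 (built May 13 2002))\n"
    " with SMTP id <0H1O002XZEQPNC@mtaout04.icomcast.net> for\n"
    " seb@lns62.lns.cornell.edu; Fri, 30 Aug 2002 17:37:47 -0400 (EDT)\n"
    "From: philptc <philptc@cimarron.springercoop.com>\n"
    "\n(body omitted)\n"
)

# "from <HELO name> (<reverse-DNS name> [<IP>]) by <receiving server>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_received(value):
    """Split one Received header into the fields the receiving server recorded."""
    flat = " ".join(value.split())          # undo header folding
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    hop = m.groupdict()
    # The timestamp follows the last ';' and pins the address to a moment in time.
    hop["stamp"] = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    return hop

def analyse(raw):
    """Compare the sender-supplied From with what the receiving server logged."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    if not hops:
        return None
    # Topmost line is the newest hop. Only lines written by a server you trust
    # are evidence; the HELO name and the From header come from the sender.
    hop = hops[0]
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = hop["rdns"].lower()
    return {
        **hop,
        "from_domain": from_domain,
        "helo_is_fqdn": "." in hop["helo"],   # a bare name like Nccgx is not
        "from_matches_source": rdns == from_domain or rdns.endswith("." + from_domain),
    }
```

A From domain that differs from the connecting host is common in legitimate mail too, so the mismatch is a reason to rely on the Received data, not proof of forgery by itself.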