RE: Klez.H attack

  • From: Meral KESKINER <MeralK@xxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 23 May 2002 12:34:27 +0300

        You can use Content Filtering and add all the subject lines below.
You can also find Sybari's recommendations at for file filtering.

Undeliverable mail--"[Random word]" 
Returned mail--"[Random word]" 
a [Random word] [Random word] game 
a [Random word] [Random word] tool 
a [Random word] [Random word] website 
a [Random word] [Random word] patch 
[Random word] removal tools 
how are you 
let's be friends 
so cool a flash,enjoy it 
your password 
some questions 
please try again 
welcome to my hometown 
the Garden of Eden 
introduction on ADSL 
meeting notice 
japanese girl VS playboy 
look,my beautiful girl friend 
eager to see you 
spice girls' vocal concert 
japanese lass' sexy pictures


-----Original Message-----
From: Matthew Payne [mailto:mattp@xxxxxxxxxxxxxx]
Sent: Thursday, 23 May 2002 12:25
To: [ExchangeList]
Subject: [exchangelist] RE: Klez.H attack - Re-Vamped!

Hmmm. Having read all of your Antigen comments, I've decided to change from
Trend ScanMail. What filters should I sensibly apply to Antigen?

-----Original Message-----
From: Matt Dillingham [mailto:mdilling@xxxxxxxxx] 
Sent: 21 May 2002 19:09
To: [ExchangeList]
Subject: [exchangelist] RE: Klez.H attack

aorlowski@xxxxxxxxxxx wrote:
> Well said, Matt. I love Antigen; however, has your campus received 
> hundreds of hits lately? Our college has. I am not real worried about 
> it because Antigen cleans all of these out, but it seems to me that 
> these hits are not a good sign. We are also filtering exe, scr, etc. 
> All seems to work well.
> Allen Orlowski
> MCP, A+, Network +
> aorlowski@xxxxxxxxxxx <mailto:aorlowski@xxxxxxxxxxx>


Yeah, we have been seeing a ton of these being filtered/purged.  I would say
lately, that Klez.X (usually coupled with a HTML/MimeExploit.IFRAME alert)
has been making up about 95%+ of our virus traffic.  I suspect that the
reason that this virus is so persistent and is seeming to spread so well is
because of the spoofed SENDER field.  it is very difficult to track down
where the virus originated from.

if i could not scan everyone's mailbox, i would be pretty nervous.

Does anyone know a practical way to actually track the real sender down?
with antigen, it can automatically send alerts to any infected external or
internal senders, once detected.  the alerts are a completely automated,
customizable email message.  unfortunately, i have had to disable this
feature right now because it is useless with klez.  since the SENDER field
is forged, antigen will send the klez alerts to the randomly selected person
in the SENDER field, which is just a random address from the infected
person's addressbook.

anyone have any ideas about how to track down and alert these people?


PS> Allen- Just curious... what college do you work for?
 Matt Dillingham                        Systems Administrator II
           University of Michigan, Bioinformatics

> -----Original Message-----
> From: Matt Dillingham [mailto:mdilling@xxxxxxxxx]
> Sent: Tuesday, May 21, 2002 12:04 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Klez.H attack
> Denise Dorrance wrote:
> >
> > What exactly is Antigen?  Is it a virus software or an Anti-spam
> > software??
> >
> Denise-
> Antigen is an antivirus engine that can scan all writes to the 
> exchange information store (mailboxes, etc), in real-time, can scan 
> inside the store (as a scheduled task, on demand, etc), and can scan 
> and intercept messages being sent across the SMTP virt-server 
> (incoming and outgoing) in real-time.
> since we have installed it and cleaned the information store for the 
> first time, we have not had ANY viruses actually infect anyone's 
> mailbox. everything has been stopped as incoming SMTP traffic.
> i don't know if there is any other solution out there that will work as 
> well or better than antigen... because once i tried this, i stopped 
> looking.  i highly recommend it.
> -matt
> PS> however, it does not intercept spam... unless it has a virus- heh 
> heh.
> PS> also, i forgot to mention, antigen also has file filtering 
> capability (block all .exe & .scr, etc), but we are not using it.  i do 
> know some people that are, and i have heard that it works fine.
> -- __________________________________________________________________
>  Matt Dillingham                        Systems Administrator II
>            University of Michigan, Bioinformatics
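
The subject-line content filter suggested in the first message, sketched as an added example that is not part of the original thread and is not Antigen's own rule syntax. The function names are hypothetical, and it assumes each "[Random word]" slot is a single whitespace-free token. Matching is on the whole subject, case-insensitively, so a longer subject that merely contains a phrase such as "meeting notice" is not flagged.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

SLOT = "[Random word]"  # variable part of a subject, as written in the list above

# Subject templates copied from the list in the first message of the thread.
TEMPLATES = [
    'Undeliverable mail--"[Random word]"', 'Returned mail--"[Random word]"',
    "a [Random word] [Random word] game", "a [Random word] [Random word] tool",
    "a [Random word] [Random word] website", "a [Random word] [Random word] patch",
    "[Random word] removal tools", "how are you", "let's be friends",
    "so cool a flash,enjoy it", "your password", "some questions",
    "please try again", "welcome to my hometown", "the Garden of Eden",
    "introduction on ADSL", "meeting notice", "japanese girl VS playboy",
    "look,my beautiful girl friend", "eager to see you",
    "spice girls' vocal concert", "japanese lass' sexy pictures",
]

def compile_template(template):
    """Turn one template into a regex; literal text is escaped, slots become \\S+."""
    # Assumption: each slot holds exactly one token with no whitespace.
    literal_parts = [re.escape(part) for part in template.split(SLOT)]
    return re.compile(r"\S+".join(literal_parts), re.IGNORECASE)

RULES = [(t, compile_template(t)) for t in TEMPLATES]

def match_subject(raw_subject):
    """Return the template a Subject header matches in full, or None."""
    if raw_subject is None:
        return None
    # Decode RFC 2047 encoded-words, then collapse runs of whitespace.
    decoded = str(make_header(decode_header(raw_subject)))
    subject = " ".join(decoded.split())
    for template, pattern in RULES:
        if pattern.fullmatch(subject):
            return template
    return None

def scan_message(raw_message):
    """Parse an RFC 822 message and test its Subject header."""
    return match_subject(message_from_string(raw_message)["Subject"])

# Constructed sample message, not taken from the thread.
SAMPLE = ("From: someone@example.com\nTo: user@example.org\n"
          "Subject: A very funny game\n\nbody\n")

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```
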
