RE: Klez.H attack

  • From: Matt Dillingham <mdilling@xxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>, aorlowski@xxxxxxxxxxx
  • Date: Tue, 21 May 2002 14:08:48 -0400

aorlowski@xxxxxxxxxxx wrote:
> Well Said Matt. I love Antigen, however has your campus received hundreds of
> hits lately. Our college has. I am not real worried about because of antigen
> cleans all of these out, but it seems to me that these hits are not a good
> sign. We are also filtering exe,scr,etc.. all seems to work well.
> Allen Orlowski
> MCP, A+, Network +
> aorlowski@xxxxxxxxxxx <mailto:aorlowski@xxxxxxxxxxx>


Yeah, we have been seeing a ton of these being filtered/purged.  I would say 
lately, that Klez.X (usually coupled with a HTML/MimeExploit.IFRAME alert) has 
been making up about 95%+ of our virus traffic.  I suspect that the reason that 
this virus is so persistent and is seeming to spread so well is because of the 
spoofed SENDER field.  it is very difficult to track down where the virus 
originated from.

if i could not scan everyone's mailbox, i would be pretty nervous.

Does anyone know a practical way to actually track the real sender down?  with 
antigen, it can automatically send alerts to any infected external or internal 
senders, once detected.  the alerts are a completely automated, customizable 
email message.  unfortunately, i have had to disabled this feature right now 
because it is useless with klez.  since the SENDER field is forged, antigen 
will send the klez alerts to the randomly selected person in the SENDER field, 
which is just a random address from the infected person's addressbook.

anyone have any ideas about how to track down and alert these people?


PS> Allen- Just curious... what college do you work for?
 Matt Dillingham                        Systems Administrator II
           University of Michigan, Bioinformatics

> -----Original Message-----
> From: Matt Dillingham [mailto:mdilling@xxxxxxxxx]
> Sent: Tuesday, May 21, 2002 12:04 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Klez.H attack
> Denise Dorrance wrote:
> >
> > What exactly is Antigen?  Is it a virus software or an Anti-spam
> software??
> >
> Denise-
> Antigen is an antivirus engine that can scan all writes to the exchange
> information store (mailboxes, ect) in real-time, can scan inside the store
> (as a scheduled task, on demand, ect), and can scan and intercept messages
> being sent across the SMTP virt-server (incoming and outgoing) in real-time.
> since we have installed it and cleaned the information store for the first
> time, we have not had ANY viruses actually infect anyone's mailbox.
> everything has been stopped as incoming SMTP traffic.
> i dont know if there is any other solution out there that will work as well
> or better than antigen... because once i tried this, i stopped looking.  i
> highly recommend it.
> -matt
> PS> however, it does not intercept spam... unless it has a virus- heh heh.
> PS> also, i forgot to mention, antigen also has file filtering capability
> (block all .exe & .scr, ect), but we are not using it.  i do know some
> people that are, and i have heard that it works fine.
> --
> __________________________________________________________________
>  Matt Dillingham                        Systems Administrator II
>            University of Michigan, Bioinformatics

Other related posts: