Date: Wed, 31 Jul 2002 05:00:24 +0000 From: "Matthew Hanson" <[EMAIL PROTECTED]> Subject: RE: [LIB] Klez/etc
>From: Raymond <[EMAIL PROTECTED]> > >In fact, it just occurs to me, this virus isn't Outlook specific anyway. It >has it's own email sending code so once it infects a computer, it looks for >ALL address books regardless of if you use Outlook, Eudora, Netscape or any >webmail service (assuming you've got a cached local copy of your address >book) and spoofs one to send to the rest. Not only address books, it goes through many (all??) other of the system's files looking for email addresses: http://bulletin.ninemsn.com.au/bulletin/eddesk.nsf/All/A3D3842B1C03DC94CA256B640019A051 "Once Klez has infected you it scours your computer's hard drive looking for email addresses. The addresses don't need to be anywhere in particular; they might be in a word-processing document, a memo or even in your email address book." I wonder if Klez is gleaning email addresses from the temporary Internet files dir: C:\Windows\Temporary Internet Files For kicks I did a search on that folder and subs for my email address and came up with 65 results. I noticed that Hotmail leaves files there named: getmsg[#].html. So I did a search there for getmsg*.html, then sorted them by time/date, and came up with Hotmail messages from the list from the following list members: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Now I can reason out how my address and Ehud Barak’s email address may have been found on the same computer if Klez is able to go through more than just an email program’s files. Some NetVision user and list member could have been reading a local newspaper article online. S(M) _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com ************************************************************** http://libretto.basiclink.com - Libretto mailing list http://www.silverace.com/libretto/ - Archives -------TO UNSUBSCRIBE------- Reply to any of the list messages. The reply mail should be addressed to: [EMAIL PROTECTED] - Then replace any text on the message's subject line: cmd:unsubscribe --------TO UNSUBSCRIBE DIGEST------ Do above but with this on subject line: cmd:unsubscribe digest **************************************************************