RE: Virus - Mass Mailing
It's most likely Klez. When a computer is infected, it will grab an email addy out of the infected machine's address book, then send the virus with that person's addy in the From field. So it looks like it came from somewhere else. The headers tell the truth, though.

We get a couple of complaints each week.

-----Original Message-----
From: sui seto [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 17, 2002 9:57 PM
To: MS-Exchange Admin Issues
Subject: Virus - Mass Mailing

Hi All,

I have a user who resigned a couple of months ago, and I disabled his account on NT and removed his SMTP address from the system (for example, [EMAIL PROTECTED]). One day, he called telling me that his friend received an email from him (from the address [EMAIL PROTECTED]) and that email was infected with a virus. He asked me why this happened. I don't know the answer. His account has been disabled and his email account ([EMAIL PROTECTED]) has also been deleted from the system (we are using Exchange 5.5). Is this something to do with mass mailing by the virus? In other words, if a PC is infected with an email virus and my user's email address is in the address book, the virus will impersonate my user using his address, e.g. [EMAIL PROTECTED], and send a virus-infected email to other people in the address book. Is this possible? I am confused.

Thanks for your information.

Sui

List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm
RE: Virus - Mass Mailing
Thanks Martin.

How about the To field? Will the virus grab the address from the same address book (randomly) and put it in the To field? That is what I am curious to know. I already asked the user to send me the email if it has not been deleted.

Sui
RE: Virus - Mass Mailing
Yes.

-----Original Message-----
From: sui seto [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 18, 2002 9:41 AM
To: MS-Exchange Admin Issues
Subject: RE: Virus - Mass Mailing
RE: Virus - Mass Mailing
Klez grabs from ABs and Temp Internet Files.

-----Original Message-----
From: William Lefkovics [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 18, 2002 01:05
To: MS-Exchange Admin Issues
Subject: RE: Virus - Mass Mailing

Could be a few things. Some viruses klez the sender's address. Also, I can send email to you from him too. The full headers are needed from him to explain further.
RE: Virus - Mass Mailing
Yep. It then sends to everyone in the user's contacts folder.

-----Original Message-----
From: sui seto [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 18, 2002 6:41 AM
To: MS-Exchange Admin Issues
Subject: RE: Virus - Mass Mailing
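Added example, not part of the thread or written by any of its posters: the replies above say the full headers show where a Klez-style message really came from, and this sketch reads the Received chain of a constructed message and compares it with the From address. The sample message, the host names, the function names and the idea of a `trusted_mtas` set are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every host, address and IP below is made up
# (example.* domains and documentation IP ranges).
RAW = """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
    by mx.example.net with ESMTP id A1; Tue, 18 Jun 2002 09:12:01 -0700
Received: from Ksrwq (dialup-44.example.org [192.0.2.44])
    by mail.example.org with SMTP id B2; Tue, 18 Jun 2002 09:11:58 -0700
From: Former User <former.user@example.com>
To: friend@example.net
Subject: constructed sample

body
"""

HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def received_hops(msg):
    """Received hops, newest first, as dicts with helo, rdns, ip, by."""
    found = (HOP.search(v) for v in msg.get_all("Received", []))
    return [m.groupdict() for m in found if m]

def analyze(raw, trusted_mtas):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(msg)
    # Only lines stamped by servers we trust are reliable; anything older
    # was supplied by the sending side and may itself be forged.
    handoff = None
    for hop in hops:
        if hop["by"].lower() not in trusted_mtas:
            break
        handoff = hop
    hosts = {h[k].lower() for h in hops for k in ("rdns", "by")}
    in_path = any(x == from_domain or x.endswith("." + from_domain)
                  for x in hosts)
    return {
        "from_domain": from_domain,
        "handoff_ip": handoff["ip"] if handoff else None,
        "earliest_claimed_ip": hops[-1]["ip"] if hops else None,
        # Heuristic only: a False here means no relay belongs to the
        # From domain, which is what a forged From looks like.
        "from_domain_in_path": in_path,
    }
```

Calling `analyze(RAW, {"mx.example.net"})` reports the IP that the trusted server recorded at handoff separately from the older, unverified hop, so the address to follow up on is the one your own server stamped.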