link to Home Page

Virus Forgery: KlezE, Ekern


On or about May 7, 2002 Nancy began receiving email from [email protected] to [email protected] with all the signatures of an email carrying the KlezE virus. Another clue that this is a forgery is the use of upper case. Mail from ZetaTalk under that email addy is always lower case, as [email protected]. These infected forgeries were never sent from the computer where email from Nancy is sent, nor has this computer ever been infected by:

KlezE
KlezH
EKern

This is a forgery, created by the virus which occasionally spoofs. Please use the Contact Nancy form, a link from the ZetaTalk home page, which does not allow attachments, to open a dialog with Nancy.

The W32.Klez.gen@mm virus has an ability to use an address other than 
the infected computer, thus making it impossible to tell the infected party 
that they are infected. The explanation from the Symantic website:

Some variants of this worm use a technique known as "spoofing." If it does 
this, it chooses at random an address that it finds on an infected computer 
as the "From:" address that it uses when it performs its mass-mailing 
routine. Numerous cases have been reported in which users of uninfected 
computers receive complaints that they have sent an infected message to 
someone else.
 
For example, Linda Anderson is using a computer that is infected with 
W32.Klez.E@mm; Linda is not using a antivirus program or does not have 
current virus definitions. When W32.Klez.gen@mm performs its emailing 
routine, it finds the email address of Harold Logan. It inserts Harold's 
email address into the "From:" line of an infected email that it then sends 
to Janet Bishop. Janet then contacts Harold and complains that he sent her 
infected email, but when Harold scans his computer, Norton AntiVirus does 
not find anything - as would be expected - because his computer is not infected.