E-mail Spoofing Viruses
From Symantec Norton Antivirus
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html

This is a description of how some viruses send messages, with the virus attached, from YOUR PC to other people without your knowing it. If your PC has a virus that does "e-mail spoofing", it can send a message to someone you do not know and make it appear to come from a third person you also do not know. The example here, the W32.Klez.H@mm virus, is one of the most common viruses I have seen recently on PCs in our area. The suffix @mm on the end of a virus name means it is a "mass-mailing" virus.

These viruses search your address book and local files for e-mail addresses. They may also find and use addresses on web pages you looked at recently, which are stored on your PC in the Temporary Internet Files folder. The virus then sends a message to each of those addresses with a copy of itself as an attachment. The subject line, message body, and attachment file name are random, so no single subject line identifies the virus.

Many viruses have this capability. The one described here, discovered in April 2002, is one of the most common. After reading the summary below, if you want more details, click on the Symantec link above.

In addition to keeping your antivirus software updated, I recommend setting the Internet Explorer Temporary Internet Files size to about 5 MB and, in the Advanced section, checking the box to "empty temporary internet files on exit". A small cache that is emptied regularly leaves fewer harvested addresses on the PC for a virus of this kind to mail itself to.

These viruses often use a technique known as "spoofing". When the virus performs its e-mail routine, it can take any address it finds on the infected computer and put it in the "From:" line of the messages it sends. Numerous cases have been reported in which users of uninfected computers received complaints that they had sent an infected message to someone else.

For example, Linda Anderson is using a computer that is infected with W32.Klez.H@mm. Linda is not using an antivirus program, or her virus definitions are out of date. When the W32.Klez.H@mm virus performs its e-mailing routine, it finds the e-mail address of Harold Logan on Linda's PC. It inserts Harold's address into the "From:" line of an infected message that it then sends to Janet Bishop. Janet contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus finds nothing, as would be expected, because his computer is not infected.

There have been several reports that, in some cases, a message the virus sends using its own SMTP engine appears to be a "postmaster bounce message" from your own domain. For example, if your e-mail address is jsmith@anyplace.com, you could receive a message that appears to be from postmaster@anyplace.com, telling you that a message you sent could not be delivered. When this is the false bounce sent by the virus, the attachment is the virus itself. Such attachments should never be opened: a genuine non-delivery report from your mail server returns your own message, it does not ask you to run an attached program.

The message may also be disguised as an "immunity tool". One version of this false message reads as follows:

"Klez.E is the most common world-wide spreading worm. It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.

NOTE: Because this tool acts as a fake Klez to fool the real worm, some AV monitor maybe cry when you run it. If so,Ignore the warning,and select 'continue'. If you have any question,please mail to me.
"

If the message is opened in an unpatched version of Microsoft Outlook or Outlook Express, the attachment may be executed automatically, and you would get the virus without ever choosing to run anything. Information about this vulnerability in Outlook and Outlook Express, and the security patch for it, are available at:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Many Internet providers no longer pass attachments that could be viruses through their e-mail systems. Files whose names end in .EXE, .PIF, .SCR, .DLL or .COM, for example, are stripped from the message, and the user receives the e-mail without the attachment. If the message contained no text, it arrives as a blank message.

Messages sent by viruses that use e-mail spoofing can be detected by looking at the message header. In the example below, the very last line of the header reads "X-Apparently-From: TINA55@aol.com": that is the account that REALLY sent the message and HAS the virus. Higher up, the "From:" line shows a different user, Beespike99@aol.com, and the "Return-Path:" line shows yet another, bush77@verizon.net. A REPLY to the message would go to the "From:" address, Beespike99@aol.com; a non-delivery report (bounce) would go to the "Return-Path:" address, bush77@verizon.net. Neither of those two has a virus. Unless you look in the header, you only see who the message APPEARS to be from, not who it REALLY is from.

Two things to keep in mind when reading headers. First, "X-Apparently-From:" is not a standard header; it was added here by the sender's own provider, AOL, when the infected PC sent the message through AOL's network, so messages that arrive through other providers will not carry it. What every message does carry is the chain of "Received:" lines. Each mail server adds one at the top as the message passes through, so reading them from the bottom up traces the message back to its origin: in the example, the first hop is "from Posu (ACA5E712.ipt.aol.com [172.165.231.18])", an AOL customer connection, which is the infected machine. Second, the "From:" line, the "Return-Path:" line and the sender's display name are all supplied by the sending program and can be set to anything, and a sender can even append fake "Received:" lines of its own at the bottom. Read the chain downward from your own server's line and trust it only as far as servers you know.

(The e-mail addresses in the example were changed to protect the actual owners; otherwise this is a real example. The other addresses below are part of the e-mail routing systems and are not actual mailboxes.)

Message Header Example, sent by an e-mail spoofing virus:
 
Return-Path: <cyrus@grampa.ntelos.net>
X-Sieve: cmu-sieve 2.0
Return-Path: <bush77@verizon.net>
Received: from mailrtr05.ntelos.net (mailrtr05.ntelos.net [216.12.0.105])
    by grampa.ntelos.net (8.12.1/8.12.1) with ESMTP id gAINSZkk032537
    for <llewis@grampa.ntelos.net>; Mon, 18 Nov 2002 18:28:35 -0500
Received: from rly-ip03.mx.aol.com (rly-ip03.mx.aol.com [64.12.138.7])
    by mailrtr05.ntelos.net (8.12.2/8.12.2) with ESMTP id gAINSZJH007907
    for <larry222@bhsbees.com>; Mon, 18 Nov 2002 18:28:35 -0500
Received: from logs-mtc-tl.proxy.aol.com (logs-mtc-tl.proxy.aol.com [64.12.107.135])
    by rly-ip03.mx.aol.com (v89.10) with ESMTP id RELAYIN1-1118182818;
    Mon, 18 Nov 2002 18:28:18 -0400
Received: from Posu (ACA5E712.ipt.aol.com [172.165.231.18])
    by logs-mtc-tl.proxy.aol.com (8.10.0/8.10.0) with SMTP id gAINMEM87146
    for <larry222@bhsbees.com>; Mon, 18 Nov 2002 18:22:15 -0500 (EST)
Date: Mon, 18 Nov 2002 18:22:15 -0500 (EST)
Message-Id: <200211182322.gAINMEM87146@logs-mtc-tl.proxy.aol.com>
From: Beespike99 <Beespike99@aol.com>
To: larry222@bhsbees.com
Subject: 03h in Msvfw32.dll.
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=UgC8092lRX957t41B24fw12c3Xo812
X-Apparently-From: TINA55@aol.com
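To show how the header above is read in practice, here is an added example (not code from the Symantec write-up or from any mail product) that parses that same header, with the addresses as the article altered them and the folded continuation lines indented, and reports where a reply and a bounce would go and at which hop the message actually entered the mail system.

```python
"""Trace the article's header example back to the machine that sent it.

Added example for this page; not Symantec's code or any mail program's.
It parses the header shown above (addresses as the article altered them,
folded continuation lines indented) and reports where a reply and a
bounce would go and at which hop the message really entered the system.
"""
import email
import email.utils
import re

# The header block from the article; only the folding indentation is new.
SAMPLE = """\
Return-Path: <cyrus@grampa.ntelos.net>
X-Sieve: cmu-sieve 2.0
Return-Path: <bush77@verizon.net>
Received: from mailrtr05.ntelos.net (mailrtr05.ntelos.net [216.12.0.105])
    by grampa.ntelos.net (8.12.1/8.12.1) with ESMTP id gAINSZkk032537
    for <llewis@grampa.ntelos.net>; Mon, 18 Nov 2002 18:28:35 -0500
Received: from rly-ip03.mx.aol.com (rly-ip03.mx.aol.com [64.12.138.7])
    by mailrtr05.ntelos.net (8.12.2/8.12.2) with ESMTP id gAINSZJH007907
    for <larry222@bhsbees.com>; Mon, 18 Nov 2002 18:28:35 -0500
Received: from logs-mtc-tl.proxy.aol.com (logs-mtc-tl.proxy.aol.com [64.12.107.135])
    by rly-ip03.mx.aol.com (v89.10) with ESMTP id RELAYIN1-1118182818;
    Mon, 18 Nov 2002 18:28:18 -0400
Received: from Posu (ACA5E712.ipt.aol.com [172.165.231.18])
    by logs-mtc-tl.proxy.aol.com (8.10.0/8.10.0) with SMTP id gAINMEM87146
    for <larry222@bhsbees.com>; Mon, 18 Nov 2002 18:22:15 -0500 (EST)
Date: Mon, 18 Nov 2002 18:22:15 -0500 (EST)
Message-Id: <200211182322.gAINMEM87146@logs-mtc-tl.proxy.aol.com>
From: Beespike99 <Beespike99@aol.com>
To: larry222@bhsbees.com
Subject: 03h in Msvfw32.dll.
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary=UgC8092lRX957t41B24fw12c3Xo812
X-Apparently-From: TINA55@aol.com
"""

# "from <helo> (<what the server saw>) by <server>" is the part of a
# Received: line every server writes; the rest varies with the software.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the sending host announced
    r"(?:\s+\((?P<seen>[^)]*)\))?"     # reverse DNS and [IP] the server saw
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into helo, rdns, ip and receiving server."""
    text = " ".join(value.split())     # undo header folding
    m = RECEIVED_RE.search(text)
    if not m:
        return None                    # unparseable line: skip it, never trust it
    seen = m.group("seen") or ""
    ip = IP_RE.search(seen)
    return {
        "helo": m.group("helo"),
        "rdns": seen.split()[0] if seen and not seen.startswith("[") else None,
        "ip": ip.group(1) if ip else None,
        "by": m.group("by"),
    }


def analyze(raw):
    """Where a reply and a bounce would go, and the hop the message entered at."""
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()   # each server prepends its line, so the bottom one is hop 1
    return {
        "reply_goes_to": email.utils.parseaddr(msg.get("From", ""))[1],
        "bounce_goes_to": [email.utils.parseaddr(v)[1]
                           for v in msg.get_all("Return-Path", [])],
        "apparently_from": msg.get("X-Apparently-From"),
        "origin": hops[0] if hops else None,
        "relays": [h["by"] for h in hops],
    }


def mismatches(result):
    """Every address in the header that disagrees with the displayed From:."""
    shown = result["reply_goes_to"].lower()
    found = [("Return-Path", a) for a in result["bounce_goes_to"] if a.lower() != shown]
    apparently = result["apparently_from"]
    if apparently and apparently.lower() != shown:
        found.append(("X-Apparently-From", apparently))
    return found


if __name__ == "__main__":
    r = analyze(SAMPLE)
    print("reply goes to  :", r["reply_goes_to"])
    print("bounces go to  :", ", ".join(r["bounce_goes_to"]))
    print("entered mail at:", r["origin"])
    print("relayed through:", " -> ".join(r["relays"]))
    for header, addr in mismatches(r):
        print("disagrees with From:", header, addr)
```

Run it and the first hop comes out as Posu (ACA5E712.ipt.aol.com [172.165.231.18]) handed to logs-mtc-tl.proxy.aol.com, in agreement with the X-Apparently-From line. The two Return-Path lines are reported together because the first appears to have been added by the local delivery agent (cyrus) on the receiving server and only the second is the SMTP envelope sender. The regular expression covers the "from ... by ..." clause every server writes and not the software-specific remainder; a line it cannot parse is skipped rather than trusted.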
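The provider-side attachment stripping described above, as an added example (not a real provider's filter and not from the Symantec write-up): it drops attachments whose names end in the suffixes listed, recursing into nested MIME parts, and shows that a message that was nothing but an attachment arrives blank. The sample messages and the attachment bytes are constructed here; the header addresses are the ones from the article's example.

```python
"""Strip executable attachments the way the providers described above do.

Added example for this page, not a provider's real filter. The messages
it runs on are constructed here; the suffix list is the article's.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Suffixes the article says providers strip. Assumptions made here: the
# check is case-insensitive and looks only at the final suffix, so a
# double extension such as "readme.txt.pif" is still blocked.
BLOCKED_SUFFIXES = {".exe", ".pif", ".scr", ".dll", ".com"}


def is_blocked(filename):
    if not filename:
        return False
    return os.path.splitext(filename)[1].lower() in BLOCKED_SUFFIXES


def _prune(part, removed):
    """Drop blocked attachments from a MIME tree, recursing into nested multiparts."""
    if not part.is_multipart():
        return part
    kept = []
    for sub in part.iter_parts():
        name = sub.get_filename()
        if is_blocked(name):
            removed.append(name)
        else:
            kept.append(_prune(sub, removed))
    part.set_payload(kept)
    return part


def strip_executables(raw):
    """Return (cleaned message, names of the attachments removed)."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not msg.is_multipart():
        if not is_blocked(msg.get_filename()):
            return msg, []        # ordinary text message, nothing to do
        msg.make_mixed()          # a lone attachment: wrap it so _prune can drop it
    removed = []
    return _prune(msg, removed), removed


def visible_text(msg):
    """The text the recipient sees, or "" for the blank message the article describes."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content().strip() if body else ""


def deliver(raw):
    """Simulate the provider: (text shown to the user, stripped filenames)."""
    msg, removed = strip_executables(raw)
    return visible_text(msg), removed


def build_sample(text, filename, payload=b"MZ\x90\x00 constructed bytes, not a real program"):
    """Constructed test message: optional text body plus one attachment."""
    m = EmailMessage()
    m["From"] = "Beespike99@aol.com"   # addresses as in the article's example
    m["To"] = "larry222@bhsbees.com"
    m["Subject"] = "03h in Msvfw32.dll."
    if text is None:                   # attachment only, no text at all
        m.set_content(payload, maintype="application", subtype="octet-stream",
                      filename=filename)
    else:
        m.set_content(text)
        m.add_attachment(payload, maintype="application", subtype="octet-stream",
                         filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(deliver(build_sample("Please run the attached tool.", "immunity.EXE")))
    print(deliver(build_sample(None, "readme.txt.pif")))   # arrives blank
    print(deliver(build_sample("see attached", "notes.txt")))
```

The filter keys on the file name only, as the article describes; it says nothing about what the bytes are, so an executable renamed to .TXT passes, which is why the suffix list is a convenience for the provider and not a substitute for keeping antivirus definitions current.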