Re: "Undelivered Mail..."
by "Mike" <ironmike(at)inav.net>
Date: Sun, 9 Jun 2002 20:40:31 -0500
To: "Techniques" <hwg-techniques(at)hwg.org>
References: o4u7d1
I'd like to make one thing clear: Klez does not always go about with the
".exe" extension. I currently have a sample from that same son-in-law with
".pif" and ".bat" and ".txt" extensions on the attachments. The first two
were a dead giveaway that something was wrong because he doesn't have enough
computer savvy to use these DOS extensions.

Three of the four samples I currently have with his email username have ISP
designations that I know for a certainty are not his -- another giveaway.

It has been suggested that all real emails between two infected systems
start with a known key phrase to verify the contents as a real message and
to identify emails with legitimate attachments. I don't know if this will
work or not, so I make no recommendation one way or another. It seems that
it might work in the short run, though....

All the samples of Klez I have seen on my computer have blank messages or
very short messages of the form:

    Try this. It's just
    what you need.

Very short, very square in appearance, and no signature. Again, that's just
my experience, not a rule.
Mike Hopkins
ironmike(at)inav.net
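As an added illustration (not part of Mike's message or the HWG archive), here is a small Python checker that turns the three giveaways he describes into mail-filtering signals: an attachment extension a non-technical contact would never send, a sender domain that is not the one that contact really uses, and a blank or very short body. The two sample messages and the KNOWN_CONTACTS address book are constructed for the example; only the standard library is used.

```python
import os
from email import message_from_string, policy
from email.utils import parseaddr
# Traits from the post: executable-style attachments, a sender domain the
# contact never uses, and a blank or very short body. Address book is constructed.
RISKY_EXTENSIONS = {".exe", ".pif", ".bat", ".scr"}
KNOWN_CONTACTS = {"son-in-law": "example.net"}  # local part -> real domain

def klez_signals(raw: str) -> list[str]:
    """Return the Klez-like traits found in one raw message (empty = nothing odd)."""
    msg = message_from_string(raw, policy=policy.default)
    signals = []
    # 1. Sender domain that does not match the one this contact really uses.
    _, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.rpartition("@")
    known = KNOWN_CONTACTS.get(local.lower())
    if known and domain.lower() != known:
        signals.append(f"sender domain {domain} is not {local}'s usual {known}")
    # 2. Attachment names ending in an extension the contact would not use.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            signals.append(f"risky attachment {name}")
    # 3. Blank or very short body, like "Try this. It's just what you need."
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body else ""
    if len(text.split()) <= 8:
        signals.append("blank or very short body")
    return signals

# Constructed sample resembling the worm mail described in the post.
SAMPLE_KLEZ = """\
From: son-in-law@other-isp.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Try this. It's just
what you need.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="setup.pif"

AAAA
--b1--
"""
# Constructed ordinary note from the same contact, which should raise no signal.
SAMPLE_LEGIT = ("From: son-in-law@example.net\nContent-Type: text/plain\n\n"
                "Hi Mike, are you still coming over on Saturday? Let me know what time works.\n")
```

Running `klez_signals(SAMPLE_KLEZ)` yields all three signals, while the ordinary note yields none; a `.txt` attachment like the one Mike mentions would not trip rule 2 on its own, which is why the sender-domain and body checks matter alongside it.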
HWG hwg-techniques mailing list archives,
maintained by Webmasters @ IWA