
Interesting Mystery concerning Email


kwagner_51
02-12-2003, 09:05 PM
Hi! I got an email from my father today, that he got from???. The From says it's from my sister, who shares the PC with my Dad. The email actually came from my sister-in-law in Florida. There was a doc. attached [Word]. When my Dad got this email there was a virus and it was cleaned up. He sent the email to me, because the names and addresses in the email are my husband's family.

I called my BIL to see how my Dad got the email. He thought he might have a virus because his PC kept freezing on him...and he got a blue screen of death.

Anyway, neither he nor my SIL know my father's address. I guess that they may have gotten Dad's email when I sent them an email over a yr. ago, with Dad's email address CC'ed. My BIL told me that the list was on the h/d of a PC that was NOT WORKING and wasn't even plugged in. He said that they did have some files transferred to the new PC but that he couldn't find the file that was mailed to my Dad. He also said that his wife had NEVER put the list in an email or as an attachment to an email.

My question is: Is there any way to find out who sent this email? Both my BIL and SIL insist that they didn't send it and have no idea how my Dad got it.

Any ideas?

Thanks!


Karen Wagner

mjc
02-12-2003, 09:56 PM
Sure sounds like it could be Klez (or one of about a dozen more......)

The problem with these kinds of emails is the source could actually be someone not connected with your family at all, or some relative that may have a copy of the list from over a year ago, etc.

Klez picks random files to attach to and then send (if it doesn't find something good it makes one up). Then it just spams your (infected machine's) address book.

Also it spoofs the from address.

Budfred
02-12-2003, 10:20 PM
If you haven't already done so, you probably need to check your own system. When the Klez or similar infections get into a system they send themselves out to all the addresses in the address book. Since you are apparently in their address book, you probably got sent a copy and if it infected your system, it could have then gone to your father if he is in your address book. Or it could have gone through another family member or friend who was in the infected computer's address book and also had your father's email address. Nasty stuff these viruses.....:mad: :(

kwagner_51
02-12-2003, 10:41 PM
I don't have the virus. I moved and changed my email. Dad's AVG [I have this AV too] caught it. So did his ISP AV. So we are both clean. I called family tonight after I figured out that he [BIL] had the virus and told them not to open any mails from him.


This is the IP address it came from: Is there a program I can use to see if it did come from my BIL?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

X-BLTSYMAVREINSERT: hbZfmUBK1T7tqWSs64VnXlDiDh0A


This message has been processed by Brightmail(TM) Anti-Virus using
Symantec's Norton AntiVirus Technology.

NOTICE: One or more files attached to this message were found to contain a malicious virus and have been removed by the Brightmail Anti-Virus Solution provided by TDS Internet Services.


For more information on anti-virus tips and technology, visit
http://www.brightmail.com/antivirus
Received: from [206.46.170.96] by bm4.mail.(bmifilter);
Wed, 12 Feb 2003 12:57:23 CST
Received: from Fcvfeap ([66.177.97.61]) by out018.verizon.net
(InterMail vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP
id <20030212185718.ZNTM11888.out018.verizon.net@Fcvfeap>
for Wed, 12 Feb 2003 12:57:18 -0600


Subject: Congratulations
MIME-Version: 1.0
Message-Id: <20030212185718.ZNTM11888.out018.verizon.net@Fcvfeap>
Date: Wed, 12 Feb 2003 12:57:22 -0600
Content-Type: multipart/alternative; x-avg-checked=avg-ok-65D87C21; boundary=LUOnJIB4vRY0piv4U9u32I656e


I removed my sister's and father's email addresses, other than that, this is what they got.

Thanks!

Paul Komski
02-13-2003, 07:34 PM
The problem is that if a computer has eMail addresses on it anywhere then the newer viruses will search for them (in address books, old messages, web pages, word documents, etc) and will harvest these not only to "send to" but also will use them to make it appear as if they came from one of them!! They spoof/lie/counterfeit who they "appear" to come from.

If you can't relate the IP address of the lowest-down "From:" address in the eMail's headers to a source known to you (very difficult since most ordinary users have dynamic IP addresses) there is no way of identifying which computer actually sent them.

To make this clear. You and I have, say, sent an eMail to X in Australia. X gets infected. The virus sends the infected mail to me but "says" that it comes from you.

Better than telling people to not open mails from someone is to use a personalised subject line that a virus would not have created.
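As an added illustration of the header reading Paul describes (this script is not from the thread or from any poster), here is a small Python routine that walks the Received: chain of a message and reports the bottom-most hop, the one closest to the machine that actually sent it. The sample headers are constructed for the example, modelled on the ones Karen quoted; the To/From addresses are placeholders, and the From: line is deliberately a different party from every Received: hop, which is exactly the mismatch a spoofing worm produces.

```python
import re
from email.parser import HeaderParser

# Constructed sample, modelled on the headers quoted in the thread.
# The To/From addresses are placeholders; the Received: lines keep the
# shape of the quoted ones (hostnames and IPs as they appear in the post).
SAMPLE_HEADERS = """\
Received: from [206.46.170.96] by bm4.mail.(bmifilter);
    Wed, 12 Feb 2003 12:57:23 CST
Received: from Fcvfeap ([66.177.97.61]) by out018.verizon.net
    (InterMail vM.5.01.05.20 201-253-122-126-120-20021101) with SMTP
    id <20030212185718.ZNTM11888.out018.verizon.net@Fcvfeap>
    for <dad@example.invalid>; Wed, 12 Feb 2003 12:57:18 -0600
From: sister@example.invalid
To: dad@example.invalid
Subject: Congratulations
Date: Wed, 12 Feb 2003 12:57:22 -0600
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # [a.b.c.d] as logged by the relay
CLAIMED_RE = re.compile(r"\s*from\s+(\S+)")            # name the sender announced (HELO)
BY_RE = re.compile(r"\bby\s+([^\s;]+)")                # relay that wrote the line


def received_chain(raw_headers):
    """Return the Received: hops, top to bottom, as dicts.

    claimed - the name the connecting host announced, or None
    ip      - the address the receiving relay actually saw, or None
    by      - the relay that added this Received: line
    Relays prepend their line, so index 0 is the last hop and the final
    element is the hop nearest the originating machine.
    """
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received") or []:
        claimed = CLAIMED_RE.match(value)
        claimed = claimed.group(1) if claimed else None
        if claimed and claimed.startswith("["):
            claimed = None  # a bare [ip] means no name was announced
        ip = IP_RE.search(value)
        by = BY_RE.search(value)
        hops.append({
            "claimed": claimed,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return hops


def origin_ip(raw_headers):
    """IP recorded in the bottom-most Received: line.

    This is the address the first relay saw the mail arrive from. Only
    lines added by relays you trust are reliable; anything the sending
    machine wrote itself (including From:) can be forged.
    """
    hops = received_chain(raw_headers)
    return hops[-1]["ip"] if hops else None


def summarize(raw_headers):
    """Human-readable trace of the hops plus the From: line for comparison."""
    msg = HeaderParser().parsestr(raw_headers)
    lines = []
    for n, hop in enumerate(received_chain(raw_headers)):
        lines.append("hop %d: %s announced as %r, received by %s"
                     % (n, hop["ip"], hop["claimed"], hop["by"]))
    lines.append("From: header claims %s (not evidence of the sender)"
                 % msg.get("From"))
    lines.append("origin candidate: %s" % origin_ip(raw_headers))
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_HEADERS):
        print(line)
```

On the constructed sample the origin candidate is 66.177.97.61, handed to out018.verizon.net by a host that announced itself only as "Fcvfeap". As Paul notes, that is normally a dynamic address: a WHOIS lookup tells you which ISP owned it on that date, and only that ISP's logs for 12:57 CST could tie it to a particular subscriber. The From: line plays no part in the trace at all, which is why a worm can put any harvested address there.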