Date: Wed, 31 Jul 2002 05:00:24 +0000 From: "Matthew Hanson" <[EMAIL PROTECTED]> Subject: RE: [LIB] Klez/etc
>From: Raymond <[EMAIL PROTECTED]> > >In fact, it just occurs to me, this virus isn't Outlook specific anyway. It >has it's own email sending code so once it infects a computer, it looks for >ALL address books regardless of if you use Outlook, Eudora, Netscape or any >webmail service (assuming you've got a cached local copy of your address >book) and spoofs one to send to the rest. Not only address books, it goes through many (all??) other of the system's files looking for email addresses: http://bulletin.ninemsn.com.au/bulletin/eddesk.nsf/All/A3D3842B1C03DC94CA256B640019A051 "Once Klez has infected you it scours your computer's hard drive looking for email addresses. The addresses don't need to be anywhere in particular; they might be in a word-processing document, a memo or even in your email address book." I wonder if Klez is gleaning email addresses from the temporary Internet files dir: C:\Windows\Temporary Internet Files For kicks I did a search on that folder and subs for my email address and came up with 65 results. I noticed that Hotmail leaves files there named: getmsg[#].html. So I did a search there for getmsg*.html, then sorted them by time/date, and came up with Hotmail messages from the list from the following list members: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Now I can reason out how my address and Ehud Barak�s email address may have been found on the same computer if Klez is able to go through more than just an email program�s files. Some NetVision user and list member could have been reading a local newspaper article online. S(M) _________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com ************************************************************** http://libretto.basiclink.com - Libretto mailing list http://www.silverace.com/libretto/ - Archives -------TO UNSUBSCRIBE------- Reply to any of the list messages. The reply mail should be addressed to: [EMAIL PROTECTED] - Then replace any text on the message's subject line: cmd:unsubscribe --------TO UNSUBSCRIBE DIGEST------ Do above but with this on subject line: cmd:unsubscribe digest **************************************************************
