Infected Emails Forge Their Origin
A customer alerted us that an email message with the word "SUCCESS" in the subject line, which appeared to originate from
WiNRADiO, contained a virus in its attachment. We were rather surprised by this, because we have never sent such a message to this customer.
We also never send out any unsolicited mailings, and all our computer systems are protected by
the latest antivirus software.
After checking our email logs, a curious picture emerged: while we have been receiving various virus-infested messages
frequently and regularly, there appears to have been a spate of attacks by one particular type of nasty virus, which appears to be spreading by email
within the radio community: manufacturers, dealers, radio stations and radio operators.
Checking our logs, we found that our virus protection software recently identified and quarantined several such virus attacks,
all appearing to have arrived from various other radio manufacturers, dealers, radio operators or broadcasters.
Here are a few examples:
From: sales@tentec.com
To: sales@winradio.net.au
Date: Mon, 25 Mar 2002 00:21:42 -0500 (EST)
Subject: Have a humour Lady Day
----------------------------------------------------------------------------
This file: "Unknown05b6.data" was infected with the: "W32.Klez.E@mm" virus.
The file was quarantined by Norton AntiVirus. Monday, March 25, 2002 16:57
From: denverradio@dejazzd.com
To: sales@winradio.net.au
Date: Wed, 27 Mar 2002 23:09:12 -0500 (EST)
Subject: Border
----------------------------------------------------------------------------
This file: "Unknown05be.data" was infected with the: "W32.Klez.E@mm" virus.
The file was quarantined by Norton AntiVirus. Thursday, March 28, 2002 15:58
From: info@aoruk.com
To: sales@winradio.net.au
Date: Fri, 29 Mar 2002 04:08:38 -0500 (EST)
Subject: Target
----------------------------------------------------------------------------
This file: "Unknown0588.data" was infected with the: "W32.Klez.E@mm" virus.
The file was quarantined by Norton AntiVirus. Friday, March 29, 2002 20:25
From: grundig@grundig.co.uk
To: sales@winradio.net.au
Date: Sun, 31 Mar 2002 15:43:41 -0500 (EST)
Subject: Vickers
----------------------------------------------------------------------------
This file: "Unknown0573.data" was infected with the: "W32.Klez.E@mm" virus.
The file was quarantined by Norton AntiVirus. Monday, April 01, 2002 09:21
At first glance, it looked as if we were under a massive co-ordinated attack by our competitors!
But of course we dismissed such a crazy idea quickly; relationships in the radio industry are usually very cordial and respectful.
Nevertheless, we did advise the suspected "senders" that we had received these messages and suggested they check their
email systems for viruses.
And then even stranger things started to happen: we started receiving messages from various servers stating that our own
virus-infected messages (which we never sent) had been rejected by those servers:
From: postmaster@accir.com
To: info@winradio.net.au
Date: Thu, 18 Apr 2002 09:24:08 +0430
Subject: MDaemon Warning - Virus Found
--
The following message had attachment(s) which contained viruses:
From : info@winradio.net.au
To : para@accir.com
Subject : RGLDINSERT end
Date : Thu, 18 Apr 2002 13:53:27 +0800 (CST)
Message-ID: <200204180553.NAA10411@msr.hinet.net>
Attachment Virus name Action taken
---------------------------------------------------------------------------
cf1090611200.att Exploit.IFrame.FileDownload Removed
From: NAVMSE-SERVER3@icomuk.co.uk
To: sales@winradio.net.au
Date: Sat, 30 Mar 2002 02:04:42 -0000
Subject: Norton AntiVirus detected a virus in a message you sent.
---------------------------------------------------------------------------
Recipient of the infected attachment: icomsales\Inbox
Subject of the message: Japanese girl VS playboy
One or more attachments were quarantined.
Attachment cat[2].bat was Quarantined for the following reasons:
Virus W32.Klez.E@mm was found.
This explained the situation: the Klez virus is a particularly nasty and deceptive one, which forges the sender's address.
The recipients of such emails might easily be misled into believing they are receiving
virus-infected email messages from WiNRADiO (or other radio manufacturers), even though such messages
originated somewhere else.
The virus apparently makes up various combinations of "sender" and "recipient" addresses using the email address
book on the infected computer. It exploits a vulnerability in Microsoft Outlook, and Microsoft has released a patch
to remove this vulnerability.
One of the messages we received had a bit more information in its message header than the previous ones:
From: postmaster@winradio.net.au
To: sales@winradio.net.au
Date: Thu, 4 Apr 2002 00:05:33 -0500 (EST)
Subject: Returned mail--"border"
Received: by interconnect.com.au (mbox winradio) (with Cubic Circle's cucipop
(v1.31a 1998/05/13) Thu Apr 4 16:21:37 2002)
X-From_: info@grundig.de Thu Apr 4 15:50:48 2002
Return-Path: info@grundig.de
Delivered-To: winradio@interconnect.com.au
Received: from rly-ip01.mx.aol.com (rly-ip01.mx.aol.com [205.188.156.49]) by
entoo.connect.com.au (Postfix) with ESMTP id 42453F7568 for sales@winradio.net.au>
Thu, 4 Apr 2002 15:32:39 +1000 (EST)
Received: from logs-tq.proxy.aol.com (logs-tq.proxy.aol.com [152.163.201.5]) by
rly-ip01.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id AAA08870 for
sales@winradio.net.au; Thu, 4 Apr 2002 00:07:23 -0500 (EST)
Received: from Tikgtev (AC9ED9E1.ipt.aol.com [172.158.217.225]) by logs-tq.proxy.aol.com
(8.10.0/8.10.0) with SMTP id g3455Wh417006 for sales@winradio.net.au;
Thu, 4 Apr 2002 00:05:33 -0500 (EST)
Message-Id: 200204040505.g3455Wh417006@logs-tq.proxy.aol.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=H08p6D4i5SIw8c
X-Apparently-From: W5tw@aol.com
Sender: info@grundig.de
Note the forged "sender" is info@grundig.de, again a major radio manufacturer in Germany, and the "X-Apparently-From:"
is what appears to be an email address of a ham radio operator (call sign W5TW).
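As an added illustration (not part of the original article or of WiNRADiO's own tooling), the Python snippet below walks the Received: chain of the message above and compares the first-hop host with the sender domains the message claims about itself. The header sample is rebuilt from the quoted bounce with the folded Received: lines joined and the local POP/Delivered-To lines omitted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers rebuilt from the bounced message quoted above (folded lines joined,
# local delivery hops omitted). Constructed sample for this example.
SAMPLE = (
    "Return-Path: info@grundig.de\n"
    "Received: from rly-ip01.mx.aol.com (rly-ip01.mx.aol.com [205.188.156.49])"
    " by entoo.connect.com.au (Postfix) with ESMTP id 42453F7568"
    " for <sales@winradio.net.au>; Thu, 4 Apr 2002 15:32:39 +1000 (EST)\n"
    "Received: from logs-tq.proxy.aol.com (logs-tq.proxy.aol.com [152.163.201.5])"
    " by rly-ip01.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id AAA08870"
    " for sales@winradio.net.au; Thu, 4 Apr 2002 00:07:23 -0500 (EST)\n"
    "Received: from Tikgtev (AC9ED9E1.ipt.aol.com [172.158.217.225])"
    " by logs-tq.proxy.aol.com (8.10.0/8.10.0) with SMTP id g3455Wh417006"
    " for sales@winradio.net.au; Thu, 4 Apr 2002 00:05:33 -0500 (EST)\n"
    "X-Apparently-From: W5tw@aol.com\n"
    "Sender: info@grundig.de\n\n"
)

RECEIVED_FROM = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claimed_domains(msg):
    """Domains the message asserts about itself; Klez forges all of these."""
    return {domain_of(msg[h]) for h in ("Return-Path", "Sender", "From") if msg[h]}


def origin_hop(msg):
    """HELO name, reverse DNS and IP from the earliest Received: line. Relays
    prepend Received:, so the last one is the first hop; trust only hops
    stamped by relays you trust, since earlier ones can be fabricated too."""
    received = msg.get_all("Received") or []
    m = RECEIVED_FROM.search(received[-1]) if received else None
    if not m:
        return None
    comment = m.group(2) or ""
    ip = IPV4.search(comment)
    rdns = comment.split()[0].lower() if comment and not comment.startswith("[") else ""
    return {"helo": m.group(1), "rdns": rdns, "ip": ip.group(1) if ip else ""}


def check_origin(raw):
    """'forged_suspected' is True when no claimed domain matches the first hop."""
    msg = message_from_string(raw)
    claimed, origin = claimed_domains(msg), origin_hop(msg)
    rdns = origin["rdns"] if origin else ""
    ok = any(rdns == d or rdns.endswith("." + d) for d in claimed if d)
    return {"claimed": claimed, "origin": origin, "forged_suspected": not ok}
```

For the quoted message the claimed domain is grundig.de while the first hop is an AOL dial-up host, which is exactly the mismatch the article points out.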
Several virus-infested emails we have received contained the following "helpful" message:
Klez.E is the most common world-wide spreading worm.It's very dangerous by corrupting
your files.
Because of its very smart stealth and anti-anti-virus technic,most common AV software
can't detect or clean it.
We developed this free immunity tool to defeat the malicious virus.
You only need to run this tool once,and then Klez will never come into your PC.
NOTE: Because this tool acts as a fake Klez to fool the real worm,some AV monitor maybe
cry when you run it.
If so,Ignore the warning,and select 'continue'.
If you have any question,please email to Dores@datafab.com.
The bad grammar alone should warn you not to proceed, but if you are foolish enough to click on the attachment and ignore the "cry of your AV monitor", then
you will surely cry at the result: a malicious virus infection of your computer.
Protecting yourself against virus attacks by running the latest anti-virus applications is of course always the best solution. Beyond that,
always be wary of opening any attachments, especially executables and scripts arriving unsolicited.
Be assured that WiNRADiO internal computer systems are continually checked for viruses using the latest virus detection software,
and that WiNRADiO never sends out unsolicited email messages. The only way you may receive an email message from WiNRADiO is
as a response to your own enquiry, or if you have properly subscribed to the WiNRADiO newsletter.
We make every effort to ensure that such messages are virus-free.