
YSK and A Good Tool
No one is particularly targeting KOREAN-WAR-L

The message you received was one of the Klez family of Internet worms - a
worm is a virus that sends mass mailings of itself from a machine that it
has infected.

The Klez worm, once it has infected a machine, gathers all of the e-mail
addresses it finds - not just the address book, but e-mail files, RFCs,
addresses from pages stored in the web browser cache and anywhere else in
the machine. It takes one of these addresses at random and places it
on the FROM: line, and then composes a subject line from its store of
phrases and words. 

This is a particularly interesting operation. Klez contains several
phrases such as "a BLANK BLANK. BLANK it." It then takes words at random
to fit into the blanks, so that it can get "a new site. enjoy it", "a good
tool. use it", "a new site. see it," and so forth.

Some of the more recent Klez worms then take a few lines from a piece of
e-mail to place at the beginning of the text area. When Klez has completed
its preparations, it then sends copies of the fabricated message, which
includes a copy of itself as an attachment, to all of the addresses it has
collected. It also has its own mailer program so that it can generate
fictitious servers of origin that manage to fool the relayers into accepting
the mass mailings as genuine Internet point-to-point traffic.

When a Klez worm infects a machine that has stored the addresses of both
KOREAN-WAR-L and a member of this list, _and_ chooses the address of the
list member to place on the FROM: line of its mass mailing, one copy goes
to KOREAN-WAR-L. listproc (which has been, unfortunately and for some
unknown reasons, left unprotected by an AV program) accepts it as genuine
and distributes it to list members. That's what happened with the message
that claimed to be from YSK.

Geez! What will they think of next?

Lynn
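An added example, not part of Lynn's message and not code from listproc: a
small Python filter that a list server could run before distributing a
message. It implements the point made above that a subscriber's address on
the FROM: line proves nothing, since the worm picks that address from what it
harvested, so the filter checks content (the "a BLANK BLANK. BLANK it" subject
template and executable attachments) regardless of who the sender appears to
be. The addresses, the subscriber roster, the sample messages and the list of
attachment extensions are constructed for the example and are assumptions,
not details from the post.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Subject template described in the post: "a BLANK BLANK. BLANK it."
# Any word is accepted in a blank, since the worm fills them at random.
KLEZ_SUBJECT = re.compile(r"^a \w+ \w+\. \w+ it$", re.IGNORECASE)

# Assumption: a list administrator's policy for attachment types that a
# discussion list should never relay. The post does not list extensions.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com")

# Constructed subscriber roster (hypothetical addresses).
SUBSCRIBERS = {"member@example.org", "ysk@example.org"}


def has_executable_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename with an executable extension."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXTENSIONS):
            return True
    return False


def classify(raw: str, subscribers: set) -> dict:
    """Decide whether a raw message may be distributed to the list.

    The From: line is not treated as proof of origin: the worm picks it from
    harvested addresses, so content checks run even for subscribed senders.
    """
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    subject = (msg.get("Subject") or "").strip()

    reasons = []
    if from_addr not in subscribers:
        reasons.append("sender not subscribed")
    if KLEZ_SUBJECT.match(subject):
        reasons.append("subject matches Klez template")
    if has_executable_attachment(msg):
        reasons.append("executable attachment")

    return {"from": from_addr, "subject": subject,
            "accept": not reasons, "reasons": reasons}


# Constructed sample: a Klez-style posting. From: is a subscriber's address,
# the subject is one the post quotes, and an attachment is present (the
# base64 is placeholder text, not an executable).
KLEZ_SAMPLE = """\
From: member@example.org
To: korean-war-l@example.edu
Subject: a good tool. use it
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep42"

--sep42
Content-Type: text/plain

a good tool. use it
--sep42
Content-Type: application/octet-stream; name="tool.exe"
Content-Disposition: attachment; filename="tool.exe"
Content-Transfer-Encoding: base64

UGxhY2Vob2xkZXIsIG5vdCBhbiBleGVjdXRhYmxl
--sep42--
"""

# Constructed sample: an ordinary list posting from the same subscriber.
LEGIT_SAMPLE = """\
From: member@example.org
To: korean-war-l@example.edu
Subject: Re: 1st Cavalry at Unsan
Content-Type: text/plain

Does anyone have a source for the regiment's positions on 1 November?
"""

# Constructed sample: clean content, but the sender is not on the roster.
OUTSIDER_SAMPLE = """\
From: stranger@example.net
To: korean-war-l@example.edu
Subject: hello
Content-Type: text/plain

just saying hello
"""

if __name__ == "__main__":
    for raw in (KLEZ_SAMPLE, LEGIT_SAMPLE, OUTSIDER_SAMPLE):
        print(classify(raw, SUBSCRIBERS))
```

The subject pattern on its own is only a heuristic and will occasionally
match a genuine subject; in practice the attachment check carries the weight,
and a list that relays no executables is protected even when the worm's
phrase list changes.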