On or about May 7, 2002 Nancy began receiving email from ZetaTalk@ZetaTalk.Com to ZetaTalk@ZetaTalk.Com with all the signatures of an email carrying the KlezE virus. Another clue that this is a forgery is the use of upper case. Mail from ZetaTalk under that email addy is always lower case, as firstname.lastname@example.org. These infected forgeries were never sent from the computer where email from Nancy is sent, nor has this computer ever been infected by:
This is a forgery, created by the virus which occasionally spoofs. Please use the Contact Nancy form, a link from the ZetaTalk home page, which does not allow attachments, to open a dialog with Nancy.
The W32.Klez.gen@mm virus has an ability to use an address other than the infected computer, thus making it impossible to tell the infected party that they are infected. The explanation from the Symantic website: Some variants of this worm use a technique known as "spoofing." If it does this, it chooses at random an address that it finds on an infected computer as the "From:" address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers receive complaints that they have sent an infected message to someone else. For example, Linda Anderson is using a computer that is infected with W32.Klez.E@mm; Linda is not using a antivirus program or does not have current virus definitions. When W32.Klez.gen@mm performs its emailing routine, it finds the email address of Harold Logan. It inserts Harold's email address into the "From:" line of an infected email that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her infected email, but when Harold scans his computer, Norton AntiVirus does not find anything - as would be expected - because his computer is not infected.