I got a message titled ‘Welcome to my hometown’ today; there wasn’t a virus attached because my mail server automatically deletes suspicious attachments (and I have secondary precautions in place anyway).
The message is claiming to be from me though (my personal email address), addressed to my business address.
You probably can’t. Klez chooses an e-mail address at random for the From: field, so that’s no help.
You can check the headers and see what domain it originated with. But it’s likely that’ll only tell you it came from aol.com or some sort and make it impossible to pinpoint it further.
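The header check suggested above, as an added example that is not part of the original thread: it walks the Received: chain of a constructed Klez-style message (sample headers, host names and addresses are all made up here) to find the first relay that saw the message, and compares that with the From: address, which the worm fills from harvested addresses and which therefore says nothing about the real origin. The last-two-labels domain rule is a deliberate simplification.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not a real capture) modelled on the behaviour described in the thread:
# From:/To:/Reply-To: carry harvested addresses, while the Received: chain records the
# relays the message actually passed through. Newest hop is on top, as in real mail.
SAMPLE_MESSAGE = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id 123ABC
\tfor <me@work.example.org>; Tue, 14 May 2002 10:02:11 +0000
Received: from isp-relay.example.com (isp-relay.example.com [198.51.100.5])
\tby mx.example.net with SMTP id 456DEF; Tue, 14 May 2002 10:01:58 +0000
Received: from oemcomputer (dialup-77.isp.example.com [203.0.113.77])
\tby isp-relay.example.com with SMTP id 789GHI; Tue, 14 May 2002 10:01:40 +0000
From: me@home.example.net
To: me@work.example.org
Reply-To: someone@third.example
Subject: Welcome to my hometown
Content-Type: text/plain

body
"""

# "from <helo> (<reverse-dns> [<ip>])": the HELO name is chosen by the sender and
# can be anything; the part in parentheses is what the receiving relay observed.
RECEIVED_FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?",
    re.IGNORECASE,
)


def received_hops(raw):
    """Return the Received: hops in transit order: the relay that saw the message first comes first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        # Folded header lines are joined back into one line before matching.
        match = RECEIVED_FROM_RE.search(" ".join(value.split()))
        if match:
            hops.append({"helo": match.group("helo"),
                         "rdns": match.group("rdns"),
                         "ip": match.group("ip")})
    return hops


def originating_domain(raw):
    """Domain of the first hop, taken from the relay's reverse lookup rather than the HELO name.

    Keeps the last two labels only (crude: right for example.com, wrong for co.uk-style TLDs).
    """
    hops = received_hops(raw)
    if not hops:
        return None
    name = (hops[0]["rdns"] or hops[0]["helo"]).lower().rstrip(".")
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def header_addresses(raw):
    """The addresses the worm filled in; useful for knowing who to warn, not for attribution."""
    msg = message_from_string(raw)
    return {h: [addr for _, addr in getaddresses(msg.get_all(h, []))]
            for h in ("From", "To", "Reply-To")}


def from_matches_origin(raw):
    """True when the From: domain agrees with the originating relay; a forged From: usually does not."""
    from_addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return from_addr.rpartition("@")[2].lower() == originating_domain(raw)


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(hop)
    print("origin domain:", originating_domain(SAMPLE_MESSAGE))
    print("header addresses:", header_addresses(SAMPLE_MESSAGE))
    print("From: agrees with origin:", from_matches_origin(SAMPLE_MESSAGE))
```

Only the Received: lines added by relays you trust are reliable; a sender can prepend fake ones, so the bottom-most hop written by your own provider's relay is the one to read, and in the sample that points at a dial-up host in an ISP's domain, not at the home address in From:.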
how did it manage to choose my home email address for the ‘from’ and my work one for the ‘to’; does this mean that it’s been (unwittingly) sent by someone who has communicated with me at both addresses?
Yes, that’s what it means. It picked your personal address to fool you into thinking it came from you, and sent it to your business address. I guess the virus maker didn’t anticipate that situation.
That narrows it down a little; I managed to track it down as originating from a domain that only appears twice in my inbox, so I’ve written a friendly message to both of the possible senders.
Although klez typically grabs two random email addresses from your personal address book, puts one in the “To” field and one in the “From” field before mailing, the address book is not the only place it finds addresses. According to Trend Micro, it also looks in other files, too:
It did turn out to be one of the two people I contacted (who was already aware and dealing with it).
My work email gets forwarded automatically to my out-of-office address, so very often I respond to messages sent to Me@work from Me@home and vice versa, so I suspect that it did get my addresses from the address book in this case.
I just got a klez email that was more fun than usual. It had my address in the “To:”, my roomie’s email address in the “From”, and a third, unknown, email address in the “reply-to” field.
Is that the address it really came from, or did I just get a new, fun, version of klez?
Ooh, I’m going to jump in with yet another question about it:
My mom got a dozen-ish emails the other week, one “from” my sister, a few “from” some of her friends, and a few others “from” various family members. My sister seems to be the only common link in all the addresses, my mother was the only recipient of the mails, and my sister’s computer came up clean.
Thus your sister would be the infected one, and the people apparently sending the virus would actually be random names from your sister’s address book.
Not necessarily. All it means is that your sister’s address and the address of the recipient were on the same computer. I don’t know how often Klez switches the From: address, but it’s perfectly possible that it took your sister’s e-mail and used it more than once. It can be from anyone who has both addresses anywhere on their computer (not just in the address book).
And while we’re on the subject, I just got a message that was prefixed by this:
The body of the msg was a SPAM ad (probably), something relating to Northwest Airlines Frequent Flyer Miles. The attachment looks like this (I have condensed it a trifle):
My ISP said his system did not generate this. Could it be generated by the sending ISP? But why would a SPAMmer use an ISP that had an outgoing virus scanner?
Somebody is sure wasting a lot of Internet time with this crap. The warnings are worse than the disease.