Summary: Email viruses come from many sources, usually from other machines that are themselves infected. There are clues in the email headers, but they are often incomplete.

Today I got a message that I had received two emails in my box with a virus ... But where [do they] come from?

There's no 100% reliable way to tell who really sent you the virus. The only thing that's likely is that your email address, or the address of an email list you're a member of, is in an address book on the machine that sent it to you, and that that machine is a Windows machine. As to whose machine that might be, you can get clues from the more detailed email headers that you typically don't see, but even then it's often difficult to tell.

This virus, and many recent viruses, work by emailing a copy of themselves to every address found in the address books on the infected machine. They also spoof, or fake, the "From:" address to hide where the email is really coming from. It looks like this particular virus uses only certain "From:" addresses, but others will use other addresses found in the infected machine's address book.

"From spoofing" is a little confusing, so let's whip up an example. Peter has both Paul and Mary in his email address book. Paul and Mary do not know each other and have never emailed each other. Unfortunately, Peter's computer becomes infected with one of the viruses we're talking about. The virus starts emailing itself to everyone in Peter's address book, and also uses that address book to make up fake "From:" addresses. As a result, Peter's computer sends email to Mary that looks like it's "from" Paul, even though Paul had nothing whatsoever to do with it. If Mary believes the "From:" address, she may get upset with Paul for "sending" her the virus, but her anger is misplaced: it's Peter's machine that's infected.

If we take a look at the header information that comes with each email message, we may be able to track the source a little better.
The header information I'm talking about is information that many email clients don't show you by default. As an email message gets passed from computer to computer, each one adds a "Received:" line to the header saying when it received the message and from what IP address. Each new line is added above the previous ones, so the first line added, the one at the bottom of the list, should record the machine that handed the message in to begin with. Unfortunately it's not always that simple. For example, a broadband router, firewall, or proxy server can mask a machine's address on the internet, and some of the viruses take steps to obscure or spoof the header information. Outlook and Outlook Express are both common mailers, as well as common virus targets, that hide the headers by default. If you want to have a look at the headers I'm talking about:
The headers are not meant to be pretty or easy to understand, but typically the bottom-most "Received: from" line will tell you the IP address, and possibly the machine name, that the mail may have originated from. In our example above, it may be easy to identify Peter's machine by his IP address or his machine name ... or that information may still be hidden. The virus that triggered this question was W32.Sober@mm, which you can read more about here at Symantec's site. (They're my recommended virus reference site.)
What's the cure? I've already run my virus updates and virus checker - it found absolutely nothing! But all my email contacts are being used all over with these fake attachments. Is there any way to protect your address book from being seen by the hackers? Yes, I do have a Norton Personal Firewall and it is set from medium to high depending on where I'm surfing. thanks! wendy
Posted by: wendy at March 10, 2004 06:10 AM

Also make sure your email program is fully up-to-date with its latest patches. You didn't say what you're using, but Outlook and Outlook Express are the normal targets for these viruses. Outlook can be updated at Office Update, and Outlook Express gets updated via Windows Update, both at Microsoft.com. Also know that you didn't need to have the virus to have your email address be abused. I've never been infected with an email virus, and yet I get bounces because of the MyDoom and related viruses all the time. This happens because of SPAM lists, your address in other people's address books (where *they* get infected), and some variants of the virus that even spread the addresses around as they infect, or so I'm told. It really sucks. This article may also help explain: http://ask-leo.com/archives/000065.html Thanks! Leo
Posted by: Leo at March 10, 2004 09:47 AM

I have scanned all workstations and haven't been able to track down the W32.Sober@MM virus. I'm still not sure if our company has the virus since no one claims that they have actually opened the attachment, but we are still receiving a lot of the W32.Sober@MM emails in our Outlook Inbox. Any idea on how to stop receiving the W32.Sober@MM emails? Thanks, Brad
Posted by: Brad at November 27, 2005 05:40 PM

Brad,