[UK-CONTEST] G3SJJ Virus Free

Brian Miller brianmiller at xtra.co.nz
Thu Oct 10 16:33:26 EDT 2002


Agreed Peter.

In Outlook Express go to File, Properties, Details and then open "Message Source" to see the full
path taken by the message including the original source address.

The displayed "From" address is usually spoofed by the spammer or virus so you have to look at the
Message Source details to see the true sender.

73

Brian ZL1AZE


----- Original Message -----
From: <peter at unica.co.uk>
To: <allmail at mm0antmail.co.uk>
Cc: <g3sjj at btinternet.com>; <uk-contest at contesting.com>
Sent: Friday, October 11, 2002 1:13 AM
Subject: Re: [UK-CONTEST] G3SJJ Virus Free


Along with many others, the virus (actually a Trojan) you're seeing forges
email headers. It looks in your inbox and sends itself out with a 'From'
address of someone who mailed you.

Just because the mail you saw had 'g3sjj' in the From: header, that's no
indication that it came from Chris's computer.

The one thing it can't fake is the 'Received' headers - they could give
you a clue where the mail came from, if you really want to track it down -
compare the Received headers in the infected mail with others you see from
other people and you might find a clue - particularly if it came from an
ISP such as Demon (who allocate separate hostnames to each customer) or a
corporate email system.

Peter G4MJS

>
>>Have downloaded latest signature files and revrus checker. It didn't
>> pick anything up. Chris
>
> Hi Chris,
>
> It's odd to hear that nothing was found, as the header and
> content appear to be from yourself, admittedly with the
> false header as previously mentioned.  Can anyone confirm
> the status of the email as below... Did it have a virus attached?
>
> Maybe the email, whoever had it, managed to fake the whole
> email address from their address-book. The headers aren't a
> great match to the email you just sent. The "Virus-ed" mail has
> most of the Outlook headers stripped, to hide the source probably.
>
> Anyway, Sorry if the alert caused any inconvenience. The virus
> detected had been driving me nuts at work those few days and seemed to be
> coming in from everywhere. It's good to hear all is well.
>
> Rv!
> www.MM0ANT.co.uk
>
>
>>Date: Wed, 9 Oct 2002 22:25:51 +0100
>>Message-Id: <200210092125.WAA29777 at dougal.trinetimb.net>
>>From: "G3SJJ" <g3sjj at grisoft.com>
>>Subject: Re: [UK-CONTEST]  UK contests.
>>MIME-Version: 1.0
>>Content-Type: multipart/mixed; boundary="----------ORJP5P30JLATCI"
>>To: undisclosed-recipients:;
>>X-Envelope-To: rv at clara.co.uk
>>X-claradeliver-Version: 4.15.0
>>X-UIDL: 1034201505.72324.hespera.uk.clara.net
>>X-RCPT: rv
>>Status: U
>>
>>
>>I think we see it from different aspects Jonathon.  You are most
>>fortunate in belonging to a club with obviously motivated people
>>as can be seen from your past reports on Club Calls, 160 CW,
>>CW FD and others.
>>
>>>From
>>
>>Viruses found in the attached files.
>>The attached file 13thmap.doc.scr is infected by I-Worm/Bugbear. The
>> attachment was moved to the virus vault.
>
>
>
> "Individuals play the game, but teams beat the odds." SEAL Team saying
>
>
>
> --- StripMime Report -- processed MIME parts ---
> multipart/mixed
>   text/plain (text body -- kept)
> ---
> _______________________________________________
> UK-Contest mailing list
> UK-Contest at contesting.com
> http://lists.contesting.com/mailman/listinfo/uk-contest
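
Added example (not part of the original messages): the header check discussed above, in Python. It parses the Received: chain of a constructed message and compares the displayed From: domain with the peer recorded by a receiving server you trust; the sample message, all host names and the trusted-server set are assumptions, and hops below the first trusted stamp are treated as claims only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (all hosts and addresses are made up): the From: line
# names one domain, the Received: chain shows a customer host at another ISP.
RAW = """\
Received: from relay.isp-b.example (relay.isp-b.example [192.0.2.10])
\tby mx.myisp.example with ESMTP; Wed, 9 Oct 2002 22:25:55 +0100
Received: from pc (host-42.customers.isp-b.example [198.51.100.42])
\tby relay.isp-b.example with SMTP; Wed, 9 Oct 2002 22:25:51 +0100
From: "Friend" <friend@isp-a.example>
Subject: Re: UK contests.

body
"""

# "from <helo> (<reverse-dns> [<ip>]) by <stamping server>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")

def received_hops(raw):
    """Parse the Received: headers, newest (top) first."""
    values = message_from_string(raw).get_all("Received", [])
    found = (HOP.search(v) for v in values)
    return [dict(zip(("helo", "rdns", "ip", "by"), m.groups())) for m in found if m]

def trace(raw, trusted):
    """Compare the From: domain with the peer recorded by a trusted server."""
    hops = received_hops(raw)
    verified = None
    for hop in hops:                  # walk down from the top
        if hop["by"] not in trusted:  # stamped by someone else: a claim only
            break
        verified = hop
    sender = parseaddr(message_from_string(raw).get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    peer = ((verified or {}).get("rdns") or "").lower()
    return {
        "from_domain": domain,
        "verified_peer": verified,                     # written by our server
        "claimed_origin": hops[-1] if hops else None,  # oldest hop, unverified
        "from_matches_peer": bool(domain) and (peer == domain or peer.endswith("." + domain)),
    }

if __name__ == "__main__":
    print(trace(RAW, trusted={"mx.myisp.example"}))
```

A mismatch between the From: domain and the verified peer is only a clue, since mailing lists and forwarding services produce the same pattern legitimately.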


