Tracking down an infected user


John Bowen

I am receiving a large number (20-30) of typical viruses in my e-mail every
day. All of them arrive as attachments from people who have my e-mail
address in their address books. I am personally in about 1000 address books
because of a newsletter I publish. The e-mails themselves have a return
address of someone else in their address book and I recognize almost all the
addresses as being in my address book. I'd like to be able to warn infected
users about their problems. Is there any way to look at the return addresses
and DNS codes to help determine what ISP they are using or what their e-mail
address is? I don't even know if there is one account infected or 100. How
can I tell?

John B
 
from the wonderful person said:
I am receiving a large number (20-30) of typical viruses in my e-mail every
day. All of them arrive as attachments from people who have my e-mail
address in their address books. I am personally in about 1000 address books
because of a newsletter I publish. The e-mails themselves have a return
address of someone else in their address book and I recognize almost all the
addresses as being in my address book. I'd like to be able to warn infected
users about their problems. Is there any way to look at the return addresses
and DNS codes to help determine what ISP they are using or what their e-mail
address is? I don't even know if there is one account infected or 100. How
can I tell?

The easiest way is to stick the raw message text into spamcop
(www.spamcop.net), which will do the digging for you. Although it won't
let you report viruses via that route these days, it will tell you who
to report them to.
 
Good news. I managed to track down the person sending me the Klez.H virus
and I went to her house (turned out to be a friend) and removed it.

What I did was to put all my virus email into a folder in OE. I discovered
it had all come from the same IP address. It was a local cable company ISP.
Then I looked at the IP addresses and tried to match them with email I had
saved from folks with that cable company. That didn't work because the
sender was using AOL under a cable modem ISP and the IP address was not in
her messages.

Then I started collecting the To: email addresses and the bounced email
addresses from AOL. In the pattern of names I deduced the names of members
in a local social club I belong to. I also found the surname of the
activities chair of that club (she had been writing relatives). She said it
couldn't be her because she never uses OE. She only uses AOL. However, her
OE address book had been created by a visiting relative who imported it from
her AOL files and that solved the mystery. The virus was probably downloaded
at that time too. Norton was installed but something was keeping it from
running automatically. I reinstalled it.

I think her computer probably sent out... tens of thousands of copies of the
KLEZ virus... her address book was pretty big (in the hundreds... like
mine).

Thanks to Mizz Lindy One on this board for assistance.

John B...
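As an added example (not code from this thread), the following Python script does what John did by hand: it reads each saved virus message, walks the Received: headers to find the originating IP, and groups the messages by that IP together with the From: and To: addresses seen from each source. The three messages and every address and host name in them are constructed samples.

```python
import ipaddress
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

# Constructed sample mail (not real messages); two share an originating IP.
SAMPLE_MESSAGES = [
    """Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.org; Tue, 14 Oct 2003 09:01:22 -0400
Received: from oemcomputer (cpe-203-0-113-45.cable.example.net [203.0.113.45]) by mx.example.net; Tue, 14 Oct 2003 09:01:20 -0400
From: alice@example.com
To: john@example.org
""",
    """Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.org; Tue, 14 Oct 2003 11:40:02 -0400
Received: from oemcomputer (cpe-203-0-113-45.cable.example.net [203.0.113.45]) by mx.example.net; Tue, 14 Oct 2003 11:40:00 -0400
From: bob@example.com
To: john@example.org, carol@example.com
""",
    """Received: from relay.otherisp.example ([198.51.100.7]) by mx.example.net; Wed, 15 Oct 2003 08:12:44 -0400
Received: from home-pc ([192.168.1.5]) by relay.otherisp.example; Wed, 15 Oct 2003 08:12:40 -0400
From: dave@example.com
To: john@example.org
""",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Hops in private or loopback space say nothing about the ISP; skip them.
SKIP_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def origin_ip(msg):
    """Walk Received: headers from the earliest hop upward and return the first
    routable IPv4 address: the host that handed the mail to the outside world
    (for a Klez-style worm, normally the infected PC itself)."""
    for received in reversed(msg.get_all("Received", [])):
        for candidate in IP_RE.findall(received):
            addr = ipaddress.ip_address(candidate)
            if not any(addr in net for net in SKIP_NETS):
                return str(addr)
    return None

def cluster_by_origin(raw_messages):
    """Group messages by originating IP with the From:/To: addresses seen from each
    source. Klez forges From: out of the victim's address book, so those names
    identify the address book's owner, not the sender."""
    clusters = defaultdict(lambda: {"count": 0, "from": set(), "to": set()})
    for raw in raw_messages:
        msg = message_from_string(raw)
        entry = clusters[origin_ip(msg) or "unknown"]
        entry["count"] += 1
        entry["from"].update(a for _, a in getaddresses(msg.get_all("From", [])))
        entry["to"].update(a for _, a in getaddresses(msg.get_all("To", [])))
    return dict(clusters)
```

Feed it the raw text of every message in the virus folder: the source that accounts for most of the mail is the one to chase, and the names gathered under it are the address-book clue John used to identify the owner.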
 
(see bottom of post for reply)
John said:
Good news. I managed to track down the person sending me the Klez.H virus
and I went to her house (turned out to be a friend) and removed it.

What I did was to put all my virus email into a folder in OE. I discovered
it had all come from the same IP address. It was a local cable company ISP.
Then I looked at the IP addresses and tried to match them with email I had
saved from folks with that cable company. That didn't work because the
sender was using AOL under a cable modem ISP and the IP address was not in
her messages.

Then I started collecting the To: email addresses and the bounced email
addresses from AOL. In the pattern of names I deduced the names of members
in a local social club I belong to. I also found the surname of the
activities chair of that club (she had been writing relatives). She said it
couldn't be her because she never uses OE. She only uses AOL. However, her
OE address book had been created by a visiting relative who imported it from
her AOL files and that solved the mystery. The virus was probably downloaded
at that time too. Norton was installed but something was keeping it from
running automatically. I reinstalled it.

I think her computer probably sent out... tens of thousands of copies of the
KLEZ virus... her address book was pretty big (in the hundreds... like
mine).

Thanks to Mizz Lindy One on this board for assistance.

John B...

Several of the new Internet worms have a component that disables both
antivirus and firewall programs. (Swen reportedly does this.) In this
case, cleaning the machine must be done in Safe Mode; otherwise the worm
will simply reinstall on next boot. Just an FYI for those not already
familiar with the subject.
 