Tracing the sender of a virus?

  Ellie3009 10:46 18 Jan 2003

In the last two weeks I have received 5 copies of an email infected with the virus: [email protected]
I had the sense to scan the attachment the first time I read the mail, so happily I have not been infected.
However, someone I know, who has me in their Outlook address book, or Yahoo/MSN messenger contact lists obviously is infected. The virus changes the "from" field of the email so that it always reads "[email protected]", so I don't know who the mail is really coming from.

What I want to know is, is there any other way of tracing the sender of the email so I can let them know to virus check their system?

BTW, I have already tried running the IP listed in "from" through tracert command (times out) and through Visualroute, and it gets as far as a pipex adsl dynamic address pool. However, I know no users of pipex, and the only two ADSL users I know have already been ruled out, so no luck here either.

Can anybody help? If it is of any use, I have added the full headers of the infected mail below, with the "to" fields removed so that my email address remains private.

17 Jan 2003 03:39:06 -0800 (PST)
Return-Path: [email protected]>
Received: from ( by with SMTP; 17 Jan 2003 03:39:04 -0800 (PST)
From: "swansea ymca" [email protected]> |
Subject: war Againest Loneliness
Date: Fri,17 Jan 2003 11:40:30 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=#r0xx#
Content-Length: 33682
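
Walking the Received chain, as an added example that is not part of this thread or of any tool named in it. The headers above have their IPs stripped, so this script uses constructed sample headers modelled on them (host names and addresses are from documentation example ranges, not real machines). It lists the relay hops in origin-first order, pulls out the IP each relay actually saw, and separates that from the From, Return-Path and X-Mailer fields, which the sending program writes itself and a mass-mailer forges freely.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers, modelled on the redacted ones in the post
# above. Host names and IPs are example ranges (RFC 5737), not real hosts.
SAMPLE = """\
Return-Path: <swanseaymca@hotmail.com>
Received: from mx1.myisp.example (mx1.myisp.example [203.0.113.10])
 by pop.myisp.example with SMTP; 17 Jan 2003 03:39:04 -0800 (PST)
Received: from smtp.relay.example ([198.51.100.25])
 by mx1.myisp.example with ESMTP; 17 Jan 2003 03:39:02 -0800 (PST)
Received: from oemcomputer (dsl-pool-77.adsl.example [192.0.2.77])
 by smtp.relay.example with SMTP; Fri, 17 Jan 2003 11:38:55 +0000
From: "swansea ymca" <swanseaymca@hotmail.com>
Subject: war Againest Loneliness
Date: Fri, 17 Jan 2003 11:40:30 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0

(body omitted)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
BRACKETED_IP = re.compile(r"\[(" + IPV4 + r")\]")
ANY_IP = re.compile(IPV4)
HELO = re.compile(r"^from\s+(\S+)", re.I)
BY = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(value):
    """Split one Received: header into (helo name, ip, receiving server).

    The 'from' token is whatever the connecting machine announced in HELO;
    the bracketed IP is what the receiving server observed on the socket,
    so it is the only field here that the sender could not simply type in.
    """
    text = " ".join(value.split())  # unfold continuation lines
    m_ip = BRACKETED_IP.search(text) or ANY_IP.search(text)
    m_helo = HELO.match(text)
    m_by = BY.search(text)
    return {
        "helo": m_helo.group(1) if m_helo else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1).rstrip(";") if m_by else None,
    }


def received_chain(raw):
    """Return the hops origin-first.

    Each relay prepends its own Received: line, so the header nearest the
    message body is the earliest hop and the top one is your own server.
    """
    msg = message_from_string(raw)
    headers = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(headers)]


def originating_ip(raw):
    """IP of the machine that first handed the message to a relay."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def sender_claims(raw):
    """Fields the sending program fills in itself; none of them is evidence."""
    msg = message_from_string(raw)
    return {
        "from": parseaddr(msg.get("From", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "x_mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE), 1):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    print("claimed sender:", sender_claims(SAMPLE))
    print("originating IP:", originating_ip(SAMPLE))
```

Two caveats when reading the result. First, only the Received lines added by servers you trust (your own provider's, at the top) are reliable; a mass-mailer can prepend fake Received lines of its own below them, so stop walking the chain at the first line you cannot vouch for. Second, as the thread goes on to say, the originating IP usually resolves only to an ISP's dynamic pool, which narrows the search to "a customer of that ISP" and no further without the ISP's help.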

  PSF 10:55 18 Jan 2003

Try SmartWhois to trace the IP address

  alB 10:56 18 Jan 2003

A bit of information here that might be of help click here ...alB

  Rtus 11:05 18 Jan 2003

It's lots of work and may very well lead nowhere in particular. Most of these are not the real senders of viruses; they have had their email addies nicked for this purpose. I get a regular virus attack from a certain address, who lives locally, and I know for a fact I've had no contact with that address, and I happen to have a mate who looks after that machine. Really, just making sure you keep your AV program up to date is, I believe, the best advice here.

  GANDALF <|:-)> 11:08 18 Jan 2003

It is unlikely that the sender knows they are sending the virus as in the recent spate of Klez attacks. An email to Swansea YMCA may help as they could easily be infected without knowing although I suspect that this could be a public access computer.

Tracing an IP is no use whatsoever as: a) you will only get the ISP (who will not give out info to Joe Public), and if it was a malicious attack then the sender would have set up a false ID etc., and b) you may only get a series of IP addresses for routers, and there could be up to 30 of them.

Anyone doing this maliciously will be using an anonymous proxy or fake ID (easy to set up an email account giving false details).

Apart from all the above, Yaha is an old virus and if your AV is up to date it would have blocked it.


  amadas 11:11 18 Jan 2003

Very difficult, to say the least. There might be some software out there that can achieve this, but I'm unaware of it. This virus has attached itself to so many Outlook address books it's not funny. I run NeoTrace Pro, it's a great and powerful program; however, the only IPs traced are referring back to whoever's address book is infected. I somehow caught this little devil, even though I don't use Outlook, or IE as my default (I'm a Netscape man); it got in there somehow and grabbed all the email addresses from sites I visited and began sending emails. Not a problem with me; however, my mailbox was loading up with postmaster returns. I learned that by upgrading to IE6 it will remove it from your system. Once done, the postmaster mails ceased.

Good luck in your search.


  Ellie3009 11:11 18 Jan 2003

Thanks, but already tried these tools.
Results in finding out that it's a pipex/uunet user (and I don't know any!) and an ADSL dynamic pool address (and the two ADSL users I know are already ruled out!)

Don't know where to go from there!

  Ellie3009 11:18 18 Jan 2003

The swanseaymca address is a hotmail address, which is why I believe that it's a spoof, given that the headers list Outlook Express 5.5 as the software used.

I don't think for a moment that it's a malicious attack, and I'm not worried about my own machine being infected (I have an up-to-date copy of Norton), but I thought it would be courteous to inform whichever friend has the virus if I could trace them, since they obviously don't realise.

I tried to trace the IP because knowing what ISP most of my contacts use, I would have been able to narrow down the field and email those concerned.
