Return-Path:
Received: (qmail 22860 invoked from network); 13 Oct 2002 00:45:25 -0000
Received: from murphys.services.quay.plus.net (212.159.14.225) by mailstore with SMTP; 13 Oct 2002 00:45:25 -0000
Received: (qmail 11753 invoked from network); 13 Oct 2002 00:45:40 -0000
Received: from post.thorcom.com (193.82.116.70) by murphys.services.quay.plus.net with SMTP; 13 Oct 2002 00:45:40 -0000
X-SQ: A
Received: from majordom by post.thorcom.com with local (Exim 4.10) id 180Ws7-000154-00 for rsgb_lf_group-outgoing@blacksheep.org; Sun, 13 Oct 2002 01:44:43 +0100
Received: from [165.254.158.18] (helo=mail.mcf.com) by post.thorcom.com with esmtp (Exim 4.10) id 180Ws6-00014v-00 for rsgb_lf_group@blacksheep.org; Sun, 13 Oct 2002 01:44:42 +0100
Received: from parissn2 (193.253.216.19) by mail.mcf.com with ESMTP (Eudora Internet Mail Server 3.1.3) for ; Sat, 12 Oct 2002 20:44:42 -0400
Message-ID: <003101c27251$c830bd30$0700000a@parissn2>
From: "Stewart Nelson"
To: rsgb_lf_group@blacksheep.org
References: <000501c27247$f7d26340$a34f7ad5@main>
Date: Sun, 13 Oct 2002 02:45:08 +0200
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Subject: LF: Re: Please check ....
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, hits=-0.6 required=5.0 tests=QUOTED_EMAIL_TEXT,REFERENCES,SPAM_PHRASE_01_02,USER_AGENT_OE version=2.42
Sender:
Precedence: bulk
Reply-To: rsgb_lf_group@blacksheep.org
X-Listname: rsgb_lf_group

Hi Alan and all,

> Hi all, it would seem that though not being sent through the Reflector, some
> reflector member's PC has been infected and is sending out quantities of
> infected mail. The message mentioned by Andre is not from Mike, I believe,
> (someone else received a spoofed message with his name about 10 days ago.)

This is correct.
> but as Andre, Brian, and myself have received the same message today it
> would seem that someone's machine still has an undetected virus which is
> using his address list of Reflector members and / or message Inbox (which
> must be quite big for Mike changed his address some time ago, I only have an
> archive folder back to April 2002 ...not in the Inbox...and it is not in
> there.....I believe that Mike announced the change last year.....so whoever
> is infected has an enormous Inbox folder ) to forge the instantly
> recognisable message with a 69kB attachment (a size that would not pass
> through the reflector)

The bugbear virus fakes a "from" address with a user name (mike.dennison) from one message on the infected machine and a domain name (compuserve.com) from another. So the faked address, in general, does not exist at all! Bugbear sends itself out to addresses harvested from saved messages (not just the inbox) and cached web pages on the victim's machine.

There is, however, some info in the headers of a bugbear message which may help you find and warn the victim. I did not receive "Mike's" message myself, but if you still have the message on your system, with all headers, here's what to look for:

Below are headers from a bugbear message I got "from" another mailing list.

Return-Path:
Received: from gadolinium.btinternet.com (194.73.73.111) by mail.mcf.com with ESMTP (Eudora Internet Mail Server 3.1.3) for ; Sat, 12 Oct 2002 04:41:06 -0400
Received: from host213-122-88-90.in-addr.btopenworld.com ([213.122.88.90] helo=msalt2) by gadolinium.btinternet.com with smtp (Exim 3.22 #8) id 180HlH-00064c-00; Sat, 12 Oct 2002 09:36:40 +0100
From: sumoml@amicus-m.org
Subject: Re: Was sumo more popular in the '30s?
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----------AK72WDRHLCHWMV4"
Message-Id:
Bcc:
Date: Sat, 12 Oct 2002 09:36:40 +0100

The 'Return-Path:' and 'From:' are forged. The 'Received:' headers are all real.
Bugbear uses the victim's normal outgoing SMTP server to send mail, so the top header (typically generated by your ISP) indicates that he probably has a btinternet.com address. The second header (typically generated by his ISP) will usually give the real computer name (in this case 'msalt2'), his IP address at the time (in this case 213.122.88.90), and the sender's time zone (+0100).

People often choose a computer name which matches their first or last name. Or, if you can search an archive including full headers, you may find a post with the same host name. You can try a tracert command to the IP involved; the names of the routers in the path may give a clue to the victim's city. If the victim has a broadband connection with a static or rarely changing IP, you might find the address in a prior post.

If you can't easily identify the victim, send me a copy of the headers and I'll try to puzzle it out.

73,
Stewart
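The header reading Stewart walks through above, done in code, as an added example (not code from the post or from the rsgb_lf_group list): it parses the Received: chain of the bugbear header block quoted in the message, takes the bottom-most hop as the victim's submission (host name from the helo, IP, time zone), checks that each hop's "from" matches the next hop's "by" so a spliced-in fake header would show up, and compares the From: domain with the ISP relay that first accepted the message. The Received: parsing is a regex heuristic over common MTA formats, and registered_domain() is a deliberately crude last-two-labels rule; both are assumptions of this example, not anything the post specifies.

```python
"""Walk a message's Received: chain back to the originating machine.

Added example, not code from the post or the mailing list.  It applies
the header reading the post describes to the bugbear header block quoted
in it, reproduced below as a headers-only message.  The Received: parsing
is a regex heuristic and registered_domain() a crude last-two-labels rule.
"""
import email
import email.utils
import re

# Header block quoted in the post, turned into a headers-only message.
SAMPLE = """\
Return-Path:
Received: from gadolinium.btinternet.com (194.73.73.111) by mail.mcf.com with ESMTP (Eudora Internet Mail Server 3.1.3) for ; Sat, 12 Oct 2002 04:41:06 -0400
Received: from host213-122-88-90.in-addr.btopenworld.com ([213.122.88.90] helo=msalt2) by gadolinium.btinternet.com with smtp (Exim 3.22 #8) id 180HlH-00064c-00; Sat, 12 Oct 2002 09:36:40 +0100
From: sumoml@amicus-m.org
Subject: Re: Was sumo more popular in the '30s?
MIME-Version: 1.0
Message-Id:
Bcc:
Date: Sat, 12 Oct 2002 09:36:40 +0100

"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"        # host as seen/claimed at this hop
    r"(?:\s+\((?P<detail>[^)]*)\))?"     # optional "(IP helo=name)" detail
    r".*?\bby\s+(?P<by>\S+)"             # the MTA that wrote this header
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"helo=(\S+)")
TZ_RE = re.compile(r"([+-]\d{4})(?:\s*\([A-Z]+\))?\s*$")   # "+0100" or "+0100 (BST)"


def parse_received(value: str) -> dict:
    """Pull the fields an investigator reads out of one Received: header."""
    value = " ".join(value.split())            # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        raise ValueError("unparseable Received: header: " + value)
    detail = m.group("detail") or ""
    ip = IP_RE.search(detail) or IP_RE.search(m.group("from_host"))
    helo = HELO_RE.search(detail)
    tz = TZ_RE.search(value)
    return {
        "from_host": m.group("from_host"),
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,   # the sender's own machine name
        "by": m.group("by"),
        "tz": tz.group(1) if tz else None,
    }


def registered_domain(host: str) -> str:
    """Crude 'last two labels' domain; enough for a first comparison (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def trace_origin(raw: str) -> dict:
    """Summarise where the message entered the mail system and whether From: fits."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    if not hops:
        raise ValueError("message carries no Received: headers")
    # Headers are prepended, so hops[0] is newest and hops[-1] is the relay the
    # sender's own outgoing server wrote.  Each hop's "from" should be the next
    # (earlier) hop's "by"; a mismatch is a hint to look closer, not proof.
    breaks = [i for i in range(len(hops) - 1)
              if hops[i]["from_host"].lower() != hops[i + 1]["by"].lower()]
    origin = hops[-1]
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    return {
        "hops": hops,
        "chain_breaks": breaks,
        "origin_host": origin["helo"] or origin["from_host"],
        "origin_ip": origin["ip"],
        "origin_tz": origin["tz"],
        "submitting_relay": origin["by"],
        "sender_domain": sender_domain,
        # A forged From: usually belongs to a different ISP than the relay
        # that first accepted the mail from the victim's machine.
        "from_matches_relay": sender_domain.endswith(registered_domain(origin["by"])),
    }


if __name__ == "__main__":
    result = trace_origin(SAMPLE)
    print("origin host :", result["origin_host"])
    print("origin IP   :", result["origin_ip"])
    print("origin tz   :", result["origin_tz"])
    print("submitted to:", result["submitting_relay"])
    print("From: domain matches submitting ISP:", result["from_matches_relay"])
    if result["chain_breaks"]:
        print("Received: chain inconsistent after hop(s):", result["chain_breaks"])
```

On the quoted headers this reports msalt2 at 213.122.88.90 in time zone +0100, submitted through gadolinium.btinternet.com, with a From: domain (amicus-m.org) that does not belong to that ISP, which is the same conclusion the post reaches by eye. Only the bottom-most hop's details are trustworthy in the way the post describes; anything below a chain break was written by someone other than the relays above it.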