Hi all,
The infected message certainly has nothing to do with Rik -- the From: address
is forged.
Hugh is also correct about the fen-net.de origin. There are three things
about a Bugbear message that are not faked: The outgoing mail server (here
hugo.fen-net.de aka mail.fen-net.de) is the one normally used by the victim.
The IP address (here dialin-nbg-018.fen-net.de [212.204.116.18]) is the
address the machine had when the virus was sent. And the machine name
(here 'PC') is also not forged.
A search through recent postings found only Walter DJ2LF with an address
at fen-net.de. But his messages (last one that I had saved was July 28)
all came from a machine named 'DEFAULT'. So that machine is not the culprit.
IMO, there are two possibilities: Walter got a new computer named 'PC' (or
a fresh OS install) and it is infected. More likely, there is another
member, in the Nürnberg area, with a fen-net.de address, who has not posted
recently, but who has the virus.
If this might be you, there is information about Bugbear at
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
(Symantec), at
http://www.mcafee.com/anti-virus/viruses/bugbear/ (McAfee) or
at many other anti-virus sites.
73,
Stewart KK7KA
----- Original Message -----
From: "Hugh Burnham" <[email protected]>
To: "LF-Group" <[email protected]>
Sent: Friday, November 01, 2002 12:41 PM
Subject: Don't open "Re:LF:Capacity hat puzzle" from Rik Strobbe (bug bear virus
again!)
Hi all
Norton has just thrown up a Virus Alert (Bugbear) on a message
"Re:LF:Capacity hat puzzle" purporting to be from Rik Strobbe (but
necessarily his machine that is infected).
This is an old message regurgitated by the Virus, to look plausible and
refers to a message dated 18/09/2002.
It seems to have come from the domain name "hugo.fen-net.de" if that means
anything to anyone ...
73
Hugh M0WYE