On 10 Dec 2000, at 13:15, Brad Loomis <[log in to unmask]> wrote:

> Does anybody have a good way to trace an email? I was sent two different
> mails days apart, one with a .scr and one with a .exe extension that both
> were a virus. Natch I didn't open the attachments. I tried to trace the
> address using SamSpade, but apparently it couldn't find the sender, which
> was [log in to unmask] I'm using Outlook 2000. Needless to say, should
> anyone get something from this address, err, I wouldn't open it. Brad
> Loomis Los Angeles, CA

Yes, this is the Hybris Internet worm, and it seems that the recent wave
of these posts is a new variant of the Hybris, which does not totally meet
the description which you may find in the various virus encyclopedias of
the different AV companies. In fact, the author of the virus posts
encrypted updates on alt.comp.virus, which this worm knows to read in
order to update itself, and thus change itself. Those plugins posted to
alt.comp.virus are encrypted so that it will be impossible for the good
people to write a plugin which will disable or kill this worm.

The address [log in to unmask] is of course forged, and the only relevant
line which can tell you about the origin of the post, is the "Received:"
header field which is on the top of the e-mail message. You should be able
to see this header field only if you switch your e-mail to view all
headers.
It won't tell you the address of the origin, but only from where it was
posted, and the name of the computer which posted it (and which might be
forged, I didn't yet came to conclusion about that).

Uzi
http://members.iol.co.il/uzip/

             PCSOFT maintains many useful files for download
                     visit our download web page at:
                     http://nospin.com/pc/files.html