sobig virus

Mike Kercher mike at CAMAROSS.NET
Wed Aug 20 16:41:38 IST 2003 

Here's a sample of one of mine:

Received: from UNIVERSE-COMP14 (96.2b.ce6d.gw1000.dsl.airmail.net
[206.109.43.150])
        by rh.purvingertz.com (8.11.6/8.11.6) with ESMTP id h7KFTkQ21901
        for <user at purvingertz.com>; Wed, 20 Aug 2003 10:29:47 -0500
 Message-Id: <200308201529.h7KFTkQ21901 at rh.purvingertz.com>
 From: <jstruthers at ucsd.edu>
 To: <user at purvingertz.com>
 Subject: Thank you!
 Date: Wed, 20 Aug 2003 10:29:41 --0500
 X-MailScanner: Found to be clean
 Importance: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.0000
 X-MSMail-Priority: Normal
 X-Priority: 3 (Normal)
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
        boundary="_NextPart_000_23D14C0F"

UNIVERSE-COMP14 is the NETBIOS name of the infected sender.  I'd like to see
an example of on of yours for comparison.

Mike



-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Joe Stuart
Sent: Wednesday, August 20, 2003 10:27 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: sobig virus


Ok so it's the netbios name of the remote computer sending the virus. Or is
PC2860 one of my machines? And if it's a remote computer how come all the
rest of the email coming in has Recieved: from scrubber.edenpr.org which is
our server.

Thanks again

>>> mike at CAMAROSS.NET 08/20/03 10:24AM >>>
Correct...it is the NETBIOS name.

Mike


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Anders Andersson, IT
Sent: Wednesday, August 20, 2003 10:06 AM
To: MAILSCANNER at JISCMAIL.AC.UK 
Subject: SV: sobig virus


> -----Ursprungligt meddelande-----
> Från: Joe Stuart [mailto:jstuart at EDENPR.K12.MN.US]
> Skickat: den 20 augusti 2003 16:50
> Till: MAILSCANNER at JISCMAIL.AC.UK 
> Ämne: sobig virus
> 
> 
> I have Mailscanner running with f-prot and it seems to be stopping 
> about 10-15 viruses a minute which is extremely high vloume. It also 
> seems that a lot of them are getting through. A usual header of an 
> email that comes from the outside starts with
> 
> Received: from scrubber.edenpr.org
>         by edenpr.k12.mn.us; Wed, 20 Aug 2003 09:34:42 -0500
> 
> the ones getting through seem to be starting with
> 
> Recieved from PC2860
>        (splkpark.k12.mn.us[204.169.235.111])
>         by edenpr.k12.mn.us; Wed, 20 Aug 2003 09:32:28 -0500
> 
> And they are all .pif's. Scrubber is the server with mailscanner on 
> it. I'm coinfused about the PC2860

Sound like the windows name for a computer.... 

> 
> Thanks
> Joe
>

More information about the MailScanner mailing list