sobig virus
Joe Stuart
jstuart at EDENPR.K12.MN.US
Wed Aug 20 17:09:33 IST 2003
Here is one of mine that went through.
Received: from S0030213072
(mul2.dsl.visi.com [209.98.144.89])
by edenpr.k12.mn.us; Wed, 20 Aug 2003 11:01:20 -0500
From: <kenrep at on.aibn.com>
To: <rgrassel at edenpr.k12.mn.us>
Subject: Re: Wicked screensaver
Date: Wed, 20 Aug 2003 10:59:53 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_245BAC29"
This is a multipart message in MIME format
--_NextPart_000_245BAC29
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Please see the attached file for details.
--_NextPart_000_245BAC29
Content-Type: application/octet-stream;
name="details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="details.pif"
>>> mike at CAMAROSS.NET 08/20/03 10:41AM >>>
Here's a sample of one of mine:
Received: from UNIVERSE-COMP14 (96.2b.ce6d.gw1000.dsl.airmail.net
[206.109.43.150])
by rh.purvingertz.com (8.11.6/8.11.6) with ESMTP id
h7KFTkQ21901
for <user at purvingertz.com>; Wed, 20 Aug 2003 10:29:47 -0500
Message-Id: <200308201529.h7KFTkQ21901 at rh.purvingertz.com>
From: <jstruthers at ucsd.edu>
To: <user at purvingertz.com>
Subject: Thank you!
Date: Wed, 20 Aug 2003 10:29:41 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_23D14C0F"
UNIVERSE-COMP14 is the NETBIOS name of the infected sender. I'd like to see
an example of one of yours for comparison.
Mike
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Joe Stuart
Sent: Wednesday, August 20, 2003 10:27 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: sobig virus
Ok so it's the netbios name of the remote computer sending the virus. Or is
PC2860 one of my machines? And if it's a remote computer how come all the
rest of the email coming in has Received: from scrubber.edenpr.org which is
our server?
Thanks again
>>> mike at CAMAROSS.NET 08/20/03 10:24AM >>>
Correct...it is the NETBIOS name.
Mike
-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Anders Andersson, IT
Sent: Wednesday, August 20, 2003 10:06 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: SV: sobig virus
> -----Original Message-----
> From: Joe Stuart [mailto:jstuart at EDENPR.K12.MN.US]
> Sent: 20 August 2003 16:50
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: sobig virus
>
>
> I have Mailscanner running with f-prot and it seems to be stopping
> about 10-15 viruses a minute which is extremely high volume. It also
> seems that a lot of them are getting through. A usual header of an
> email that comes from the outside starts with
>
> Received: from scrubber.edenpr.org
> by edenpr.k12.mn.us; Wed, 20 Aug 2003 09:34:42 -0500
>
> the ones getting through seem to be starting with
>
> Recieved from PC2860
> (splkpark.k12.mn.us[204.169.235.111])
> by edenpr.k12.mn.us; Wed, 20 Aug 2003 09:32:28 -0500
>
> And they are all .pif's. Scrubber is the server with mailscanner on
> it. I'm confused about the PC2860
Sounds like the Windows name for a computer....
>
> Thanks
> Joe
>
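An added example, not part of the original thread: a check that flags mail whose newest Received hop is not the scanning relay, that carries an X-MailScanner header anyway, or that has a risky attachment. The `audit` helper, the extension list and both sample messages are constructed for illustration; the trusted relay name is taken from the headers quoted above.

```python
import re
from email import message_from_string, policy

TRUSTED_RELAY = "scrubber.edenpr.org"  # assumed: only host allowed to deliver inward
RISKY_EXT = (".pif", ".scr", ".exe", ".bat", ".com")  # assumed blocklist

# Constructed sample, modelled on the headers quoted in the thread.
SAMPLE_BYPASS = """\
Received: from S0030213072 (mul2.dsl.visi.com [209.98.144.89])
 by edenpr.k12.mn.us; Wed, 20 Aug 2003 11:01:20 -0500
Subject: Re: Wicked screensaver
X-MailScanner: Found to be clean
Content-Type: multipart/mixed; boundary="_NextPart_000_245BAC29"

--_NextPart_000_245BAC29
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"

AAAA
--_NextPart_000_245BAC29--
"""

# Constructed sample of mail that did pass through the relay.
SAMPLE_SCANNED = """\
Received: from scrubber.edenpr.org
 by edenpr.k12.mn.us; Wed, 20 Aug 2003 09:34:42 -0500
Subject: hello

plain body
"""

def audit(raw):
    """Return a list of findings for one raw message (hypothetical helper)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # The newest hop is the first Received header; its "from" token is the
    # client-supplied HELO name (the NETBIOS name discussed in the thread).
    top = str(msg.get_all("Received", [""])[0])
    m = re.match(r"\s*from\s+(\S+)", top)
    helo = m.group(1) if m else "unknown"
    if helo.lower() != TRUSTED_RELAY:
        findings.append(f"bypassed-relay:{helo}")
        if msg["X-MailScanner"]:  # clean-scan claim on mail the relay never saw
            findings.append("unverified-scanner-header")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky-attachment:{name}")
    return findings
```

Because the HELO name is chosen by the sending client, a production check should match the relay's IP address as recorded by the receiving server rather than the name alone.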