ANSTHRLD - Virus from Who?
Timothy A. McDaniel
tmcd at jump.net
Mon Mar 26 21:40:34 PST 2001
Etienne:
> Daniel:
>>I've never been able to figure out how to tell who sent the "Snow
>>White" virus. How?
>
> Daniel, you have to look at the full header info of the email.
I did. Repeatedly. I didn't see "who", and someone (Magnus, was it?)
said he knew how to tell.
> there is an originating IP line. This is the actual mail server
> that the virus forwarded through. As you are aware, the virus
> changes the sent from address to "hahaha at sexyfun.net" so the
> excerpted info will not give enough info.
Hence my question; that is not "who", but "where". At least one
person who uses swbell.com has been infected, because I've gotten
multiple "Snow Whites" from there, but I don't know if it's one or
many, much less who.
Magnus, I think it was, told me in later e-mail that "Snow White"
sends out a new copy every time the infected user sends e-mail, so if
you happen to get a copy of SW just after someone sends you e-mail
from the same site, it's likely that they're the one responsible.
I haven't checked to see if that's true; I don't think I've gotten a
copy since he told me.
Daniel de Lincolia
--
Tim McDaniel is tmcd at jump.net; if that fail,
tmcd at us.ibm.com is my work account.
"To join the Clueless Club, send a followup to this message quoting everything
up to and including this sig!" -- Jukka.Korpela at hut.fi (Jukka Korpela)
============================================================================
Go to http://lists.ansteorra.org/lists.html to perform mailing list tasks.
More information about the Heralds
mailing list