Do I have a virus in my work computer? My IS department says no, but...

I use MS Outlook at work. I don’t know what version, if it matters.

I, and apparently a few others at work today, suffered a spam attack all day long; about 20-30 emails an hour, with attachments. One of the very first ones showed as coming from my coworker, so I opened it and the attachment. The attachment, on the surface at least, consists of a text file note from our IS security system saying the original attachment was removed for security reasons.

All well and good, till I get some autoresponses from System administrators, that the emails I sent out were undeliverable. I even got one reply saying the SOBIG (sp?) virus was detected in my email, and so was being returned undelivered.

Thing is, I hadn’t sent any email, so I called IS. Their tech came over and ran some checks, and assured me my computer was not infected. “How is it that I seem to be sending out email, then”, I asked. She didn’t have an answer.

When the problem continued, I asked another tech later in the day if the first tech knew what she was doing. Oh sure, he said, these emails are just “bouncing off” my PC and the system was generating notification messages to tell me so.

OOH, the returned messages clearly indicate my email address as the originator.

OTOH, I don’t find any of my supposed recipients among my Contacts list.

So, can all this happen WITHOUT my computer being infected?

Apparently so, though I don’t have a clue how.

Because I am a contractor (OK, a temp) I do not have a work e-mail address, so I use a web-based free e-mail service. Today I must have received 10-12 messages from mailer daemons and the like “returning” “my” message as undeliverable because the attachment contained an executable, and the like.

Funny thing is, I haven’t opened anything other than basic, vanilla text messages all day, from legitimate addresses such as my wife’s (she’s even more secure than I) and various publishing houses in New York. So I know I didn’t get infected with Sobig, but someone sure is using my address, and faking the return path no less.

Resident IT experts wanna explain this to poor us’n?

Simplicity itself:

Someone who has the Sobig virus has your e-mail address in his address book, and Sobig is sending out messages with your address as the from: and the return: address.

This keeps the person with the infected computer from noticing the problem - all of the messages that get bounced go somewhere else, and the poor sucker doesn’t notice that he’s sending out virus laden e-mail.

My guess is that the PC of someone who had your e-mail address in a file somewhere got infected. According to an advisory that I got today the W32.Sobig.F@mm worm (alias Sobig.F [F-Secure], W32/Sobig.F@MM [McAfee], WORM_SOBIG.F [TrendMicro]):

  • infects the PC of users who open an infected attachment (filename extensions .zip, .pif and .scr)

  • scans files with the extensions .wab .dbx .htm .html .eml .txt .hlp and .mht for e-mail addresses

  • sends infected e-mail with its own SMTP engine to addresses harvested from the above sources, with a faked return address.

I got an alert about “sobig” from the Faire today:

You can find detailed and technical info about sobig at SARC

Although it’s probably a recent virus using your From: address in this case, it’s also possible that a person is doing it. Sometimes spammers send mail that appears to be from someone else’s address, and you’ll get a truckload of delivery failure messages for a while (I had this happen to me a while back, and there’s nothing to do but wait it out).

This makes a lot of sense. I’ve been getting similar emails in my account, and it’s on a Unix machine, which as far as I can tell is impervious to viruses. So I was worried, but not too worried.

I got a bunch of that today too, deleted them but looked at one & it was an MSDOS link. Which means I couldn’t scan it because my virus scanner doesn’t scan MSDOS links or didn’t seem to want to.

Unix is no more impervious to viruses than ugly women are impervious to sexual advances.

Nobody writes viruses for Unix because it’s not worth the effort but they very well could be written.

First of all, thanks for the prompt responses, my mind is put at ease to an extent, but now I have a new thought to worry about.

How deep does this faking the sender go?

Suppose somebody sent a threatening email to the White House and used mine as the return address. Would the Secret Service show up at my door, or is there some simpler way to tell if the sender’s name is bogus?
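One way to answer that last question is to read the message's Received: headers rather than its From: line, since each mail server adds a Received: hop as the message passes through and the oldest hop shows where it entered the mail system. The script below is an added example, not code from this thread; the message, host names and addresses in it are constructed, and the rDNS-matches-From-domain rule is only a heuristic (webmail and ISP relays break it too).

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the worm claims the mail is From: alice@example.com, but the
# oldest Received: hop shows it was injected from a dial-up host on another network.
# HELO names are sender-controlled, so the check below uses the receiving server's
# reverse-DNS annotation in parentheses, not the HELO string.
SPOOFED = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.net with ESMTP id abc123; Tue, 19 Aug 2003 10:22:01 -0400
Received: from example.com (dialup-203-0-113-77.isp.example [203.0.113.77])
\tby mx.example.org with SMTP id xyz789; Tue, 19 Aug 2003 10:21:58 -0400
From: alice@example.com
To: bob@example.net
Subject: Your details

See the attached file for details.
"""

def parse_received(value):
    """Extract the claimed HELO name, reverse-DNS name and IP from one Received: header."""
    value = " ".join(value.split())  # unfold continuation lines
    m = re.match(r"from\s+(\S+)(?:\s*\(([^)]*)\))?", value, re.I)
    if not m:
        return {"helo": None, "rdns": None, "ip": None}
    helo, paren = m.group(1), m.group(2) or ""
    rdns = re.match(r"([A-Za-z0-9.-]+)", paren)
    ip = re.search(r"\[([\d.]+)\]", paren)
    return {"helo": helo.lower(),
            "rdns": rdns.group(1).lower() if rdns else None,
            "ip": ip.group(1) if ip else None}

def analyze(raw):
    """Return the From: domain, the originating hop and a spoofing verdict.

    Servers prepend Received: headers, so the last one is the oldest hop. Only hops
    added by servers you trust are reliable; anything below them can be forged too.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    hops = [parse_received(str(h)) for h in msg.get_all("Received", [])]
    origin = hops[-1] if hops else None
    rd = (origin or {}).get("rdns") or ""
    # Heuristic: mail genuinely sent by example.com normally enters the network from a
    # host whose reverse DNS is example.com or a subdomain of it.
    spoof_suspected = bool(from_domain and origin) and not (
        rd == from_domain or rd.endswith("." + from_domain))
    return {"from_domain": from_domain, "origin": origin, "spoof_suspected": spoof_suspected}
```

Running analyze(SPOOFED) reports the From: domain as example.com while the originating hop is a dial-up host at 203.0.113.77, so the From: address is flagged as suspect; a bounce you receive for mail you never sent is the same picture seen from the other end.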