Normal headers of an email:
Date: Fri, 14 Feb 2003 9:04:00 +0100
From: <big@boss.com>
To: <xxxx@xxxxx.com> {My domain's web-based email address.}
Subject: Re: Here is that sample
My web host is text-based, so it only showed the option to download the file "Untitled1.pif". I've looked at it with a hex editor. I only see an error message and a call to kernel32.dll. The only other ASCII I see is "RICH" and "PE".
Filename: Untitled1.pif
Type: application/octet-stream
Encoding: base64
All headers of the email:
Return-Path: <big@boss.com>
Delivered-To: xxxxx.com-xxxxx@xxxxx.com {My email address}
Received: (qmail 9437 invoked from network); 14 Feb 2003 08:04:15 -0000
Received: from m1.netfirms.com (HELO m5.netfirms.com) (66.48.76.114)
by m0.netfirms.com with SMTP; 14 Feb 2003 08:04:15 -0000
Received: (qmail 2305 invoked from network); 14 Feb 2003 08:04:09 -0000
Received: from node-c-5da1.a2000.nl (HELO T-0E909EFUDR5I7) (62.194.93.161)
by m5.netfirms.com with SMTP; 14 Feb 2003 08:04:09 -0000
From: <big@boss.com>
To: <xxxxx@xxxxx.com>
Subject: Re: Here is that sample
Date: Fri, 14 Feb 2003 9:04:00 +0100
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="CSmtpMsgPart123X456_000_0AF374A1"
I went to ww2.hunter.com and searched for 62.194.93.161 and got this:
161.93.194.62.in-addr.arpa PTR node-c-5da1.a2000.nl
I Googled a2000.nl and found UPC Nederland at www.a2000.nl. I couldn't find a Dutch-to-English web translator, so I wrote an email to abuse@a2000.nl. I'm guessing here that UPC Nederland is an ISP and the email originated from one of its dial-up customers.
Was my research correct? Is this enough? What else can I do?
Any suggestions for dissecting this program? How would I find out if it goes to IRC to report keystrokes or passwords? If it goes to IRC, what can I do besides lurking in that room for the program author?
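The Received-header walk described in the post, as an added example (not code from the original post): it unfolds the headers quoted above (embedded here as a constructed sample, with the poster's redactions kept), reads the Received chain oldest-first, and picks the first hop that was not handed over by the recipient's own relays; `netfirms.com` is assumed to be the trusted relay suffix, since only headers stamped by your own provider's servers are trustworthy and anything earlier in the chain can be forged by the sender.

```python
import re

# Constructed sample: the Received chain quoted in the post above.
RAW_HEADERS = """\
Return-Path: <big@boss.com>
Received: (qmail 9437 invoked from network); 14 Feb 2003 08:04:15 -0000
Received: from m1.netfirms.com (HELO m5.netfirms.com) (66.48.76.114)
  by m0.netfirms.com with SMTP; 14 Feb 2003 08:04:15 -0000
Received: (qmail 2305 invoked from network); 14 Feb 2003 08:04:09 -0000
Received: from node-c-5da1.a2000.nl (HELO T-0E909EFUDR5I7) (62.194.93.161)
  by m5.netfirms.com with SMTP; 14 Feb 2003 08:04:09 -0000
From: <big@boss.com>
Subject: Re: Here is that sample
"""

# Matches the "from <rdns> (HELO <name>) (<ip>) by <relay>" form used above;
# the qmail "invoked from network" lines carry no peer address and are skipped.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>[\d.]+)\)\s+by\s+(?P<by>\S+)", re.I)

def unfold(raw):
    """Join folded continuation lines and return (name, value) pairs."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return [tuple(p.strip() for p in l.split(":", 1)) for l in lines if ":" in l]

def received_hops(raw):
    """Hops oldest-first: relays prepend Received, so reverse the header order."""
    hops = []
    for name, value in unfold(raw):
        if name.lower() == "received":
            m = RECEIVED_RE.search(value)
            if m:
                hops.append(m.groupdict())
    return list(reversed(hops))

def origin(raw, trusted_suffix):
    """First hop whose sending host is outside the trusted relays is the best
    origin candidate; a HELO name differing from reverse DNS is worth noting."""
    for hop in received_hops(raw):
        if not hop["rdns"].lower().endswith(trusted_suffix.lower()):
            hop["helo_mismatch"] = hop["helo"].lower() != hop["rdns"].lower()
            return hop
    return None

if __name__ == "__main__":
    print(origin(RAW_HEADERS, "netfirms.com"))
```

The reported hop (62.194.93.161, reverse DNS node-c-5da1.a2000.nl, HELO T-0E909EFUDR5I7) is the one to take to the abuse contact; the Windows-style HELO name not matching reverse DNS is consistent with a home dial-up client rather than a mail server.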