Virus/Trojan possibly sending emails?

I got an email from my cousin that was obviously sent by a virus or a spammer. I wasn’t infected but I’m trying to help diagnose it with him. The email looked like this:

From: My Cousin
To: 50+ addresses from Cousin’s address book
Hotmail: Trusted email with powerful SPAM protection. Sign up now. 

I first suspected that it might just be a spoofer and that my cousin wasn’t actually infected (his name is ridiculously common) but when I noticed that the To: line was populated with real addresses that I recognize I deduced that it’s very likely a virus sent from his machine.

I haven’t gotten a response on what email client he uses but I’m assuming that if he checked it strictly on the web this type of attack wouldn’t be possible, correct?

Mostly I’m hoping you guys have seen a virus like this in action and can help direct me to a solution that I can pass along. Some quick Googling on my part hasn’t really revealed anything helpful. I know I’ve received similar messages in the past so odds are that it’s a fairly common infection.

Anyone have any ideas on how to solve it? Presumably if his machine is infected simply changing his email won’t do any good.

    • Actual link greeked so I’m not helping the scumbag out here.

Ask your cousin to follow the instructions in this thread:

How to protect and clean your computer from malware

Yeah, that thread is a bit of a scorched earth method that is probably beyond the scope of what I can help with via email. I was hoping there’s a starting point to be found by simply identifying what virus it probably is.

It’s more likely the login credentials were compromised (possibly through malware on the computer) and it’s some botnet somewhere using the account rather than malware using the computer to spam directly.

No, it’s really not overkill. Fixing a single virus is like killing the only cockroach you manage to see. There are certainly others in the house and many more can get inside at will. Installing AVG takes 10-15 minutes, just point him at that for a start.

Keep in mind that places like Hotmail are very well protected by now against spam being sent out.

The most common spam viruses turn your personal computer into its own email sender. They attempt to send on port 25. It’s easy, if you look up the sequence of text commands you can do it manually (I have often to test mail servers). TELNET <ip addr> 25 gets you out on port 25. Then do the HELO, MAIL TO, RCPT FROM, and DATA commands. So it’s trivial for a small program to spoof this.

Some ISPs will block port 25 traffic except to/from their email server, for just this reason. Most big companies block port 25 on the firewall except for their own mail servers.

Then the virus will look for existing mail and compose emails to all of the recipients. They can farm stored email in various formats, your address book, etc. Most such viruses nowadays are “botnets”; the infected machines represent zombies that can relay spam from a hidden central control machine. They can also relay any discovered addresses back to be added to the database.

Usually, if you dig into the header of the email (in Outlook Express, properties of email, show source) you can see exactly where the email came from, not where it claims to come from. There’s a series of email relays, and somewhere in the chain is a disconnect between what it was supposed to come from and the ip address it really came from.

What in the header would indicate that it was sent from a botnet? I opened the message I received and I can’t tell what is and isn’t supposed to be there.

He had Norton installed. He’s run lots of virus scans already. He recently upgraded to Windows 7 so I’m thinking reinstalling from scratch would be the quickest fix.

I did a reverse lookup on the Originating IP in the header of the suspect email and it traces back to Brazil. Can these be spoofed in an email header or does that info come straight from Microsoft (I use Hotmail)? Does that indicate that his address was somehow spoofed there?

The chain of mail relay sites could be partially fictional. If so, there will be a discrepancy between when it was sent to and then sent forward from, somewhere between your email server and the beginning.

Nothing would really indicate it came from a botnet, other than it is spam. Most large email sites collaborate to pinpoint spam sources and blacklist them; so most large sites also make an effort not to become labelled as sources of spam.

There are some simple freelance (not botnet) spam viruses; one particularly funny one would randomly email out selections from My Documents, so your wisdom could be imparted to the world, private or not.
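
An added illustration of the header check described in the replies above (not code from any poster in this thread): a Python sketch that reads the Received: lines oldest-first and flags the hop where the relay chain stops agreeing with itself, either in the server names or in the timestamps. The sample message, hostnames and IPs are constructed, and the name comparison is a heuristic, since real relays often report different internal and external hostnames.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (documentation-range IPs, example domains).
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx.recipient.example with ESMTP; Mon, 01 Mar 2010 10:00:05 +0000
Received: from mail.other.example (unknown [203.0.113.45])
 by relay.example.net with SMTP; Mon, 01 Mar 2010 10:00:02 +0000
Received: from cousin-pc (cousin-pc [192.0.2.10])
 by mail.sender.example with ESMTP; Mon, 01 Mar 2010 10:30:00 +0000
From: My Cousin <cousin@sender.example>
Subject: hi

body
"""

HOP = re.compile(r"from\s+(\S+).*?\[([\d.]+)\].*?\bby\s+(\S+)", re.S)

def parse_hops(raw):
    """Return hops oldest-first; each server prepends its own Received line."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())           # undo header folding
        m = HOP.search(flat)
        if not m or ";" not in flat:
            continue                             # formats vary; skip unparsable lines
        when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append({"from": m[1].lower(), "ip": m[2], "by": m[3].lower(), "time": when})
    return hops

def find_breaks(hops):
    """Flag hops whose claimed sender or timestamp disagrees with the previous hop."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        if cur["from"] != prev["by"]:            # previous hop handed off to someone else
            findings.append((i, "handoff", f'{prev["by"]} -> {cur["from"]} [{cur["ip"]}]'))
        if cur["time"] < prev["time"]:           # received before it was supposedly sent on
            findings.append((i, "clock", f'{prev["time"] - cur["time"]} earlier than previous hop'))
    return findings

if __name__ == "__main__":
    for idx, kind, detail in find_breaks(parse_hops(SAMPLE)):
        print(f"hop {idx}: {kind} mismatch: {detail}")
```

Only the Received: lines written by your own provider's servers can be trusted; anything below the first flagged hop may have been supplied by the sender.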