Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Where are these viruses coming from?

Today I got a message that I had received two Emails in my box with
a virus … But where [do they] come from?

There’s no 100% reliable way to tell who really sent you the virus.
The only thing that’s likely is that your email address or the address
of an email list you are a member of is contained in an address book
on the machine that sent it to you, and that that machine is a Windows
machine. As to who’s machine that might be, you can get clues from
the more detailed email headers that you typically don’t see, but even
then it’s often difficult to tell.

Become a Patron of Ask Leo! and go ad-free!

This virus and many recent viruses work by emailing a copy to
everyone it finds in the address books it finds on infected machines.
It also spoofs, or fakes, the “From:” address, to hide where the email
is coming from. It looks like this virus uses only certain “from”
addresses, but others will actually use other addresses found in the
infected machines address book.

“From spoofing” is a little confusing so let’s whip up an example.

Peter has both Paul and Mary in his email address book. Paul and
Mary do not know each other and have never emailed each other.
Unfortunately, Peter’s computer becomes infected with one of the
viruses we’re talking about. The virus starts emailing itself to
everyone in Peter’s address book and also uses the address book to make
fake “from” addresses. As a result, Peter’s computer sends email to
Mary that looks like it’s “from” Paul, even though Paul had
nothing whatsoever to do with it. If Mary believes the “from” address,
she may get upset with Paul for “sending” her the virus but her anger
is misplaced – it’s Peter’s machine that’s infected.

If we take a look at the email header information that comes with
each email message, we may be able to track the source a little
better. The header information I’m talking about is information that
many email clients don’t show you by default. As an email message gets
passed from computer to computer each will add a informational line to
the header saying when the message was received and from what IP
address. The first of those should be from the machine that sent the
email in the first place.

Unfortunately it’s not always that simple. For example a broadband
router, firewall, or proxy server can mask a machine’s address on the
internet. In addition, some of the virii take steps to obscure or spoof
the header information.

Outlook and Outlook express are both common mailers as well as
common virus targets that hide the headers by default. If you want to
have a look at the headers I’m talking about:

Outlook: Right click on the message in the message list and
select Options. In the default pain of the options dialog is a box
labeled “Internet Headers”. The box is almost always smaller than the
accumulated header information, so you may want to copy/paste the
headers into notepad to view.

Outlook Express: Right click on the message in the message list and
select Properties and then on the “Details” tab. The details tab
contains the internet headers.

The headers are not meant to be pretty or easy to understand but
typically the last “received from” line will tell you the IP address
and possibly the machine name that the mail may have originated
from. In our example above, it may be easy to identify Peter’s machine by
his IP address or his machine name … or that information may still be

The virus that triggered this question was w32.sober@mm, which you
can read more about here at Symantec’s site.
(They’re my recommended virus reference site.)

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

4 comments on “Where are these viruses coming from?”

  1. What’s the cure? I’ve already run my virus updates and virus checker – it found absolutely nothing! But all my email contacts are getting being used all over with these fake attachments. Is there any way to protext your address book from being seen by the hackers? Yes, I do have a Norton Personal Firewall and it is set from medium to high depending on where I’m surfing.



  2. Also make sure your email program is fully up-to-date with its latest patches. You didn’t say what you’re using, but Outlook and Outlook express are the normal targets for these viruses. Outlook can be updated at Office Update, and Outlook Express gets updated via Windows Update, both at

    Also know that you didn’t need to have the virus to have your email address be abused. I’ve never been infected with an email virus, and yet I get bounces because of the MyDoom and related viruses all the time. This happens because of SPAM lists, your address in other people’s address books (where *they* get infected), and some varients of the virus that even spread the addresses around as they infect, or so I’m told.

    It really sucks.

    This article may also help explain:



  3. I have scanned all workstations and havent been able to track down the W32.Sober@MM virus. I’m still not sure if our company has the virus since no one claims that they have actually opened the attachment but we are still receiving alot of the W32.Sober@MM emails in our Outlook Inbox. Any idea on how to stop receiving the W32.Sober@MM emails?



  4. Brad,
    Do you use Fortinet? It strips all the infected messages of the virus and simply leaves a text file telling you the malicious file is gone and why. It is probably the best email virus scanner for offices.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.