October 2002 BugBear virus

About September 30th a new network-aware virus started spreading on the Internet. It uses the MIME header exploit in IE to infect Windows machines directly from email (without showing an attachment), and subsequently attempts to spread via NetBIOS file sharing.

Around the same time the Opaserv-A worm started spreading rapidly, causing some confusion (to me, at least).

This virus forges both sender and return addresses. It is pointless to reply to the sender. The TRIUMF mailer trmail is now deleting this virus so you should not normally see it.
The virus finds an old mail message in a mail folder, combines the name and userid with a domain from another message, and uses that as the sender. It then sends itself automatically to other email addresses discovered in the folder and elsewhere.
Example: In the mail folder there are two messages:

From: Joe Blow <joe@triumf.ca>
Subject: magnet upgrade
..
From: Anton Fogg <anton@ubc.ca>
Subject: Re. magnet upgrade
The virus may send the following:
From: Joe Blow <joe@ubc.ca>
Subject: magnet upgrade
..
+virus attachment+
It may be possible to discover the infected machine from the full headers. For example (real message):
Return-Path: <joe@triumf.ca>
Received: from trmail.triumf.ca ([142.90.100.150])
   by lin01.triumf.ca (8.10.2/8.10.2) with ESMTP id g9PM57H06849
   for <fred@lin01.triumf.ca> Fri, 25 Oct 2002 15:05:07 -0700
Received: from triumf.ca (lin02.Triumf.CA [142.90.xx.yy])
   by trmail.triumf.ca (8.10.2/8.10.2) with ESMTP id g9PM57j05116
   for <fred@triumf.ca> Fri, 25 Oct 2002 15:05:07 -0700
Message-ID: <3DB9C012.B35004A7@triumf.ca>
In this case the originating machine is lin02 - the "from" address in the last (chronologically earliest) Received header.
(virus)
Return-Path: <joe@ubc.ca>
Received: from trmail.triumf.ca ([142.90.100.150])
   by lin01.triumf.ca (8.10.2/8.10.2) with ESMTP id g9PM57H06849
   for <fred@lin01.triumf.ca> Fri, 25 Oct 2002 15:05:07 -0700
Received: from yahoo.com (dorm23.sfu.ca [174.92.xx.yy])
   by trmail.triumf.ca (8.10.2/8.10.2) with ESMTP id g9PM57j05116
   for <fred@triumf.ca> Fri, 25 Oct 2002 15:05:07 -0700
Message-ID: <3DB9C012.B35004A7@triumf.ca>
In this case the infected machine is dorm23.sfu.ca. The only thing that can really be trusted is the [174.92.xx.yy] address inserted by trmail. The "yahoo.com" is clearly bogus, and the "dorm23.sfu.ca" may be missing if the address does not resolve. This applies to spam, too - though occasionally a spammer will add bogus headers after the last real one.
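The header-reading rule above, as an added example (not part of this notice): walk the Received headers newest-first, stop at the one written by our own relay, and take the bracketed address from its "from" clause as the real origin. It assumes trmail.triumf.ca is the first relay under our control, and the HELO-name check is a heuristic of mine; the sample headers are the two blocks quoted above.

```python
import re
from email.parser import HeaderParser

# Relay whose Received header we trust; on the page this is trmail (assumption
# that it is the first MTA under our control on the inbound path).
TRUSTED_RELAY = "trmail.triumf.ca"

# "from <helo> (<reverse-dns> [<ip>]) by <host>"; the reverse-DNS name is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def trace_origin(raw_headers, trusted_relay=TRUSTED_RELAY):
    """Return the host that handed the message to the trusted relay, or None.
    Received headers are read newest-first (the order they appear); the first one
    written by the trusted relay is the last one we can believe. Older ones may be forged.
    """
    msg = HeaderParser().parsestr(raw_headers)
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(received.split()))  # unfold the header
        if not m or m.group("by").lower() != trusted_relay:
            continue
        helo = m.group("helo").lower()
        rdns = (m.group("rdns") or "").lower() or None
        # Heuristic: a HELO name is plausible if it is the reverse-DNS name or
        # its domain; "yahoo.com" claimed by dorm23.sfu.ca is flagged as bogus.
        bogus = rdns is not None and not (rdns == helo or rdns.endswith("." + helo))
        return {"ip": m.group("ip"), "rdns": rdns, "helo": helo, "helo_bogus": bogus}
    return None

# The two header blocks quoted on the page (IP octets masked there as xx.yy).
GENUINE = """\
Return-Path: <joe@triumf.ca>
Received: from trmail.triumf.ca ([142.90.100.150])
   by lin01.triumf.ca (8.10.2/8.10.2) with ESMTP id g9PM57H06849
   for <fred@lin01.triumf.ca> Fri, 25 Oct 2002 15:05:07 -0700
Received: from triumf.ca (lin02.Triumf.CA [142.90.xx.yy])
   by trmail.triumf.ca (8.10.2/8.10.2) with ESMTP id g9PM57j05116
   for <fred@triumf.ca> Fri, 25 Oct 2002 15:05:07 -0700
"""
VIRUS = GENUINE.replace("<joe@triumf.ca>", "<joe@ubc.ca>").replace(
    "from triumf.ca (lin02.Triumf.CA [142.90.xx.yy])",
    "from yahoo.com (dorm23.sfu.ca [174.92.xx.yy])")

if __name__ == "__main__":
    for label, hdrs in ("genuine", GENUINE), ("virus", VIRUS):
        print(label, trace_origin(hdrs))
```

When the relay could not resolve the connecting address, rdns is None and no HELO verdict is given; only the bracketed IP remains trustworthy.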

Vendor Virus analysis:

Removal Tools:

Security Advisories:
Andrew Daviel, TRIUMF