[extropy-chat] Virus Detection 101 [was: application]

[Robert J. Bradbury]

On Mon, 26 Apr 2004, BillK wrote:

> On Sun Apr 25 11:49:16 MDT 2004 extropy at unreasonable.com wrote:
>
> > Please confirm the document.
> >
> > ++++ Attachment: No Virus found
> > ++++ Norman AntiVirus - www.norman.com
> >
>
> I saved the attachment document04.obj size 29,840 bytes to disk then
> scanned it [snip].

Ok folks VIRUS DETECTION 101:
a) Look at the size of the message -- if its between 30-45K bytes
it *probably* got a virus in it (you don't even have to run the
anti-virus software).

b) Ignore the "From:" line.  They can easily be forged.

c) Look at the message transmission log in the actual message source.
If your mail program can't display this go to the Javien Forum and
look at the actual messge "source" (bottom right hand corner of
the screen).

Look at the last "Received:" line in the message source.
It was received from what looks like a DSL or dial-up line at ...pooles.rima-tde.net
which translates to 81.33.36.216.

Then on a unix/linix system run a traceroute to 81.33.36.216.
(Under DOS shells you can usually use TRACERT).

It ends up getting routed to Virginia then the response times jump
and it looks like it is going overseas.  From the U.S. it gets
routed through ...red.telefonica-wholesale.net and then to
...pooles.rima-tde.net.  Given the jump in the response times
and the names involved my suspicion would be a user in perhaps
Spain or Italy (though Mexico isn't out of the question) [1].

My guess would be that its a corrupted PC.  There was an announcement
today I think by one of the SPAM black lists has completely
cut off blocks of IP addresses in Spain because they were
distributing so much SPAM.  That would be my guess at this time.

Robert

1. We need a utility that links IP addresses to countries -- I've
seen suggestions that there are Perl libraries and/or web sites
that provide this capability but I don't know what/where they are.