
trace virus headers???


Original Message
Name: Finn209
Date: January 23, 2004 at 06:05:13 Pacific
Subject: trace virus headers???
OS: XP
CPU/Ram: n/a
Comment:

Can anyone help identify where this virus came from? Here's the email headers that came with it. It did not come from the "Return Path" address.

X-Apparently-To: finn209@yahoo.com via 216.109.117.232; Thu, 22 Jan 2004 14:44:00 -0800
X-YahooFilteredBulk: 216.153.232.109
Return-Path: <unit208@apex.net>
Received: from 216.153.232.109 (HELO test) (216.153.232.109)
by mta212.mail.scd.yahoo.com with SMTP; Thu, 22 Jan 2004 14:43:59 -0800
Date: Thu, 22 Jan 2004 17:34:38 -0600
To: Finn209@yahoo.com
Subject: Hi
From: unit208@apex.net
Message-ID: <hlqhcxvywielksxgkva@apex.net>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--------667012071327811"


Response Number 1
Name: Imp
Date: January 23, 2004 at 08:52:42 Pacific

Hello Jeff,
Apparently a brand new virus coming from Microsoft, easy to recognize by the "hello" coming in the subject ....
This is a trojan horse.....
Download and try this freeware:
Trojan Remover 6.15
Read well the "helpme" file in order to use the two scans of the program, one to check your memory RAM, second to hunt and eradicate the worm hidden in your hard drive.... Good luck


Response Number 2
Name: suzi
Date: January 23, 2004 at 11:20:14 Pacific

It's very difficult to tell where it comes from. It seems to come from this IP address - 216.153.232.109. But the headers can be spoofed also.

Whois Information from "whois.arin.net" about 216.153.232.109

OrgName: Choice One Communications Inc
OrgID: CHOC
Address: 100 Chestnut St.
City: Rochester
StateProv: NY
PostalCode: 14609
Country: US

NetRange: 216.153.128.0 - 216.153.255.255
CIDR: 216.153.128.0/17
NetName: CHOICE-1-COM
NetHandle: NET-216-153-128-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.CHOICEONE.NET
NameServer: NS2.CHOICEONE.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-01-12
Updated: 2001-06-06

TechHandle: ZC141-ARIN
TechName: Choice One Communications
TechPhone: +1-716-853-1331
TechEmail: IP@choiceonecom.com

OrgTechHandle: HOSTM34-ARIN
OrgTechName: hostmaster
OrgTechPhone: +1-716-853-1331
OrgTechEmail: ip@choiceonecom.com

It says from unit208@apex.net. Apex.net seems to be part of Earthlink. I don't know if that helps or not but that's about all that can be figured out from the headers, I think.

Domain Name.......... apex.net
Creation Date........ 1995-10-23
Registration Date.... 2003-03-30
Expiry Date.......... 2004-10-22
Organisation Name.... Earthlink, Inc.
Organisation Address. 1375 Peachtree St.
Organisation Address. Level A
Organisation Address. Atlanta
Organisation Address. 30309
Organisation Address. GA
Organisation Address. UNITED STATES

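A way to read these headers programmatically, as an added example that is not part of the thread (the constructed input reproduces the headers posted above, re-folded): it separates the one hop the recipient's own MTA actually observed from the fields the sender controls, and flags the HELO and Date inconsistencies visible in this message.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed input: the headers posted in the thread, re-folded so the
# "by ..." continuation line is indented as a folded header should be.
RAW_HEADERS = """\
X-Apparently-To: finn209@yahoo.com via 216.109.117.232; Thu, 22 Jan 2004 14:44:00 -0800
X-YahooFilteredBulk: 216.153.232.109
Return-Path: <unit208@apex.net>
Received: from 216.153.232.109 (HELO test) (216.153.232.109)
  by mta212.mail.scd.yahoo.com with SMTP; Thu, 22 Jan 2004 14:43:59 -0800
Date: Thu, 22 Jan 2004 17:34:38 -0600
To: Finn209@yahoo.com
Subject: Hi
From: unit208@apex.net
Message-ID: <hlqhcxvywielksxgkva@apex.net>
MIME-Version: 1.0

"""

# Matches the "from X (HELO Y) (ip) by Z ...; date" form written by Yahoo's MTA.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(HELO\s+(?P<helo>[^)]*)\)\s+\((?P<ip>[\d.]+)\)"
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")

def analyse(raw):
    """Return what the headers actually prove versus what the sender merely claims."""
    msg = message_from_string(raw)
    # Each relay prepends its own Received line, so the first one was written by
    # the recipient's MTA and is the only hop it can vouch for; everything the
    # sending host supplied (From, Return-Path, Date, Message-ID) is untrusted.
    first_hop = " ".join((msg.get_all("Received") or [""])[0].split())
    m = RECEIVED_RE.search(first_hop)
    if not m:
        raise ValueError("unrecognised Received format: " + first_hop)
    received_at = parsedate_to_datetime(m["date"])
    claimed_date = parsedate_to_datetime(msg["Date"])
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return {
        "origin_ip": m["ip"],               # connecting IP seen by the receiving MTA
        "receiving_mta": m["by"],
        "helo": m["helo"],
        "helo_is_fqdn": "." in m["helo"],   # a real mail host greets with its FQDN
        "from_domain": from_domain,
        "helo_matches_from": m["helo"].lower().endswith(from_domain),
        # Seconds by which the sender's Date claims to be later than delivery;
        # a positive value means the sending clock or the header is bogus.
        "date_skew_seconds": int((claimed_date - received_at).total_seconds()),
    }

if __name__ == "__main__":
    for key, value in analyse(RAW_HEADERS).items():
        print(f"{key:20} {value}")
```

For this message the only trustworthy fact is that 216.153.232.109 connected to Yahoo; the HELO "test", the apex.net sender and a Date 50 minutes after delivery are all sender-supplied and inconsistent.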

Response Number 3
Name: Finn209
Date: January 24, 2004 at 09:13:57 Pacific

Thanks much for the info!

I did realize that it was the new virus. I never opened the attachment, nor got infected by it.

I was just curious as to who the sender was. The apex address was a fellow worker of mine, but I think that address was spoofed. I talked with him just 10 minutes after the time it was sent. He hadn't been on-line all day that day......and had just updated his virus protection on the day before.

Plus McAfee said that was a type of virus that does address spoofing.

I had been trying to learn how to trace email headers but not having much luck with it.

I thought that it had probably come from the CHOICEONE.NET in NY, but I wasn't for sure.

Would you happen to know where the virus gets the address that it uses to spoof with?

I was wondering if the spoofed address comes from the infected machine? Or if it was somehow able to spoof an address from my Outlook Express, even before I open the email?
