This Windows-based virus has found a way to affect even those of us who do the work to keep our systems virus-free. Just like a biological virus, it turns our own defense mechanisms against us.

The virus fills the "from:" address of the emails it sends out with addresses it harvests from files on the infected machine.

Well-protected mail systems detect the virus in the email and send a warning back to the address in the "from:" field. But of course, that is just an address the virus found on the infected machine, not the real sender.

Often, it turns out to be your address. For example, because my email address is published on the web, I'm getting a lot of this backwash.

  • The infected machines have my contact page in their web caches.
  • The virus finds my address there and places it in the "from:" field of its outgoing messages.
  • Protected email systems that receive these messages detect the virus and send a warning to the address in that "from:" field. The warning is meant to inform the sender that they have a virus.
  • But since the virus forged the "from:" field, the warning goes to the wrong address.

At the peak I was getting 50-100/day of this W32.SoBig.f "backwash"; I'm down to about 20-30/day right now, though it might get worse now that it's Monday. That's just a guess, since many infected office computers are being turned back on after the weekend off.

Interestingly, just as a biological virus can turn the body's own defenses against it, this virus has done the same. In terms of lost time, most of the damage is caused by well-defended mail systems bouncing warnings back to the "from:" address. They do this for a good reason, to warn the sender that they have sent a virus, but in this case the "from:" address is not the real sender, so the warning only adds to the flood.

What's needed is a flag in the email filter's virus signature file that says "this virus forges the 'from:' field, so don't bother warning the sender". Since the forged address can only ever belong to an innocent third party, the filter should suppress the warning whenever that flag is set, and the safer default for a signature that doesn't say either way is to treat the sender as forged.
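To make the mechanism and the proposed flag concrete, here is an added example of my own; it is not code from the original post and not from any real mail filter. It models a gateway both ways: the old behaviour that always warns the "from:" address, and the fixed behaviour that consults a per-signature `forges_sender` flag. The signature table, the attachment names, the addresses and the flag name are all constructed for the illustration; they are not real signature data.

```python
"""
Model of the "backwash" problem: an AV gateway that warns the From:
address about a virus, and the proposed per-signature flag that says
the From: address is forged so no warning should be sent.

Everything here is constructed for illustration (signature table,
attachment names, addresses, flag name). It is not real signature data.
"""
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    attachment_names: frozenset          # constructed stand-in for a real pattern
    forges_sender: bool = True           # the proposed flag; default assumes forged


# Constructed signature table. "forges_sender" is the flag the post asks for.
SIGNATURES = (
    Signature("W32.SoBig.f",
              frozenset({"your_document.pif", "details.pif", "wicked_scr.scr"}),
              forges_sender=True),
    # Hypothetical virus that does NOT forge its sender, so a warning is useful.
    Signature("Hypothetical.NoForge", frozenset({"honest.exe"}), forges_sender=False),
)


def scan(msg: EmailMessage) -> Optional[Signature]:
    """Return the matching signature, or None if the message looks clean."""
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        for sig in SIGNATURES:
            if fname in sig.attachment_names:
                return sig
    return None


def build_warning(infected: EmailMessage, sig: Signature) -> EmailMessage:
    """The "you sent us a virus" notice, addressed to whatever From: claims."""
    warn = EmailMessage()
    warn["To"] = parseaddr(str(infected["From"]))[1]
    warn["From"] = "postmaster@gateway.example.net"
    warn["Subject"] = f"Virus {sig.name} found in your message"
    warn.set_content(f"A message from you to {infected['To']} contained {sig.name}.")
    return warn


@dataclass
class Gateway:
    honour_flag: bool                      # False = old behaviour, always warn From:
    outbox: List[EmailMessage] = field(default_factory=list)

    def handle(self, msg: EmailMessage) -> str:
        sig = scan(msg)
        if sig is None:
            return "delivered"
        if self.honour_flag and sig.forges_sender:
            return "quarantined"           # forged sender: warning would be backwash
        self.outbox.append(build_warning(msg, sig))
        return "quarantined+warned"


def infected_message(forged_from: str, to: str, attachment_name: str) -> EmailMessage:
    """A constructed worm-style message; the attachment bytes are a harmless placeholder."""
    msg = EmailMessage()
    msg["From"] = forged_from
    msg["To"] = to
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    msg.add_attachment(b"MZ" + b"\0" * 16, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


def simulate(honour_flag: bool) -> Tuple[int, int]:
    """Run a burst of traffic through a gateway.

    Returns (warnings sent, warnings that land on the innocent harvested address).
    """
    harvested = "me@example.org"          # address the worm found in a web cache
    gw = Gateway(honour_flag=honour_flag)
    for i in range(3):                    # the worm forges the harvested address
        gw.handle(infected_message(harvested, f"user{i}@example.net", "your_document.pif"))
    # one message from a hypothetical virus whose sender is genuine
    gw.handle(infected_message("carol@example.com", "user9@example.net", "honest.exe"))
    backwash = [w for w in gw.outbox if str(w["To"]) == harvested]
    return len(gw.outbox), len(backwash)


if __name__ == "__main__":
    print("old gateway (warn everyone):", simulate(False))   # → (4, 3)
    print("flag honoured:              ", simulate(True))    # → (1, 0)
```

With the flag ignored, every detection of the forging worm produces a warning to the harvested address, which is exactly the backwash described above; with the flag honoured, only the non-forging virus triggers a warning, and it reaches the real sender.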


