Determining the actual system infected by sobig


Sam Hobbs
August 25th, 2003, 05:33 PM
How easy or difficult is it to determine the actual system that is sending me the sobig virus?

I am not concerned about being infected, especially since my ISP is removing the worm from my email. My antivirus software also protects me. However I have received a total of nearly 400 messages and I think most of them are from the same system. So it is not critical that I notify them but I will make an attempt to if I can.

Based on the spoofed email addresses in the "From" header, I get the impression it might be a CodeGuru member. The messages seem to be sent from a system in India, since the timezone of the messages sent is UTC+05:30. I know that they are not all being sent from the same system, but probably all or most of the ones from India are from one system.

I have used the SamSpade.org (http://samspade.org) utility to analyze some of the messages but I don't know what is valid and what is not valid. I am hoping someone knows someplace that has information about this specific worm that explains how to analyze the headers.

Yves M
August 25th, 2003, 08:06 PM
I'm not exactly sure, but from what I've read about Sobig, I think it uses its own SMTP engine. This would usually mean that if the email doesn't go through an anonymous remailer (which I think it doesn't), the IP address of the originating host should be correct.

In the email source, you can view this information in the "Received" field. There is a list of SMTP servers through which the message has passed and the last of these should be the infected machine. Of course, you only get the IP address and that probably doesn't help you further unless it's static and it's from someone you also exchange regular email with.

For example, this tells me though that the 20 instances of the virus I received all came from the same computer. Actually, something strange... They all seem to be coming from Iran. I didn't realize that I knew people there ;)

Sam Hobbs
August 25th, 2003, 08:48 PM
There are a few CodeGuru members in Iran.

Okay, most (probably all) such messages I am receiving lately have as the last "Received" header something such as the following two (these are from two different messages):

Received: from GEONAVNET ([202.63.113.42])
by lamx01.mgw.rr.com (8.12.8p1/8.12.8) with ESMTP id h7PKVRAe016822 for
<Samuel@Socal.rr.com>; Mon, 25 Aug 2003 16:31:29 -0400 (EDT)

Received: from GEONAVNET ([202.63.113.42])
by lamx01.mgw.rr.com (8.12.8p1/8.12.8) with ESMTP id h7PI14Ae008286 for
<Samuel@Socal.rr.com>; Mon, 25 Aug 2003 14:01:06 -0400 (EDT)

The "Date" header is something such as:

Date: Mon, 25 Aug 2003 23:31:30 +0530

Which is where I get the UTC+0530 timezone from. The 202.63.113.42 address I have been seeing a lot lately. The messages seem very consistent in having that address. So yesterday I did a whois using APNIC (http://www.apnic.net) and found it to be "Southern Online Services" in India. I sent a message to someone (I think the technical contact) but I have not heard from them.

When I wrote this post today I was confused and forgot that I had sent that message about that IP address. So do you suppose that is the IP address of the infected machine?

Yves M
August 25th, 2003, 09:10 PM
Most likely yes. But that doesn't help. And writing an email to the person listed in WHOIS is not really a good idea. If it is a telecoms company, they probably have some 10 thousand users upwards. Now say that 1 in a 100 is infected, which would mean 100 infected machines. Each machine is sending out 10K emails a day. Now imagine the poor tech contact getting swamped in other internet users complaining that there is one of their clients that has an infected machine. If he gets only a hundred of these each day, he's lucky. And what can (or more to the point, will) he do about it?

A part of the virus' problem is the additional traffic it generates. Pointing out a compromised machine is still OK by any standard, but in addition to the instances of the virus, I received something like 50 auto-generated emails from companies' (or universities') email servers saying that the message I had tried to send to one of their users (the virus sending them out as me, spoofing the From: field, of course) could not reach the user. It's just plain annoying.

Sam Hobbs
August 25th, 2003, 09:49 PM
I think many security experts would consider it to be a good thing to annoy the ISPs providing internet services to infected machines. Plenty of people think that there is far too little being done. I know that many security specialists are very annoyed that people don't fix their systems and allow them to be infected and to remain infected.

The email address listed in WHOIS is there for this purpose.

It has gotten to the point that people have been suggesting development of a good worm to go around to fix things. Of course this is highly controversial and many consider it to be a bad thing. Yes, there is actually a version of the sobig virus that is supposedly a good worm; the "D" version. Of course it might not actually be good.

Yes, I am totally familiar with the messages from mail daemons accusing me of sending the virus. I know I have received over 20 and I think it is nearly certain that I have also received over 50 of them. I have responded to a few. Their messages tell me to check my system and I reply by saying they need to check their system. They are the ones in error. We know that this worm always uses the wrong "From" address, and that is evidently what they are using when they say we sent it.