Fizzer virus

In the last few days, our AntiVirus program for Domino caught over 1,000 emails with the Fizzer virus. According to the scanning history, all clients and servers are clean. However, I notice that about 50 of the caught emails were sent by a staff member who has left. His name and mail file were removed from our address book over one year ago, so it does not seem possible for our PCs to get infected with the Fizzer virus. Is it really possible that one of our business partners has got infected and sent the infected emails to us? Any experience of this kind?

Thanks,

Ray

Subject: Re: Fizzer virus

Ray,

I think you’ll find that this virus is one of many which have the ability to spoof the reply address of the sender.

This means (in theory) an infected PC (which you have no control over) has an (outdated) address book entry for your departed employee. The virus sees this entry and re-sends itself to many other people also in the address book, but creates a reply address which makes it appear that the infected message comes from your old employee.

Another company receives the infected message supposedly from your old employee and detects the infection, so they send a message to your old employee to alert him to the virus infection.

See how this becomes confusing? Look at the message headers and you might be able to see the domain which first routed the infected message. This might give a clue as to who REALLY has the infected machine.

Check out this link from Symantec on the subject:

http://service1.symantec.com/support/ent-security.nsf/docid/2002102416271448
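
The header check suggested in the reply above, sketched in Python as an added example that is not part of the original thread. The sample message, the domain ourcompany.example and the function names are constructed for illustration, and the regular expression assumes the common "from HELO (rdns [ip]) by HOST" layout of Received headers.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every host, address and IP below is made up.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [198.51.100.7])
\tby domino.ourcompany.example with ESMTP; Tue, 13 May 2003 09:14:02 +0800
Received: from desktop-42 (dsl-25.isp.example [203.0.113.25])
\tby mx.partner.example with SMTP; Tue, 13 May 2003 09:13:58 +0800
From: "Former Staff" <former.staff@ourcompany.example>
To: someone@ourcompany.example
Subject: sample

(body removed)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def trace_hops(raw):
    """Return parsed Received hops, oldest first."""
    msg = message_from_string(raw)
    # Each relay prepends its own header, so reverse for chronological order.
    found = (RECEIVED_RE.search(v) for v in reversed(msg.get_all("Received", [])))
    return [m.groupdict() for m in found if m]

def assess(raw, our_domain):
    """Compare the claimed From domain with the path the message really took."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = trace_hops(raw)
    # Only the header written by our own server is trustworthy; older ones
    # were supplied by upstream hosts and can be forged.
    entry = next((h for h in hops if in_domain(h["by"], our_domain)), None)
    return {
        "from_domain": from_domain,
        "earliest_hop_ip": hops[0]["ip"] if hops else None,
        "handed_to_us_by": entry["helo"] if entry else None,
        "handed_to_us_ip": entry["ip"] if entry else None,
        "spoofed_internal_sender": bool(
            entry and from_domain == our_domain.lower()
            and not in_domain(entry["helo"], our_domain)),
    }
```

Calling assess(SAMPLE, "ourcompany.example") on the constructed message reports a From address in our own domain on mail that was handed to our server by an outside host, which is the pattern the reply describes.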