The information I was referring to can be found in the "technical details" section of each virus' data sheet. For example, the following explanation of e-mail header spoofing can be found in the data sheet for the W32.Klez.H worm:
This worm often uses a technique known as "spoofing." When it performs its e-mail routine, it can use a randomly chosen address that it finds on an infected computer as the "From:" address. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else.
For example, Linda Anderson is using a computer that is infected with W32.Klez.H@mm. Linda is not using an antivirus program or does not have current virus definitions. When W32.Klez.H@mm performs its e-mailing routine, it finds the e-mail address of Harold Logan. It inserts Harold's e-mail address into the "From:" portion of an infected message that it then sends to Janet Bishop. Janet then contacts Harold and complains that he sent her an infected message, but when Harold scans his computer, Norton AntiVirus does not find anything--as would be expected--because his computer is not infected.
If you are using a current version of Norton AntiVirus and have the most recent virus definitions, and a full system scan with Norton AntiVirus set to scan all files does not find anything, you can be confident that your computer is not infected with this worm.
There have been several reports that, in some cases, if you receive a message that the virus has sent using its own SMTP engine, the message appears to be a "postmaster bounce message" from your own domain. For example, if your e-mail address is firstname.lastname@example.org, you could receive a message that appears to be from email@example.com, indicating that you attempted to send e-mail and the attempt failed. If this is the false message that is sent by the virus, the attachment includes the virus itself. Of course, such attachments should not be opened.
This was first published in June 2002