Lembre-se que o bugbear pode criar um from: baseado nos emails do computador infectado.

http://www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html

It then uses its own SMTP engine to send itself to all email addresses that it finds. The worm also can construct addresses for the “From:” field using information that it harvests from the infected computer. For example, the worm may find the addresses a@a.com, b@b.com and c@c.com. The worm could create an email message addressed to a@a.com and spoof the “From:” address, so that it appears to come from c@b.com. The spoofed address can also be a valid email address that the worm finds on the system.

Voce ainda tem os cabecalhos da mensagem? Com eles da para descobrir o IP de quem mandou a mensagem.