The IP of the virus’s origin will be in the full headers of the message. Here’s a good link on how to get most mail clients to reveal full headers:
What you want to find is the first line that hits our mail server, like this example:
Received: from example.com (somehost.example.com [10.3.4.1])
    by [mailserver].dreamhost.com (Postfix) with ESMTP id DAFDB5B879
    for <email@example.com>; Mon, 10 May 2004 16:01:05 -0700 (PDT)
The IP in the brackets is the only thing you want to look at here, so in this case, 10.3.4.1 is the message’s origin. You can then use a whois interface (the one at geektools.com may be the easiest to use for someone who doesn’t have a lot of experience guessing which RIR a particular IP address will correspond to) to determine the organization that this IP was allocated to.
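The same lookup can be scripted. This is an added example, not part of the original text: it walks the Received headers from the newest down and returns the bracketed IP of the first hop that arrived from outside, ignoring anything below it because headers not written by your own servers can be forged. The trusted suffix `.mail.example.net`, the internal range and the sample message are constructed assumptions, and the regex assumes the Postfix layout shown above.

```python
import email
import ipaddress
import re

# Postfix layout: from HELO (rdns [ip]) ... by HOST
# Postfix writes IPv6 peers as [IPv6:2001:db8::1].
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(\S+\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

# Constructed sample: an internal relay hop, the real hand-off, and a
# forged header the sender added that claims to be one of our servers.
SAMPLE = """\
Received: from mx1.mail.example.net (mx1.mail.example.net [192.0.2.10])
    by store1.mail.example.net (Postfix) with ESMTP id AAAA1
    for <user@example.org>; Mon, 10 May 2004 16:01:06 -0700 (PDT)
Received: from example.com (somehost.example.com [203.0.113.7])
    by mx1.mail.example.net (Postfix) with ESMTP id BBBB2
    for <user@example.org>; Mon, 10 May 2004 16:01:05 -0700 (PDT)
Received: from pc (unknown [198.51.100.9])
    by mx9.mail.example.net (Postfix) with ESMTP id CCCC3
From: sender@example.com
Subject: constructed test message

body
"""

def find_origin_ip(raw_message, trusted_suffix, internal_nets=()):
    """Return the IP that handed the message to our servers, or None."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    msg = email.message_from_string(raw_message)
    # Each server prepends its header, so the list runs newest to oldest.
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(header)
        if not m or not m["by"].lower().endswith(trusted_suffix):
            return None  # not written by our servers: nothing below is reliable
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in nets):
            return str(ip)  # first hop that came from outside our network
    return None

if __name__ == "__main__":
    print(find_origin_ip(SAMPLE, ".mail.example.net", ["192.0.2.0/24"]))
```

The returned address is the one to look up in whois.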