The Race To Stop 'Sobig' Virus
A fast-spreading computer virus already blamed for slowing or shutting down e-mail systems worldwide was programmed to coordinate a new type of attack, antivirus experts said Friday.
Instructions written into the "Sobig" virus, which began appearing Tuesday, call for infected machines running Microsoft Windows to try to download a program of unknown function as early as 3 p.m. ET Friday.
"It could be a game, and all these computers would start playing a game, or it could be a destructive program that immediately deletes files," said Mikko Hypponen, manager of antivirus research with F-Secure Corp. in Finland.
It also might attempt to steal passwords or create rogue e-mail servers for spreading junk e-mail, Hypponen said.
He suggested users clean their computers with antivirus software or turn off machines if they can't run the disinfecting programs. Users with firewall programs could also block UDP port 8998, the network port the virus uses to communicate.
The attack was expected to end at 6 p.m., though the virus is programmed to try again every Friday and Sunday between 3 p.m. and 6 p.m.
Already, Sobig had resulted in e-mail disruptions at several businesses and universities. It didn't physically damage computers, files or critical data, but it tied up computer and networking resources.
One e-mail company, MessageLabs Inc., declared it the fastest e-mail infection yet. The company says one out of every 17 e-mail messages it scanned was infected with the virus.
How can you tell if Sobig.F has come to call on you?
Subject lines for Sobig.F include: "Re:Details," "Re: Approved," "Re: Re: My details," "Re: Thank you!", "Re: That movie," "Re: Wicked screensaver," "Re: Your application," "Thank you!", and "Your details."
The message is likely to say: "See the attached file for details" or "Please see the attached file for details."
Attached files are likely to be: "your_document.pif," "document_all.pif," "thank_you.pif," "your_details.pif," "details.pif," "document_9446.pif," "application.pif," "wicked_scr.scr," or "movie0045.pif."
As is the case with many computer viruses, the trouble is unleashed if a recipient clicks on the attached file, at which point the computer will become infected.
Sobig.F sends itself out to names found in its victim's address books and will use one of these names to forge a return address. As such, the infected party may not quickly learn of the infection, while an innocent party may get the blame for helping to propagate it.
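The subject lines, message text and attachment names listed above can be checked mechanically at a mail gateway or over a mailbox export. The following is an added example, not part of the original article: the function names, the sample message and the quarantine threshold are assumptions, and the sender address is deliberately ignored because the article notes it is forged.

```python
from email import message_from_string

# Indicators transcribed from the article's lists.
SUBJECTS = ["Re:Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
            "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
            "Thank you!", "Your details"]
BODY_PHRASE = "see the attached file for details"  # also matches the "Please see..." variant
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}

def _squash(text):
    """Lowercase and drop all whitespace so 'Re:Details' equals 'Re: Details'."""
    return "".join((text or "").split()).lower()

SUBJECT_KEYS = {_squash(s) for s in SUBJECTS}

def sobig_f_indicators(raw_message):
    """Return the article's indicators that a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    hits = []
    if _squash(msg["Subject"]) in SUBJECT_KEYS:
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain" and not name:
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            if BODY_PHRASE in " ".join(body.lower().split()):
                hits.append("body")
    return hits

def is_suspect(raw_message):
    """Threshold (assumption): a listed attachment plus at least one other indicator."""
    hits = sobig_f_indicators(raw_message)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 2

# Constructed sample message for illustration; the attachment body is a placeholder.
SAMPLE = "\n".join([
    "Subject: Re: Details", "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "",
    "Please see the attached file for details.",
    "--b1", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="your_details.pif"', "",
    "placeholder", "--b1--", ""])
```

A subject-line match alone is not treated as suspect, since replies titled "Re: Details" or "Thank you!" are common in ordinary mail.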
The Sobig outbreak came just one week after a virus known as "LovSan" or "Blaster" took advantage of a flaw in the Windows operating system to clog computer networks around the world.
The "Blaster" outbreak has started to subside, said Chris Belthoff, senior security analyst with Sophos Inc. in Lynnfield, Mass.