Experts Race to Beat Computer Worm

By Brian Krebs
Special to The Washington Post
Saturday, August 23, 2003

Computer-security experts working with law enforcement officials in the United States and Canada raced yesterday to contain the Sobig.F computer worm before it could launch a new attack as authorities reported progress on finding the source of the virus.

Security experts who cracked the worm's code late Thursday night found that Sobig instructed infected computers to try to contact one of 20 other computers yesterday afternoon to download new instructions -- to do what is as yet unknown. But the worm either failed to seek those instructions or it was thwarted from doing so when security experts disconnected 17 of the 20 targeted computers before the anticipated 3 p.m. attack.

The computer worm was one of at least three viruses that have brought corporate, personal and government computer networks to a crawl over the past two weeks.

The FBI served a grand jury subpoena yesterday on, a Phoenix-based Internet service provider whose network may have been used as a starting point for the Sobig worm.

The worm is thought to have been released originally on Usenet, a sort of Internet bulletin board, by someone who had an account at, according to Michael Minor, the company's co-owner. The account was paid for with a stolen credit card number and established minutes before the virus was released on the Internet on Monday, Minor said. He added that the company is cooperating with the FBI.

The account was apparently established from a computer in British Columbia, which experts said belongs to an unwitting home user whose computer appeared to be infected by a previous version of the virus. That version let Sobig's author seize control of the computer.

The virus was disguised on Usenet as a pornographic photograph in an adult news group, Minor said. People who clicked on the photo had their PC infected with the virus, which then began to e-mail itself to every address on the infected computer's e-mail address book.

FBI cyber division spokesman Bill Murray said the bureau and the Department of Homeland Security would do everything they could, including serving subpoenas, to track the source of the worm.

The Sobig.F worm, a variation of a virus that's been around since January, quickly spread out of control this month. America Online Inc., the world's largest online service, reported that nearly 60 percent of the 38 million attachments to e-mail messages that it filtered Thursday contained the Sobig.F virus.

Authorities hoped they had neutralized the worm by disconnecting most of the 20 targeted computers. But security experts did not know last night whether they really succeeded. The instructions in the worm's code orders it to try to connect to 20 computer addresses, assigned to home computers in Canada, South Korea and the United States, every Friday and Sunday from 3 to 6 p.m. until Sept. 10, when the worm expires.

Computer-security experts scrambled to get those computers unplugged from the Internet before 3 p.m. yesterday. When the appointed time came, all the virus did was download an address for an adult Web site from one of the three remaining computers, said Vincent Weaver, security director at Symantec Security Response.

But, just as this is the sixth version of the Sobig worm, there may be other variants that harbor other instructions.

CONTINUED     1        >

© 2003 The Washington Post Company