Sobig Virus to Drop Payload As Early as Noon Today

The fast-spreading computer virus already blamed for slowing or shutting down e-mail systems worldwide was programmed to coordinate a new type of attack, antivirus experts said Friday.

Instructions written into the latest version of the “Sobig” virus, which began appearing Tuesday, called for infected Windows machines to try to download a program of unknown function as early as 12 p.m. Friday.

“It could be a game, and all these computers would start playing a game, or it could be a destructive program that immediately deletes files,” said Mikko Hypponen, manager of antivirus research with F-Secure Corp. in Finland.

Such a program might also attempt to steal passwords or create rogue e-mail servers for spreading junk e-mail, Hypponen said.

He said users should clean their computers using antivirus software _ antivirus companies have issued free tools to do so _ or turn off machines if they cannot run the disinfecting software.

Users with firewall programs can also block UDP port 8998, which is the Internet opening the virus uses to communicate with the outside world.

The attack was expected to end at 3 p.m., though the virus would try again every Friday and Sunday between 12 p.m. and 3 p.m.

Already, Sobig has resulted in e-mail disruptions at several businesses, universities and other institutions. In its early days, Sobig did not physically damage computers, files or critical data, but it tied up computer and networking resources.

Users get the virus when they click on attachments to e-mail carrying such subject lines as “Details,””Approved” and “Thank you!”

One e-mail company, MessageLabs Inc., has declared it the fastest e-mail infection ever.

“It´s bad enough that … a lot of e-mail systems got affected,” said Chris Belthoff, senior security analyst with Sophos Inc. in Lynnfield, Mass. “But in the code of the virus itself is a routine.”

The new attack was expected to begin with the virus reaching one of at least 20 computers around the world to obtain information key to continuing. Security officials were working on trying to find those computers and shutting them down.

Internet addresses written into the virus point to those computers being home machines connected through broadband services like cable or DSL, said Chris Rouland, vice president for research and development at Internet Security Systems Inc. It was unlikely the machines´ owners knew that they were picked as accomplices, he said.

The Sobig outbreak came just one week after a virus known as “LovSan” and “Blaster” took advantage of a flaw in the Windows operating system to clog computer networks around the world. The “Blaster” outbreak has started to subside, Belthoff said.

Removal instructions can be found at http://www.f-secure.com