Internet service providers were urged on Monday to check their user traffic patterns to locate and shut down machines infected with the mass-mailing Sober worm.
Although Sober is no longer trying to replicate, antivirus company F-Secure believes ISPs must warn infected customers so they can disinfect themselves.
Infected PCs were programmed to download new instructions from the Internet last week, which would have heralded another attack. This update did not actually appear online, but infected machines are still trying to download it.
"ISPs: We urge you to check your user traffic patterns. Locate the users that produce an unlikely large amount of constant hits to people.freenet.de, scifi.pages.at, home.pages.at, free.pages.at and home.arcor.de. Contact these users and let them know they are likely to be infected with Sober and they should clean up their act," F-Secure said on its blog.
Computers infected by Sober are likely to contain spyware, or could have been turned into zombie PCs and used to send spam or launch denial-of-service attacks. They could also download a Sober update in the future, sparking another mass-mailing attack.
F-Secure said ISPs should let customers know they have been infected automatically, and redirect users to sites so they can disinfect their machines.
"Most affected computers belong to home users, who have no idea they've been infected. ISPs are in the best position to distinguish infected users," said Mikko Hypponen, director of antivirus research at F-Secure.
"Service providers can automatically shut down a user connection, and specify that to get back online users have to follow certain steps, for example, by visiting the Microsoft site for the latest updates. ISPs can automatically shut down what they want, and can still connect users to Microsoft," Hypponen said.
ISPs have an economic motive to inform users that their machines have been compromised, Hypponen argued.
"It might be hard for ISPs to find the motivation to do it, because it's a lot of work and a thankless job as no one wants to hear they are infected. However, ISPs are losing money because of the huge amounts of traffic generated by infected machines," Hypponen said.
But America Online said it would not be contacting consumers, as it put more emphasis on prevention of infection through e-mail filtering and blocking links to certain Web sites. People who had been infected had access to McAfee antivirus services, AOL said.
"We have on occasion made outbound contact with members in specific situations, such as the Mydoom worm, but have no plans to do so in this instance as we focus our efforts on prevention," said Jonathan Lambeth, director of communications for AOL UK.
"Our antispam systems, which block more than 1.5 billion spam e-mails each day, block a large number of e-mails containing links to the Sober virus in the first place," Lambeth added. "Links are default-disabled on e-mails within AOL to prevent casual clicking on rogue links, requiring a more positive action to click through, although this setting can be switched off if the user prefers."