Sobig.F lingers as cure backfires

One of the IT sector's biggest threats in 2003 is still out there. The blame lies partly with PCs that don't know the time, but also with action that was taken to minimise damage done by the worm

Sobig.F is still rampaging around the Internet, two months after the virus was supposed to have terminated itself.

Email security firm MessageLabs said on Friday that Sobig.F was the third most active virus in November, with some 264,000 copies being detected by its email virus-scanning servers.

Although this activity is well below the virus's peak, it is still surprising as Sobig.F -- like several other members of the Sobig family -- contained a built-in shutdown date that was supposed to prevent it propagating after 10 September. According to MessageLabs, Sobig.F's continued proliferation is due to a combination of factors, including the successful efforts that prevented it wreaking even more havoc and the fact that many PCs are set to the wrong date.

The first Sobig virus appeared in January 2003, and was followed by many variants. Sobig.F was first detected on 19th August. It propagated by email, and caused massive disruption to corporate networks, but its real purpose was to take over computers.

Once infected by Sobig.F, a PC would periodically link to 20 Web servers that has been individually hacked by the virus author, and try to download a file. Some experts believe this downloaded code could have precipitated a massive denial-of-service attack, but this was foiled because the compromised servers were taken offline in time.

MessageLabs believes that this may have prevented some copies of Sobig.F from terminating themselves. "The plug was pulled on the target servers before the PCs that were infected by Sobig.F could download the final bit of code," said Paul Wood, principal information security analyst at MessageLabs. "Once that file had been downloaded and the PC was at the final stage, they would have stopped propagating more copies of Sobig.F to avoid anyone spotting the fact that they'd already been compromised." Instead, Wood believes, PCs infected with Sobig.F are still spreading the virus and aren't checking the date.

Because of the built-in shutoff mechanism, a PC receiving a copy of Sobig.F today should not try to forward it on. But another factor behind Sobig.F's longevity could be that some PCs are set to the incorrect date. While networked PCs will typically take their date and time from a central server, home PCs are reliant on their internal clock and the small battery that powers it.

If the battery runs down and isn't replaced, a computer will not know the correct date or time. According to MessageLabs, many such PCs are out there, connected to the Web, being infected with Sobig.F by computers that were compromised back in August and haven't switched their virus activity off. It is these PCs that are pumping out more copies.