Security experts block attack by a second Internet worm

The second attack in two weeks on Microsoft Windows users sputtered out yesterday when security experts stopped a malicious e-mail worm from spreading by identifying and blocking the computers that were key to keeping it moving.

Dubbed "Sobig.F" or "WORM SOBIG.F," the program managed to infect more than 100,000 machines before it was contained, according to the Internet Storm Center at the SANS Institute, an information security research and education organization with headquarters in Bethesda.


Experts had feared that the program could have deleted files, stolen passwords or created rogue e-mail servers for spreading junk mail. But in the end, all the worm did was visit a pornography site, said Vincent Weafer, a security director with Symantec Security Response in California.

"There is nothing malicious, just a standard sex site," he said.


Instructions written into the latest version of the Sobig worm called for infected Windows machines to try to download a program that, until the attack began at 3 p.m. yesterday, had an unknown function, experts said.

The program slowed or shut down electronic mail systems worldwide as it spread through e-mail with specially crafted attachments that said: "Details;" "Approved;" "Thank You!;" "That Movie;" or "Wicked screensaver."

Several businesses and universities were disrupted by Sobig this week, but experts said the worm did not physically damage computers, files or critical data. It did tie up computer and networking resources.

The Associated Press reported that the Sobig worm infected the computer system at freight carrier CSX Corp.'s Jacksonville, Fla., headquarters this week, shutting down signaling, dispatching and other systems.

Although it's unclear whether Sobig was to blame, The New York Times also asked employees at its headquarters yesterday to shut down their computers because of "system difficulties."

"It was stopped, but there is still a chance that the worm included a backdoor function that could allow it to update its list of servers," said Johannes Ullrich, chief technology officer at the Internet Storm Center at the SANS Institute.

"Now that the original computer servers were taken down to stop it from moving, it could move on to a new list to start moving again."

Symantec issued an advisory that said Sobig is randomly selecting addresses it finds on an infected computer, called e-mail spoofing. The program then sends the worm to others using those spoofed addresses, which means that the sender listed in the "from" field is most likely not the real sender.


"By doing that, it makes it seem like the e-mail is coming from someone you trust," Ullrich said. "It's an address you might recognize, which means you could be fooled into opening the attachment.

"It's a pretty sophisticated program that is moving very fast," Ullrich said. "It shuts itself off for awhile and then it returns in a different version. This is the sixth version of Sobig that we've seen since January. People suspect that whoever is sending it is trying to find out which sequence is the most effective way to infect computers."

Last week, the "LovSan" or "Blaster" worm, which spread itself automatically by infecting unprotected computers connected to the Internet, took advantage of a flaw in Windows operating systems to knock computer networks off-line around the world.

The recent version of Sobig first appeared Sunday. Affected systems are: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP.

The last day on which the worm will spread is Sept. 9. Symantec said the worm is expected to deactivate itself Sept. 10.

Symantec also suggested blocking inbound traffic on port 99x/udp and outbound traffic on port 8998/udp - the Internet openings the virus uses to communicate.


The Associated Press contributed to this article.