Antivirus Gurus Say Much-Feared Internet Attack Fizzles

The virus, the "F" variant of "Sobig," contained instructions to launch an attack Friday afternoon, but experts were able to identify and block most of the key computers needed as accomplices.

Sobig was programmed to try again Sunday, "but I think it's really mitigated," said Chris Rouland, vice president for research and development at Internet Security Systems. "All the network operators are aware they need to block these (Internet addresses) now."

Meanwhile, Easynews.com, a Phoenix provider of newsgroup services, said it had complied with a subpoena for information on an account used to distribute the virus. Easynews said the account appeared to have been created with a stolen credit card.

FBI spokesman Paul Bresson refused to comment, saying only that the agency was investigating.


Instructions written into Sobig, which has infected hundreds of thousands of Windows machines since Tuesday, called for those computers to try to download a program that, until the attack began, had an unknown function.

Experts feared the program could have deleted files, stolen passwords or created rogue e-mail servers for spreading junk e-mail.

But when the time came, all the virus did was visit a pornography site, said Vincent Weafer, security director with Symantec Security Response.

"There is nothing malicious," he said, "just a standard sex site."

The attack began with the virus attempting to reach one of 20 computers, mostly in the United States and Canada, to obtain information key to continuing. Infected computers were programmed to keep trying every Friday and Sunday between 3 p.m. and 6 p.m. EDT.

Antivirus experts identified those computers and, with the help of U.S. government officials, persuaded their Internet service providers to shut access to some of them.

Keynote Systems, which measures Internet performance, said the Net's main pipelines were holding up fine, but isolated congestion was possible because of higher-than-normal Internet traffic.

Mikko Hypponen, manager of antivirus research with F-Secure in Finland, said users should clean their computers using antivirus software (companies have issued free tools) or turn off machines if they cannot run the disinfecting software.

Users with firewall programs can also block UDP port 8998, the Internet port the virus uses to communicate with the outside world. Experts say that doing so should cause at most minor interference with other Internet functions, and that many service providers were already blocking the port for their customers.
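As a defender-side illustration of the port-blocking advice above and of the activation windows described earlier, here is an added Python example; it is not part of the AP report and not code from any of the companies quoted. It scans firewall log lines for outbound UDP/8998 attempts and marks those that fall inside the virus's Friday and Sunday 3 p.m. to 6 p.m. EDT windows. The log format, the internal addresses and the fixed UTC-4 offset for EDT are assumptions, and the 203.0.113.x destinations are documentation-range placeholders standing in for the 20 control computers, which the article does not list.

```python
"""Flag Sobig.F-style control traffic in firewall logs.

The AP report says the virus talks to the outside world on UDP port 8998 and
that infected machines try to reach their control hosts every Friday and
Sunday between 3 p.m. and 6 p.m. EDT.  This is an added example, not the
article's code; the log format below is assumed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# The article gives the window in EDT; a fixed UTC-4 offset is assumed here
# so the example runs without a tz database.
EDT = timezone(timedelta(hours=-4))
SOBIG_PORT = 8998            # from the article
ACTIVATION_DAYS = {4, 6}     # datetime.weekday(): Friday = 4, Sunday = 6
WINDOW_START_HOUR = 15       # 3 p.m. EDT
WINDOW_END_HOUR = 18         # 6 p.m. EDT (exclusive)

# Assumed log line shape:
#   "<ISO-8601 UTC> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<action>ACCEPT|DROP) "
    r"(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log.  203.0.113.0/24 is a documentation range standing in
# for the control hosts, which the article does not list.
SAMPLE_LOG = """\
2003-08-22T19:05:12Z ACCEPT UDP 10.0.0.17:1052 -> 203.0.113.5:8998
2003-08-22T19:06:03Z DROP UDP 10.0.0.17:1052 -> 203.0.113.9:8998
2003-08-22T19:07:44Z ACCEPT TCP 10.0.0.22:3340 -> 198.51.100.4:80
2003-08-22T19:08:00Z ACCEPT UDP 10.0.0.22:53412 -> 192.0.2.53:53
2003-08-23T13:00:00Z ACCEPT UDP 10.0.0.31:1100 -> 203.0.113.12:8998
2003-08-24T21:30:00Z ACCEPT UDP 10.0.0.17:1052 -> 203.0.113.5:8998
this line is malformed and is skipped
""".splitlines()


@dataclass
class Flow:
    ts: datetime          # timezone-aware, UTC
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_timestamp(text: str) -> datetime:
    """Parse the log's 'YYYY-MM-DDTHH:MM:SSZ' stamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str):
    """Return a Flow for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        ts=parse_timestamp(m["ts"]),
        action=m["action"],
        proto=m["proto"],
        src=m["src"],
        dst=m["dst"],
        dport=int(m["dport"]),
    )


def in_activation_window(ts: datetime) -> bool:
    """True if ts falls on a Friday or Sunday between 15:00 and 18:00 EDT."""
    local = ts.astimezone(EDT)
    return local.weekday() in ACTIVATION_DAYS and WINDOW_START_HOUR <= local.hour < WINDOW_END_HOUR


def find_sobig_flows(lines):
    """All UDP/8998 flows, each paired with whether it hit an activation window."""
    hits = []
    for line in lines:
        flow = parse_line(line)
        if flow is None or flow.proto != "UDP" or flow.dport != SOBIG_PORT:
            continue
        hits.append((flow, in_activation_window(flow.ts)))
    return hits


def suspected_infected_hosts(lines) -> dict:
    """Internal sources with UDP/8998 attempts inside a window, mapped to attempt count.

    A port hit outside the window is still worth a look, but a hit inside the
    window matches the behaviour the article describes and ranks higher.
    """
    counts = Counter(flow.src for flow, in_window in find_sobig_flows(lines) if in_window)
    return dict(counts)


if __name__ == "__main__":
    for flow, in_window in find_sobig_flows(SAMPLE_LOG):
        tag = "IN-WINDOW" if in_window else "off-window"
        print(f"{flow.ts.isoformat()} {flow.action:6} {flow.src} -> {flow.dst}:{flow.dport} {tag}")
    print("suspected infected hosts:", suspected_infected_hosts(SAMPLE_LOG))
```

Dropped flows are reported alongside accepted ones on purpose: a DROP on UDP/8998 confirms the firewall rule is doing its job, but the source address still identifies a machine that needs the disinfection tools mentioned above.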

Already, Sobig has resulted in e-mail disruptions at several businesses, universities and other institutions. Sobig did not physically damage computers, files or critical data, but it tied up computer and networking resources.

The New York Times asked employees at its headquarters to shut down their computers for part of the afternoon Friday because of "computing system difficulties." Spokesman Toby Usnik declined to discuss whether a virus might be to blame, but said it did not stop Saturday's edition.

Users get the Sobig virus when they click on attachments to e-mail carrying such subject lines as "Details," "Approved" and "Thank you!"

One e-mail company, MessageLabs, has declared it the fastest e-mail infection ever. Symantec reported the spread as "steady" Friday.

The Sobig outbreak came just one week after a virus known as "LovSan" and "Blaster" took advantage of a flaw in the Windows operating system to clog computer networks around the world. The "Blaster" outbreak has started to subside, experts said.

Copyright © 2003 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.