Sobig lingers despite shutdown date

The e-mail virus is the third most active virus in November, two months after it was supposed to have terminated itself.

Graeme Wearden Special to CNET News.com

See full bio

Graeme Wearden

Dec. 1, 2003 10:59 a.m. PT

2 min read

Sobig is still rampaging around the Internet, two months after the virus was supposed to have terminated itself.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

E-mail security firm MessageLabs said Friday that Sobig was the third most active virus in November, with some 264,000 copies being detected by its e-mail virus-scanning servers.

Although this activity is well below the virus's peak, it is still surprising as Sobig--like several other members of the Sobig family--contained a built-in shutdown date that was supposed to prevent it propagating after Sept. 10. Sobig.F's continued proliferation is due to a combination of factors, including the successful efforts that prevented it wreaking even more havoc and the fact that many PCs are set to the wrong date, according to MessageLabs.

The first Sobig virus appeared in January and was followed by many variants. Sobig.F was first detected on Aug. 19. It propagated by e-mail and caused massive disruption to corporate networks, but its real purpose was to take over computers.

Once infected by Sobig, a PC would periodically link to 20 Web servers that had been individually hacked by the virus author and try to download a file. Some experts believe this downloaded code could have precipitated a massive denial-of-service attack, but this was foiled because the compromised servers were taken offline in time.



		Special report A 20-year plague Decades after creation, viruses defy cure.

MessageLabs said that this may have prevented some copies of Sobig.F from terminating themselves. "The plug was pulled on the target servers before the PCs that were infected by Sobig could download the final bit of code," said Paul Wood, principal information security analyst at MessageLabs. "Once that file had been downloaded and the PC was at the final stage, they would have stopped propagating more copies of Sobig.F to avoid anyone spotting the fact that they'd already been compromised." Instead, Wood said, PCs infected with Sobig.F are still spreading the virus and aren't checking the date.

Because of the built-in shutoff mechanism, a PC receiving a copy of Sobig today should not try to forward it on. But another factor behind Sobig's longevity could be that some PCs are set to the incorrect date. While networked PCs will typically take their date and time from a central server, home PCs are reliant on their internal clock and the small battery that powers it.

If the battery runs down and isn't replaced, a computer will not know the correct date or time. According to MessageLabs, many such PCs are out there, connected to the Web, being infected with Sobig by computers that were compromised back in August and haven't switched their virus activity off. It is these PCs that are pumping out more copies.

Graeme Wearden of ZDNet UK reported from London.