A SoBig surprise this afternoon?

The SoBig.F worm that infected hundreds of thousands of computers around the world this week apparently carries an encrypted payload set to activate this afternoon. What the results will be, however, experts cannot say.

'Unfortunately, we don't know what this thing will be that is set to be downloaded,' said Dee Liebenstein, group product manager for Symantec Security Response, a part of Symantec Corp. of Cupertino, Calif. 'That is a mystery to us.'

Infected machines are set to synchronize their clocks against a central time source and execute the payload code at 3 p.m. Eastern time (noon Pacific). Each will then contact one of 20 computers in the United States, Canada and South Korea and receive a Web address from which the infected machine will download and run a program.
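The callback described above (a burst of outbound connections from many internal hosts to a short list of "master" machines inside a known activation window) is something a network operator can hunt for in firewall logs. The script below is an added example, not code from the article or from Symantec or F-Secure. The log format, the three master-server addresses (RFC 5737 documentation ranges standing in for the real list of 20), the destination port numbers and the three-hour window width are all assumptions constructed for the demo; real indicators come from the vendor advisory.

```python
"""Flag internal hosts that contacted a SoBig.F-style master server
inside the scheduled activation window.

Added example; log format, address list, ports and window width are assumed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the article's list of 20 master machines.
MASTER_SERVERS = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("198.51.100.7"),
    ipaddress.ip_address("203.0.113.5"),
}

# 3 p.m. Eastern on a late-August day is 19:00 UTC (daylight time in effect).
# The three-hour width of the window is an assumption for the demo.
WINDOW_START = datetime(2003, 8, 22, 19, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(hours=3)

# Constructed firewall log lines in an assumed format:
# "<ISO-8601 UTC timestamp> <src> -> <dst>:<port> <proto>"
# Port numbers are arbitrary; the article does not give one.
SAMPLE_LOG = """\
2003-08-22T18:58:03Z 10.1.4.22 -> 192.0.2.10:53 udp
2003-08-22T19:00:01Z 10.1.4.22 -> 198.51.100.7:8998 udp
2003-08-22T19:00:02Z 10.1.7.9 -> 203.0.113.5:8998 udp
2003-08-22T19:00:05Z 10.1.4.22 -> 93.184.216.34:80 tcp
2003-08-22T19:05:44Z 10.1.9.3 -> 198.51.100.7:8998 udp
2003-08-22T20:15:00Z 10.1.2.2 -> 192.0.2.10:8998 udp
2003-08-22T23:30:00Z 10.1.4.22 -> 192.0.2.10:8998 udp
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, proto).

    Returns None for lines that do not match the assumed format, so a
    malformed record never aborts the whole sweep.
    """
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        src = ipaddress.ip_address(parts[1])
        dst_str, port_str = parts[3].rsplit(":", 1)
        dst = ipaddress.ip_address(dst_str)
        port = int(port_str)
    except ValueError:
        return None
    return ts, src, dst, port, parts[4]


def find_callbacks(log_text, masters=MASTER_SERVERS, start=WINDOW_START, end=WINDOW_END):
    """Map each internal source address to its connections that hit a master
    server within [start, end). Traffic to the same servers outside the window
    (e.g. ordinary DNS earlier in the day) is deliberately left out."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, proto = rec
        if dst in masters and start <= ts < end:
            hits[src].append((ts, dst, port, proto))
    return dict(hits)


def hosts_to_isolate(log_text, **kwargs):
    """Sorted list (as strings) of internal hosts that made a callback;
    these are the machines to pull off the network and scan."""
    return [str(h) for h in sorted(find_callbacks(log_text, **kwargs))]


if __name__ == "__main__":
    for host, events in sorted(find_callbacks(SAMPLE_LOG).items()):
        for ts, dst, port, proto in events:
            print(f"{host} -> {dst}:{port}/{proto} at {ts.isoformat()}")
    print("isolate:", ", ".join(hosts_to_isolate(SAMPLE_LOG)))
```

The window filter matters: one of the sample hosts talks to a master-server address before the activation time and again late in the evening, and neither of those is counted, so the list of hosts to isolate reflects only the scheduled callback. To use this on real data, replace the address set with the vendor's published list and adjust the parser to the firewall's own log format.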

'These 20 machines seem to be typical home PCs, connected to the Internet with always-on digital subscriber line connections,' said Mikko Hypponen, director of antivirus research at F-Secure Corp. of Finland. 'Most likely, the party behind SoBig.F has broken into these computers, and they are now being misused.'

Hypponen said that although researchers have decrypted the worm's payload, they have not been able to obtain the target Web address or examine the program that infected machines will download.

'There are efforts underway to shut down these master servers,' Liebenstein said.

Because those 20 master machines are widely distributed geographically and it is not known what other functions they perform, shutting them down is not simple.

Representatives of the Homeland Security Department and the CERT Coordination Center at Carnegie Mellon University were not available for comment.

Although SoBig.F is generating huge volumes of unwanted e-mail and clogging networks in its effort to spread, infection has not been unusually rapid or widespread, Liebenstein said.

At the peak of the Klez.H worm outbreak, Symantec received 4,516 infection reports on one day. BugBear.B generated 4,812 submissions on one day. 'SoBig has peaked at 1,800 submissions per day,' Liebenstein said. 'It's creating a lot of e-mail, but we're not seeing as many submissions.'

Symantec offers a free scanning tool to determine whether a computer is infected by SoBig, and a free tool to clean infected machines.

About the Author

William Jackson is a Maryland-based freelance writer.
