Although the download of a mystery program by the Windows e-mail worm Sobig.F, failed over the weekend, experts say another variant of Sobig may come sooner than expected.
Sobig.F is currently the most widespread worm in the world, and has created massive e-mail outages globally since it was found on August 18th. The worm spreads itself via infected e-mail attachments in e-mails with a spoofed sender address. The attack has infected close to 100 million e-mails to date. According to CNN, already the worm has caused an estimated $50 million of damage in the United States alone.
Sobig-F is programmed to download a program every Friday and Sunday, between 3 p.m. and 6 p.m. EDT, until Sept. 10. The worm is supposed to get a URL pointing to the program from one of 20 remote servers. Antivirus experts weren't able to ascertain what the downloaded program would do.
But the 20 servers weren't accessible over the weekend. Eighteen were taken down by ISPs. ISPs were also filtering UDP port 8998 traffic over the weekend. The worm used that port to access the remote servers. Blocking it wasn't a huge issue because there are not a lot of legitimate uses for that port.
It's not unusual for ISPs to filter certain kinds of traffic when threats are associated with them. For example, ISPs filtered port 135 traffic two weeks ago when Lovsan struck. They could only filter for a few days because companies had legitimate uses for that port, but it was enough to hamper the worm's progress.
In the case of port 8998, ISPs shouldn't have any problems filtering that port over the next couple of weeks, security officials have said.
For more information visitReuters page.
--Compiled by Esther Shein
Will Sobig Strike Again?
