Fast-Moving Virus Slams E-Mail SystemsFast-Moving Virus Slams E-Mail Systems

An Internet virus know as Sobig last week generated E-mail traffic volumes of historic levels, slowing E-mail servers and flooding the in-boxes of computers in homes and offices around the world. At the same time, the Blaster worm, which was launched the week before, caused big problems, invading the systems of railroad company CSX Corp. and causing train delays on the East Coast.

The Sobig virus was first launched a year ago as both a worm and a virus. The version that hit last week, known as W32.SobigF@mm, is the sixth to threaten systems. It lodges in unprotected computers, rifling hard drives for E-mail addresses in document files, cached Web pages, and Microsoft Outlook Express databases.

Sobig also worked through LANs and business networks, reading drives on shared storage volumes and file servers to find hiding spots for the worm and more E-mail addresses with which to propagate itself. That's one reason it was so hard to contain.

Postini Inc., an E-mail-management and screening company, intercepted 1.9 million Sobig-generated E-mails intended for its customers on Aug. 19 and 3.5 million the next day. The company processes 100 million messages every 24 hours. "I've never seen a virus blow into the millions so quickly," says Scott Petry, VP of engineering. "It's bigger than Klez."

Part of Sobig's success can be attributed to text it inserts into a message it generates. The line says, "X-Scanner: Found to be clean." Sobig puts the text in a header that is typically examined by Mail Scanner, an open-source spam and virus-screening application that Internet service providers use, notes Neel Mehta, a member of the virus-research team at Internet Security Systems Inc. The move appears to be fooling some anti-virus applications, helping Sobig spread, he says.

Many businesses moved swiftly to block the virus. "Large companies were typically very quick," says Vincent Weafer, senior director of the security-response team at Symantec Corp. The virus spread primarily by penetrating small businesses and home users who were behind in updating their protection.

In most cases, Sobig didn't cause permanent damage. The virus' maker has scheduled it to end activity Sept. 10. But some experts believe a new variant will show up soon after that, and they fear the current version is creating holes or backdoors to make it easier for the next version to infect computers.

"A massive army [of infected computers] created by Sobig.F could be used to launch an all-out attack on larger Internet infrastructures," such as a distributed denial-of-service attack on particular Web sites, says Steven Sundermeir, VP of services at Central Command Inc., an antivirus software maker. Sobig variants have appeared regularly at intervals of three to four weeks.

Meanwhile, the Blaster worm continued to create problems. Portions of CSX Transportation's 23,000-mile rail network in the East and Southeast were brought to a halt when Blaster hit its computer systems early on Aug. 20, causing delays in train scheduling and disrupting dispatching and telecommunications to rail signals. The disruption delayed Amtrak's Washington, D.C., commuter trains by two hours as they waited for CSX traffic to clear the tracks.

Photo courtesy of Zuma Press