Out-Law News

SoBig.F thwarted – experts await SoBig.G


SoBig.F, the computer virus which spread worldwide last week, is the sixth version of the same virus since January. Version F, which began life on an adult newsgroup, was expected to launch a concerted denial of service attack on the internet on Friday, but was thwarted at the last minute by ISPs and the FBI. It is only a matter of time before version G is released, warn experts.

The SoBig virus propagates through e-mail, and takes the form of a mass e-mailing from an infected machine. The virus is contained in a .pif or .scr file attached to the e-mail. But too many users open these attachments.

The e-mails generated by the virus use the signatures of legitimate addresses in an infected computer's address book, making it difficult for recipients to tell whether the e-mail is genuine or not. The subject lines of the e-mail are fairly easy to spot though – such as Re: Approved, Re: Thank you! and Re: Your application.

The virus was released on Monday through a pornography newsgroup. According to Reuters, the virus was contained in a pornographic picture. It infected machines as soon as the picture had been opened. The virus then began to replicate itself through e-mail.

Events took a twist on Thursday, however, when experts realised that hidden within the worm was an instruction for all infected computers to contact twenty specified internet addresses between 7 pm and 10 pm on Friday – to obtain further instructions.

The fear was that the worm would be ordered to use all infected machines to launch denial of service attacks, where servers are so overloaded by requests that they cannot function.

ISPs raced against time to identify the twenty computers that would be issuing attack instructions. By 7 pm on Friday they had managed to shut down at least seventeen of the twenty computers, stopping the attack.

The virus was instructed to repeat the process on Sunday, but with the computers off-line, the threat did not materialise.

The FBI has also become involved, issuing a subpoena to ISP Easynews.com. The ISP's chief technology officer, Michael Minor, told Reuters, "It looks like the original variant was posted through us to Usenet on the 18th [August]".

The FBI are looking to trace the origin of the worm through Easynews.com.

Experts predict that it is only a matter of time before the next version of the virus is released, although not until after the expiry date of SoBig.F, on 10th September. Graham Cluley, senior technology consultant at Sophos Anti-Virus, told Reuters, "We would expect to see the next one some time after September 10th, not necessarily on September 11th, but within the ensuing weeks."
