Sobig.F Virus Slows; New Wave Seen Possible

NEW YORK (Reuters) - The fast-spreading Sobig.F e-mail virus is slowing after failing in its initial bid to bog down the Internet, but security experts issued fresh warnings to computer users on Sunday to brace for a possible new wave.

Sobig.F, which first emerged on Monday, was programmed by an unknown creator to unleash a data attack at 3 p.m. EDT on Sunday. But with the trigger -- a computer program unwittingly installed on 20 poorly defended computers mostly in the United States and Canada -- deactivated on Friday, Sunday's attempt was expected to be a non-event, security experts said.

"We should all be OK," said Graham Cluley, senior technology consultant at UK-based Sophos Anti-Virus. An automated barrage planned for Friday was averted after government and security industry experts raced to diffuse the digital trigger that could have taken control of more than 100,000 infected computers and possibly crippled the Internet.

The number of infected computers worldwide fell dramatically from Saturday to Sunday, declining by one-third in the 24-hour period to 98,205 from 145,264, according to a virus map from anti-virus software maker Trend Micro.

North America had the highest number of zombie computers at 68,911, a one-day drop of 22 percent. Meanwhile, the number of infected computers in Europe declined by 51 percent to 26,727 machines. But from a smaller base, infections in Asia jumped 41 percent to 8,258, according to Tokyo-based
Trend Micro's site.

"Now, it's a case of a big clean up for (technicians) and learning a lesson for the next time there's an e-mail worm," Cluley said. The next time could be in weeks. SoBig.F is the sixth version of a virus that first appeared in January. Each one has been the stronger than the previous, security officials said.

SoBig.F is programmed to expire on Sept. 10. "We would expect to see the next one some time after September 10, not necessarily on September 11,
but within the ensuing weeks," Cluley said. The virus spreads when unsuspecting computer users open file attachments in e-mails that contain familiar headings like "Thank You!," and "Re: Details."

Once the file is opened, Sobig.F resends itself to e-mail addresses from the infected computer and signs the e-mail using a random name and address from the computer's address book. SoBig.F was released on a sex-oriented Internet discussion group on Monday, according to security experts and EasyNews.com, the Internet service provider that supplied the discussion group with Web access.

In the ensuing days it spread to hundreds of thousands of computers and sent out millions of virus-infected e-mails.