Sobig Scheduled To Download Trojan Friday

The payload, called a "Trojan horse," is set to be sent at noon PST from 20 computers that appear to be typical home PCs with always-on DSL connections. "Most likely the party behind Sobig.F has broken into these computers and they are now being misused to be part of this attack," Mikko Hypponen, director of research at anti-virus company F-Secure, said in a statement.

Keith Peer, chief executive and president of competitor Central Command, said the company had found the Internet protocol (IP) addresses of the 20 computers hard-coded in the virus, and the company was asking the Internet service providers for those addresses to try to shut them down.

"We don't have a clue about what it will download," Peer said. "It could be a spam relay, it could launch a denial of service attack on someone, or it could do nothing."

While it's not unusual for viruses to download components, Sobig.F, the fifth variant of the original virus sent in January, is exceptional in that it has spread at a record rate, infecting hundreds of thousands or possibly millions of machines globally.


Security company Symantec Corp. upgraded Sobig Friday to a level 4 threat, one notch below the company's highest rating. The upgrade followed the discovery of the Trojan.

Symantec was receiving 1,800 Sobig-infected emails a day from customers.

Sobig.F, discovered Tuesday, has clogged home email boxes and slowed down corporate networks with millions of messages carrying the malevolent payload. MessageLabs Inc., which filters corporate emails, had intercepted more than 3 million messages carrying the virus as of Thursday.

When an unsuspecting computer user executes the Sobig email attachment, the virus opens a "back door" on a Windows PC, allowing a hacker to take control of the machine or have the virus steal passwords and send them to the virus writer. Such viruses are called worms.

Experts have speculated that Sobig.F is setting up computers to become spam generators. Spammers often use the machines of others to relay spam throughout the Internet. Such activity can occur undetected by the computer's owner.

Previous variants of Sobig have directed computers to install "Wingate" proxies capable of forwarding junk e-mail at the direction of the spammer. Computer owners are unaware their machine has become a spam generator, because the proxies often remain intact even after anti-virus software removes the original virus.

This story courtesy of TechWeb
