Arizona Company Subpoenaed in Virus Attack



August 24, 2003
Tribune staff and wire reports

NEW YORK -- Security experts managed to avert a threatened Internet attack, while FBI agents subpoenaed an Arizona company for clues to the origins of a fast-spreading computer virus that slowed e-mail systems worldwide this week.

The virus, the "F" variant of "Sobig," contained instructions to launch an attack Friday afternoon, but experts were able to identify and block most of the key computers needed as accomplices.

Sobig was programmed to try again today, "but I think it's really mitigated," said Chris Rouland, vice president for research and development at Internet Security Systems Inc. "All the network operators are aware they need to block these [Internet addresses] now."

Although Sobig.F was still creating mischief, the flood of e-mails triggered by the virus appeared to be letting up as of Saturday, according to Pete Ashdown, president of Salt Lake City-based Xmission, one of Utah's oldest and largest Internet service providers.

"We haven't seen a lot of activity today," said Ashdown, who added that more Internet shenanigans may be likely in coming weeks.

"Wait until we see Sobig.G," he said.

Meanwhile, Easynews.com, a Phoenix provider of newsgroup services, said it had complied with a subpoena for information on an account used to distribute the virus. Easynews said the account appeared to have been created with a stolen credit card.

FBI spokesman Paul Bresson refused to comment, saying only that the agency was investigating.

Instructions written into Sobig, which has infected hundreds of thousands of Windows machines since Tuesday, called for those computers to try to download a program that, until the attack began, had an unknown function.

Experts feared the program could have deleted files, stolen passwords or created rogue e-mail servers for spreading junk e-mail.

But when the time came, all the virus did was visit a pornography site, said Vincent Weafer, security director with Symantec Security Response.

The attack began with the virus attempting to reach one of 20 computers, mostly in the United States and Canada, to obtain information needed to continue. Infected computers were programmed to keep trying every Friday and Sunday between 1 p.m. and 4 p.m. MDT.

Antivirus experts identified those computers.
-- -- --
On the Net:
Removal instructions: http://www.f-secure.com

http://www.sltrib.com/2003/Aug/08242003/utah/86600.asp