The W32/Sobig-B worm, which has been spreading via email and network shares since the early hours of this morning, has been programmed to fall dormant at the end of the month.
A close examination of the worm's code by Sophos virus researchers has discovered that the worm checks the date settings on infected computers. If the date is 31 May 2003 or later, the worm is configured to ignore the code that tells it to send itself to the email addresses found on the user's hard drive. It will also ignore the section of the code that tells it to search for attached network devices to infect.
"It's hard to deduce precisely why the virus author has done this - but it's not the first time we've seen a virus or worm have a built in 'self-destruct' routine," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "It's possible some virus writers include such code into their creations in the hope that if they are later caught by their authorities, it will show them in a better light."
Sophos, however, urges businesses not to wait for the virus to turn off its replication routines but take action now to avoid infection.
"Businesses can easily automate their anti-virus protection updates. This approach, combined with blocking executable code from entering the company at the email gateway, can dramatically reduce the chances of virus infection," continued Cluley.
The W32/Sobig-B worm distributes itself in the form of an email pretending to be from Microsoft.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.