Sophos has published this page to provide helpful links to the very latest information about the W32/Sobig-F worm. Please bookmark this page and return often for the latest news and developments.
22:00 GMT, 22 Aug 2003 - Attack phase ends: Computers infected with W32/Sobig-F stop attempting to communicate with the remote IP addresses. Sophos's team of researchers will continue to monitor the situation over the weekend, and will update this page if there are any updates during Sunday's attack phase.
21:05 GMT, 22 Aug 2003 - Out of the 20 IP addresses referenced inside the code of the W32/Sobig-F worm, only one is currently responding. That IP address has been traced by Sophos researchers to Verona, New Jersey. However, there is no indication that the worm is successfully communicating with it and so no malicious downloads appear to be occurring. There is less than an hour to go before the worm will stop trying to download an update from the internet. Sophos's team of virus experts continues to monitor the situation.
20:09 GMT, 22 Aug 2003 - Sophos has received no reports from users who have downloaded new malicious content to their computers via the W32/Sobig-F worm. Sophos's team of virus experts continues to monitor the situation.
19:46 GMT, 22 Aug 2003 - Sophos reports that 400,000 instances of the W32/Sobig-F worm have attempted to break through its email system since midnight.
19:00 GMT, 22 Aug 2003 - Attack phase begins: Computers infected with W32/Sobig-F begin to attempt to communicate with the IP addresses encrypted inside the worm. Some of the IP addresses are no longer available, and there are unconfirmed reports that the FBI and Royal Canadian Mounted Police have assisted in having some computers disconnected from the web.
15:15 GMT, 22 Aug 2003 - Sophos experts advise network and system administrators on how they can take immediate action to prevent the worm from downloading potentially malicious updates from the internet.
11:45 GMT, 22 Aug 2003 - Sophos begins to contact the owners of IP addresses referenced inside the W32/Sobig-F worm. This involves contacting network administrators and computer owners in several countries including USA, Canada and Korea.
11:29 GMT, 22 Aug 2003 - Sophos warns that W32/Sobig-F is preparing to launch a second-wave attack by attempting to download code from the internet from 19:00-22:00 GMT (8pm-11pm UK time).
19 Aug 2003 - Sophos issues protection against the W32/Sobig-F worm. Enterprise Manager customers are automatically updated. Sophos MailMonitor for SMTP users who had deployed threat reduction technology were already protected.
W32/Sobig-F uses the Network Time Protocol (NTP) to access one of several servers in order to determine the current date and time.
If the time returned by the NTP server is between 19:00 and 22:00 UTC+0 (which is 8pm-11pm UK time) on Friday or Sunday, W32/Sobig-F sends a UDP packet to port 8998 of a remote server. This feature could be used to download and run a Trojan or additional worm components.
If the date is 10 September 2003 or later the worm stops working.
To prevent malicious code from being downloaded by W32/Sobig-F, Sophos strongly recommends that customers consider configuring company firewalls so outgoing connection attempts to UDP port 8998 are blocked.
Customers should consult their firewall documentation, or contact their firewall provider for assistance in implementing this configuration change.
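The activation window and the outbound UDP/8998 traffic described above, as an added detection example (not Sophos's code and not part of the original advisory): it checks whether a UTC timestamp falls in the worm's Friday/Sunday 19:00-22:00 window before the 10 September 2003 cut-off, then flags matching outbound UDP/8998 flows in constructed firewall log lines. The log line format is an assumption; an ALLOW hit shows a host for which the recommended outbound block is not in place.

```python
"""Added example: flag outbound UDP/8998 traffic inside W32/Sobig-F's update window."""
import re
from datetime import date, datetime, timezone

ACTIVATION_PORT = 8998                        # destination port named in the advisory
WINDOW_START_HOUR, WINDOW_END_HOUR = 19, 22   # 19:00-22:00 UTC
ACTIVATION_WEEKDAYS = {4, 6}                  # Friday and Sunday (Monday == 0)
EXPIRY = date(2003, 9, 10)                    # worm stops working on or after this date


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2003-08-22T19:05:12Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_activation_window(ts):
    """True if ts falls on a Friday or Sunday, 19:00-22:00 UTC, before the cut-off date."""
    ts = ts.astimezone(timezone.utc)
    if ts.date() >= EXPIRY:
        return False
    return ts.weekday() in ACTIVATION_WEEKDAYS and WINDOW_START_HOUR <= ts.hour < WINDOW_END_HOUR


# Constructed sample log; assumed format: "<timestamp> <src> -> <dst>:<port> <proto> <action>"
SAMPLE_LOG = """\
2003-08-22T19:05:12Z 10.0.0.15 -> 192.0.2.10:8998 udp ALLOW
2003-08-22T19:06:40Z 10.0.0.22 -> 192.0.2.11:8998 udp DROP
2003-08-22T14:30:00Z 10.0.0.15 -> 192.0.2.10:8998 udp ALLOW
2003-08-22T19:10:00Z 10.0.0.15 -> 198.51.100.7:123 udp ALLOW
2003-08-24T20:00:00Z 10.0.0.30 -> 192.0.2.12:8998 udp ALLOW
2003-09-12T19:10:00Z 10.0.0.15 -> 192.0.2.10:8998 udp ALLOW
"""
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+) (\w+)$")


def find_sobig_attempts(log_text):
    """Return (src, dst, action) for each UDP/8998 flow inside the activation window."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts_raw, src, dst, port, proto, action = m.groups()
        if proto == "udp" and int(port) == ACTIVATION_PORT and in_activation_window(parse_ts(ts_raw)):
            hits.append((src, dst, action))
    return hits
```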
Read information about how to disinfect the W32/Sobig-F worm and protect yourself against attack.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.