(New Scientist) Anti-virus companies were racing against time on Friday to block a sting in the tail of the SoBig.F virus. The computer virus has broken all records for the number and prevalence of infections since its appearance on Monday.

Experts analysing the virus’s code discovered that, at 1900 GMT on Friday, machines infected by the virus would connect via the internet to any one of 20 computers for instructions to download an as-yet-unknown program. This could do anything from displaying a harmless message on users’ screens, to wiping entire hard disks.

At 1500 GMT, Mikko Hypponen, director of anti-virus research at F-Secure, told New Scientist that 18 of the 20 internet addresses his company had identified in the virus had been blocked. “But if even one machine remains online at the deadline, anything could happen,” he warned.

Hypponen said F-secure had notified the FBI and internet service providers who run the addresses listed in the worm and said some of the companies have agreed to temporarily block access to those machines. The target machines are based in Canada, USA and South Korea.

Unreachable address

At 1750 GMT, New Scientist ascertained that all but one of the 20 addresses were inaccessible. The 19 unreachable addresses may have been blocked, or could always have been protected by a firewall.

The last open address is in Toronto, and is provided by the internet service provider Sympatico. Its spokesperson told New Scientist: “We are aware of the virus and are working with local law enforcement to identify the person behind the virus.”

A possible reason for deliberately leaving an address open might be to act as a “honey pot” – an address controlled by the authorities to observe the worm in action.

However, the latest analysis of SoBig.F has revealed that even if this attempt to block access to the 20 addresses is successful, more action may be needed. Infected machines are programmed to check twice a week at the same time for new list of servers to contact. This new list could be delivered via a new virus.

Home users

The existing list of 20 appears to list Windows PCs belonging to home users and connected to the internet via always-on, ADSL broadband connections, says Hypponen. “It is most likely that the party behind SoBig.F has broken into these computers and they are now being misused to be part of this attack.”

The worm’s previous variant, SoBig.E, downloaded a program that removed the virus itself to cover its tracks, and then tried to steal the user’s network and web passwords.

But the machines infected with SoBig.F will try to connect to port 8998 on one of the hijacked machines. They will transmit a secret 8-byte code, which will cause the hijacked machines to return a web link to a site from which the malicious code can be downloaded.

Attempts to discover this target link have so far been foiled, as the worm’s writer used a bogus URL. Experts believe that this link would be changed to the real one a few seconds before the deadline, too late for companies to block.