Sobig-F's attempts to download a mystery program to infected machines failed over the weekend. But experts are...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
not patting themselves on the back as they worry that the next variant of the worm, Sobig-G, may come sooner than expected.
"It may come early, as the worm writer's plan failed," said Mikko Hypponen, manager of antivirus research for F-Secure Corp., in Helsinki, Finland.
Sobig-F is programmed to download a program every Friday and Sunday, between 3 p.m. and 6 p.m. EDT, until Sept. 10. The worm is supposed to get a URL pointing to the program from one of 20 remote servers. Antivirus experts weren't able to ascertain what the downloaded program would do.
That may be moot at this point, because the 20 servers weren't accessible over the weekend. Eighteen were taken down by ISPs, Hypponen said. "It stands to reason that [if] we can't access them, then the worm wouldn't be able to either," he said.
ISPs were also filtering UDP port 8998 traffic over the weekend. The worm used that port to access the remote servers. Blocking it wasn't a huge issue because there are not a lot of legitimate uses for that port, Hypponen said.
It's not unusual for ISPs to filter certain kinds of traffic when threats are associated with them. For example, ISPs filtered port 135 traffic two weeks ago when Lovsan struck. They could only filter for a few days because companies had legitimate uses for that port, but it was enough to hamper the worm's progress.
In the case of port 8998, ISPs shouldn't have any problems filtering that port over the next couple of weeks.
FOR MORE INFORMATION: