The Sobig.F worm, which is estimated to have infected more than 100,000 computers and generated tens of millions of e-mails,
could have begun life disguised as a pornographic picture in a posting to a handful of Usenet newsgroups.
Easynews, a Phoenix-based provider of Usenet access, said it was served by the U.S. Federal Bureau of Investigation (FBI)
with a subpoena relating to an account on its service that had been used to post the worm to Usenet. Easynews said it released
customer records relating to the account to the FBI after receiving a copy of the subpoena on Friday morning.
Details of one posting made using the account were released by Easynews. It shows a posting on Monday August 18 at 3:46 pm
EDT to six newsgroups: alt.binaries.amp, alt.binaries.boneless, alt.binaries.nl, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica
and alt.binaries.pictures.erotica.amateur.female.
The posting had the title "Nice, who has more of it? DSC-00465.jpeg" and contained a photo which, when clicked on, infected
the browser's computer with the worm, said Easynews.
The company said the account in question appears to have been created with a stolen credit card for the sole purpose of uploading
the virus to Usenet and was created a matter of minutes before the posting was made.
A search of Google's Usenet archive appears to back this up. It reveals a test posting carrying the same sender e-mail address
listed in the worm posting -- misiko@dot.com -- was made to the alt.alt.test newsgroup nine minutes before the posting detailed
by Easynews. That posting contained a short string of "1"s.
Realtime Communications, an Austin, Texas, Internet service provider which operates the dot.com domain, said the e-mail account
listed in the posting is a fictitious one.
"The domain dot.com has only three e-mail addresses, and the address misiko@dot.com has never existed," a spokesman said by
e-mail on Sunday. "It is trivial to put a fake e-mail address on a Usenet posting. In fact most people do this as a matter
of habit, to prevent their e-mail address being captured by a spammer."
Two news reports Sunday, on the Web sites of Canada's National Post and Ottawa Citizen, said investigators had discovered
the Usenet posting was made from a personal computer in British Columbia that had been infected by the virus.
Usenet is a vast distributed network made up of thousands of discussion groups, called newsgroups. It predates the World Wide
Web as an Internet application and subjects up for discussion on Usenet are as varied as the millions of people that use it.
Some bring together computer engineers working on modifications to the Linux operating system while others are concerned with,
for example, Eastern European culture, apartments for rent, astronomy, classic cars, political discussion and pornography.
NEWS
