Sobig.F worm could have originated on Usenet

The Sobig.F worm, which is estimated to have infected more than 100,000 computers and generated tens of millions of e-mails, could have begun life disguised as a pornographic picture in a posting to a handful of Usenet newsgroups.

Easynews, a Phoenix-based provider of Usenet access, said it was served by the U.S. Federal Bureau of Investigation (FBI) with a subpoena relating to an account on its service that had been used to post the worm to Usenet. Easynews said it released customer records relating to the account to the FBI after receiving a copy of the subpoena on Friday morning.

Details of one posting made using the account were released by Easynews. It shows a posting on Monday August 18 at 3:46 pm EDT to six newsgroups: alt.binaries.amp, alt.binaries.boneless, alt.binaries.nl, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica and alt.binaries.pictures.erotica.amateur.female.

The posting had the title "Nice, who has more of it? DSC-00465.jpeg" and contained a photo which, when clicked on, infected the browser's computer with the worm, said Easynews.

The Sobig worm used Windows PIF (program information) files to spread on the Internet. However, it is unclear what kind of file the virus author used to launch the virus in its initial seeding.

The company said the account in question appears to have been created with a stolen credit card for the sole purpose of uploading the virus to Usenet and was created a matter of minutes before the posting was made.

A search of Google's Usenet archive appears to back this up. It reveals a test posting carrying the same sender e-mail address listed in the worm posting -- misiko@dot.com -- was made to the alt.alt.test newsgroup nine minutes before the posting detailed by Easynews. That posting contained a short string of "1"s.

Realtime Communications, an Austin, Texas, Internet service provider which operates the dot.com domain, said the e-mail account listed in the posting is a fictitious one.

"The domain dot.com has only three e-mail addresses, and the address misiko@dot.com has never existed," a spokesman said by e-mail on Sunday. "It is trivial to put a fake e-mail address on a Usenet posting. In fact most people do this as a matter of habit, to prevent their e-mail address being captured by a spammer."

Two news reports Sunday, on the Web sites of Canada's National Post and Ottawa Citizen, said investigators had discovered the Usenet posting was made from a personal computer in British Columbia that had been infected by the virus.

Usenet is a vast distributed network made up of thousands of discussion groups, called newsgroups. It predates the World Wide Web as an Internet application and subjects up for discussion on Usenet are as varied as the millions of people that use it. Some bring together computer engineers working on modifications to the Linux operating system while others are concerned with, for example, Eastern European culture, apartments for rent, astronomy, classic cars, political discussion and pornography.