Time Warner Telecom may be next Sobig.F target

PARIS - Romanian researchers claim to have discovered a variant of the Sobig.F virus that looks to mail and domain name servers at Time Warner Telecom Inc. for information about how to modify its behavior.

The first Sobig.F virus contained an encrypted list of the IP (Internet Protocol) addresses of 20 servers. At a predetermined time it would contact each server in turn until one responded with the URL (Uniform Resource Locator) of a file it would then attempt to download and execute.

Last week, antivirus software developers and network operators raced to identify and shut down the 20 servers, before the machines could issue instructions to the virus.

Now it seems the goalposts may have been moved, as a variant of the virus, containing a different list of servers to contact, is circulating.

The new Sobig.F variant contains an encrypted list of the names of seven servers operated by Time Warner Telecom (TWT), according to researchers at Softwin SRL, an antivirus software company in Bucharest, Romania.

Two of the servers are SMTP (Simple Mail Transfer Protocol) servers that the virus uses to send out more copies of itself in infected e-mail messages, according to Mihai Chiriac, who works on Softwin's BitDefender antivirus software. The virus tries to contact the other five -- apparently domain name servers -- on port 8998 to ask for the URL of a file to download and execute.

"When the virus tried to access the servers on that particular port, the servers did not respond because that port was closed. But this may mean that some time from now, that port may be opened. We have to look at every possibility," Chiriac said.

Chiriac found the decrypted domain names stored in his computer's memory while he was analyzing the behavior of the Sobig.F virus. Softwin has received at least three messages containing the variant, which had apparently been sent to the company randomly by the virus, and not deliberately by a human being, he said. He has not yet determined what triggers the virus to contact the TWT servers.

A TWT spokesman was not immediately able to comment on the matter.

Staff at another antivirus software company, MessageLabs Ltd. of Gloucester, England, had not yet encountered the variant, but found it intriguing that the virus might update itself using a list of domain names, rather than a list of IP addresses.

"It's interesting because it means they can update the addresses externally by manipulating the DNS," said MessageLabs Chief Information Security Analyst Paul Wood.

In this way, the target of the virus can be changed without the virus itself needing to be updated, he said.

According to BitDefender's Chiriac, the variant Sobig.F is detected by antivirus software in the same way as the original Sobig.F, only the data segment of the virus is different, he said.