A Finnish computer security expert said Friday that investigators had won a race against the clock and averted a second round of mayhem programmed into the Sobig.F virus, but others tracking the online malady said they weren’t so sure. As investigators raced the clock, the FBI subpoenaed an Arizona Internet service provider to trace the culprit behind the fastest-spreading computer virus ever, which security experts said may have first been posted to a pornographic Usenet group.
***
THE FRANTIC CHASE began late Thursday, when virus experts analyzing the programming of Sobig.F discovered coding instructing infected machines to attempt to connect with one of 20 computers between 3 p.m. and 6 p.m. ET Friday and again during the same time period on Sunday and download a software program.
The 20 computers apparently were picked at random for use in distributing a second phase of the attack.
Security experts said they had no idea what the program might do, but they feared that it could “corrupt data, damage machines or launch a widely distributed attack against a Web site,” according to Chris Belthoff, a senior security analyst with the antivirus firm Sophos.
Mikko Hyppönen, head of antivirus research at the Finland-based firm F-Secure, who said he worked with the FBI and Microsoft Corp. to locate the 20 computers and ensure that they were disconnected before the deadline, told MSNBC.com that the task had been completed with just over an hour to spare.


***

From the same MSNBC source... Sorry, I usually won't cut and paste that much but linking to news stories sometimes doesn't work, an this is such a fascinating read.
[Message Edited]

I vote the culprit gets as many man-hours of jail as he has cost the world community in lost productivity dealing with it....my guess is he'll be a few hundred years beyond his use-by date...

Well, with re-mailers, spoofing, secure tunnels, off shore servers and all the extra not mentioned. Finding the person who did the actually deed might just about be impossible excluding the fact that they are idiots so they probably didn't cover their tracks as well as they think they have.

They did make a point without giving them any credit of course it is an obvious point so I guess they reconfirmed it in the largest manner " Microsoft needs to hammer it's software and patch's hard a furious before releasing them, we are NOT part of a paying for the privilege to be on their un-witting Beta Team "...

But it isn't just MS that needs to do this it is also software companies in general if they deal with directly accessing networks.

IPv6 has a good chance at helping control some of the nefarious junk cracking. But hacking the OS that everything is built to interface with is one of the key places to demand better controls be put into place which is why I mention MS.

anyway...

more from that article:

The virus apparently was disguised so that anyone who clicked on a link purporting to show a sexually graphic picture became infected with the self-replicating worm, which then spread itself to other e-mail addresses.
Internet service provider Easynews.com of Phoenix said in a statement that the FBI contacted it Thursday, alleging that someone had used its Usenet server to upload the picture on Aug. 18. Easynews said it refused to provide any information until a faxed subpoena arrived from the FBI on Friday.
The header of the original message presents the sender’s address as Misiko @ dot.com. It was posted to six newsgroups, the names of some of which suggested they featured pornographic images. Easynews’ technology director, Michael Minor, said it appeared that the culprit used a stolen credit card to create the account from which the virus was posted.
^^^
Header information from the original Usenet message suspected of carrying the Sobig.F virus:
Path: news.easynews.com!core-easynews!newsfeed1.easynews.com!easynews.com!easynews!easynews-local!news.easynews.com.POSTED!not-for-mail From: Misiko Newsgroups: alt.binaries.amp, alt.binaries.boneless, alt.binaries.nl, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica, alt.binaries.pictures.erotica.amateur.female Subject: Nice, who has more of it? DSC-00465.jpeg Message-ID: Organization: Misiko X-Newsreader: MicroPlanet Gravity v2.50 Lines: 2815 X-Complaints-To: abuse @ easynews.com X-Complaints-Info: Please be sure to forward a copy of ALL headers otherwise we will be unable to process your complaint properly. Date: Mon, 18 Aug 2003 19:46:19 GMT Xref: core-easynews alt.binaries.amp:2476089 alt.binaries.boneless:29017892 alt.binaries.nl:32597838 alt.binaries.pictures.chimera:2199579 alt.binaries.pictures.erotica:10555867 alt.binaries.pictures.erotica.amateur.female:3953364 X-Received-Date: Mon, 18 Aug 2003 12:45:13 MST (news.easynews.com)

goodmorphing thinks this must not be much information at all since they haven't caught the guy.
[Message Edited]

no, it is some information but nothing really if the person has half a clue how to avoid them finding them.

Fake ID, Internet Café, re-routing, re-mailers, spoofing, stolen NTTP account(NewsGroup ISP account) and a floppy disk is all it takes, from anywhere in the world...

It is nothing more than a point of reference for them to start at as far as the point of exposure to the net for the most part...

Oh by the way, things got all screwy over time but historically...

you Crack a servers, computer, network
you Phreak a phone system
you Hack a program

odd how things get all changed around and no one notices....

im running pretty much the same as IPlural and have had no problems there are symantec scanners for the two newest viruses/worms on downloads.com they scan and remove and traces of these virues here r the links hope it can help!!!!!

this 1 is for W32.Sobig.F@mm: http://download.com.com/3000-2092-10221650.html



and this 1 is for W32.Blaster.Worm: http://download.com.com/3000-2092-10219756.html


the W32.Sobig.F@mm virus is the emailing everyone.. i hope i could be of a help

I am a way from my home for a weekend with my laptop and I have open Outlook Express this morning to check my e-mails...you won’t believe what I have found, 3.685 e-mails from this damn W32/Sobig worm in less than one day!!!!!!
It was impossible to use my e-mail any more; it would take me one day to open them all with my 800 MHZ laptop!
It is the first time in my "computer" life that I am having a problem with a virus who can’t touch me, but really makes my life difficult!

It is very easy to recognize this worm, but it is really impossible to kill those e-mails in the provider’s server, before they come to your e-mail in-box, it could take for ever waiting the Norton or other Antivirus software to kill the viruses.
It is a huge wasting of time!

But now, after reading all the previous posts, I have found the solution!

Mailwasher has saved my "digital" life from this specific damn worm!!!!
it is free and you can get it from this link: http://www.mailwasher.net/download.php

Thanks everybody!

cool adni18! not cool you got hit but cool you found something that fixed you up

Yes...mailwasher must be doing something for me, since so far I've 'only' had about 20 or 30 of the emails....in total...

from MSN news:

FBI agents have subpoenaed an Arizona company for clues to the origins of a fast-spreading computer virus that slowed e-mail systems worldwide this week and threatened to launch an attack that was averted. The virus is programmed to try another attack Sunday, but experts say the attack has already been blocked.

THE VIRUS, the “F” variant of “Sobig,” contained instructions to launch an attack Friday afternoon, but experts were able to identify and block most of the key computers needed as accomplices.

Sobig was programmed to try again Sunday, “but I think it’s really mitigated,” said Chris Rouland, vice president for research and development at Internet Security Systems Inc. “All the network operators are aware they need to block these (Internet addresses) now.”

Thats really neat that Mail Washer altho Pro version may come in handy, cheers.

I have started to format my computer and I am making a new clean install, so do not search for me, I will come sometimes with my laptop and I will reinstall my main machine in same time.

Too many things happend on my pc recently to not do something, I could not uninstall Norton, it would not let me and some other things too

awwwwwwwwwwwwwwwwwwwww I am sorry Alexandrie. I hope you did not lose much data.

These dang viri writers ..... I hate them. They are nothing more than terrorists.

#87

I have done this too Alexandrie, two days ago I have format and reinstall everything!!!

It took me one day to do all those installations!

But this was the last time, now I have a drive copy, which means that if I see something strange happening in my computer, I can replace the C drive in less than some minutes with a fresh copy of everything I am using, system, drivers, software, everything will be like it was 2 days ago, fresh and fast!

System restore doesn't work all the times and it is not the same.

Norton Ghost is too complicated for me to use it.

Acronis is the best, nice and friendly interface and only 2 step procedure!!! One to back-up everything and one to restore everything! Though it is not free

Interesting? Here is the link of Acronis: http://www.acronis.com/products/trueimage/

Take care everyone!

Hey guys kona feels your pain. My little Dell laptop is feeling better. I just got rid of that stupid Sobig F virus. Thanks to Norton!

But next time, I am reinstalling with 98/Linux!