Self-Termination Aside, Sobig Still Lives: Report

Programmed to kill itself two months ago, Sobig is still alive and well and considered by at least one e-mail security company to be the third most active virus in cyberspace during November.

MessageLabs has reported that about 264,000 copies of Sobig were picked up by its virus-scanning servers, well below the virus’s peak earlier this year, but still surprising considering the reported September 10 self-shutdown, according to CNET.

The company told CNET that Sobig F continues to proliferate because of a combination of factors, including successful efforts to keep it from doing even more damage and a lot of infected PCs set to the wrong date.

Sobig F was first spotted in mid-August, spread by e-mail, and massively disrupted corporate networks while trying to take over computers in a planned denial-of-service round, which was thwarted when compromised servers were taken offline. MessageLabs told CNET that this might have kept numerous copies of Sobig from terminating themselves.

“The plug was pulled on the target servers before the PCs that were infected by Sobig could download the final bit of code,” principal information security analyst Paul Wood told CNET. “Once that file had been downloaded and the PC was at the final stage, they would have stopped propagating more copies of Sobig.F to avoid anyone spotting the fact that they’d already been compromised.” That means, he said, that infected computers still spread Sobig and don’t check dates.

The built-in self-termination means most PCs getting copies of the virus now “should not try to forward it on,” CNET said, but PCs set to incorrect dates may be the main cause of the virus’s longevity, especially on home computers whose tiny internal clock batteries have run down and not been replaced.