Close Call - the Sobig.F activation was prevented

F-Secure helped to shut down servers needed by the attack

Helsinki, Finland - August 23, 2003

The expected Internet activation of the Sobig.F worm has been prevented. The activation was programmed to take place on Friday the 22nd of August at 19:00 UTC. It was prevented through a 24-hour race against the clock by various organizations around the world. Everything started from the detailed analysis of the worm by the F-Secure research team, which found and decrypted the encrypted list of 20 compromised server IP addresses from within the worm. Armed with the list of 20 IP addresses, F-Secure, various internet service providers, CERT organizations from around the world, the FBI and Microsoft were able to locate and disconnect or shut down most of the master servers necessary for the activation to be successful.

Six hours before the deadline, 11 of them were disconnected from the Internet. Just before the activation, 18 of them were disconnected. One of the remaining servers was unreachable, perhaps turned off. One was still operating when the activation started, but it immediately became unreachable as tens of thousands of infected machines from around the world started sending traffic to it.

F-Secure has been attempting to connect to all the 20 machines from three different sensors in three different countries to confirm that they are down. So far, we've been unable to connect even once. If we can't connect, neither can the infected machines - and the activation won't succeed.

The worm will try to activate again at the same time on every following Friday and Sunday until September 10th. However, these attempts will most probably not be successful either.

Sobig.F, which is currently the most widespread worm in the world, contains an encrypted list of 20 servers located in the USA, Canada and South Korea. The worm tried to connect to these servers to download the address of another server from which the worm would have downloaded an unknown application. The application would have then been immediately executed on all the infected computers.

More information about the Sobig.F worm and the attempted attack is available at http://www.F-Secure.com

About F-Secure

F-Secure Corporation is the leading provider of centrally managed security solutions for the mobile enterprise. The company's award-winning products include antivirus, file encryption and network security solutions for major platforms from desktops to servers and from laptops to handhelds. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since November 1999. The company is headquartered in Helsinki, Finland, with the North American headquarters in San Jose, California, as well as offices in Germany, Sweden, Japan and the United Kingdom and regional offices in the USA. F-Secure is supported by a network of value added resellers and distributors in over 90 countries around the globe. Through licensing and distribution agreements, the company’s security applications are available for the products of the leading handheld equipment manufacturers, such as Nokia and HP.

For more information, please contact:

Finland:
F-Secure Corporation
Mikko Hypponen, Director, Anti-Virus Research
PL 24
FIN-00181 Helsinki
Tel +358 9 2520 5513
Fax +358 9 2520 5001
Email Mikko.Hypponen@F-Secure.com

Media contact in the USA:
F-Secure Inc.
Heather Deem
675 N. First Street, 5th Floor
San Jose, CA 95112
Tel +1 408 350 2178
Fax +1 408 938 6701
Email Heather.Deem@F-Secure.com
