According to The New York Times, there are several theories on what motivates the unidentified author of six viruses that have surfaced in the past eight months. SoBig was just the latest, and might not be the last: Experts believe a new virus might appear once SoBig expires on Sept. 10.
SoBig is transmitted as an attachment to an email. Once the attachment is opened, it directs the computer to send copies of the virus to email addresses used by the target computer.
That would make it ideal for getting around spam-blocking software used by many businesses, which can block email from a spam-sending Internet address but couldn't block millions of emails from separate individual accounts.
Joe Hartmann, director of an antivirus firm in Tokyo, told The Times: "If machines remain infected they could be used in any kind of attack. We don't think it's planned for a specific threat, rather its more likely a money-making spam scheme."
Experts interviewed by the newspaper said there were indications that the author or authors of SoBig had money and were connected to spammers.
The virus is multiplying at a slower rate now than last week, appearing in one in 50 emails as opposed to one in 17, according to the virus protection company MessageLabs. Users are advised not to open an attachment unless they are expecting one.
People get the SoBig virus when they click on attachments to e-mail carrying such subject lines as "Details," "Approved" and "Thank you!"
Mikko Hypponen, manager of antivirus research with F-Secure Corp. in Finland, said users should clean their computers using antivirus software — antivirus companies have issued free tools to do so — or turn off machines if they cannot run the disinfecting software.
Users with firewall programs can also block UDP port 8998, which is the Internet opening the virus uses to communicate.
A feared Internet attack resulting from the fast-spreading virus fizzled Friday, as security officials said they contained it by identifying and blocking computers key to coordinating it.
Instructions written into "SoBig" virus called for infected Windows machines to try to download a program that, until the attack began at 3 p.m. Friday, had an unknown function.
Experts feared the program could have deleted files, stolen passwords or created rogue e-mail servers for spreading junk e-mail.
But Vincent Weafer, security director with Symantec Security Response, said that when the appointed time came, all the virus did was visit a pornography site.
"There is nothing malicious, just a standard sex site," he said.
Friday's attack began with the virus attempting to reach one of at least 20 computers, mostly in the United States and Canada, to obtain information key to continuing.
Internet addresses written into the virus point to those computers being home machines connected through broadband services like cable or DSL, said Chris Rouland, vice president for research and development at Internet Security Systems Inc. It was unlikely the machines' owners knew that they were picked as accomplices, he said.
Antivirus experts identified those computers and persuaded service providers to shut Internet access to some of them.
Within minutes of the attack's beginning, researchers at Network Associates Inc., an antivirus software vendor, were unable to reach any of those computers, said Craig Schmugar, a virus research engineer.
SoBig resulted in e-mail disruptions at several businesses, universities and other institutions. SoBig did not physically damage computers, files or critical data, but it tied up computer and networking resources.
The SoBig outbreak came just one week after a virus known as "LovSan" and "Blaster" took advantage of a flaw in the Windows operating system to clog computer networks. The "Blaster" outbreak has started to subside, experts said.