Of the handful that remain, some probably began with innocent intentions. Welchia, also called Nachi, was initially taken for a good worm because it was apparently designed to clean up the cause of the previous week's headlining worm, Blaster. Welchia was like an overly helpful relative who thinks he knows how to handle the plumbing. Once inside a system, it removed Blaster and automatically downloaded and installed Microsoft's patch for the hole Blaster had used. But when large numbers of PCs on the same network did this at once, each also scanning the network for still more machines to "fix", the traffic brought the network down, especially at large corporations. "Virus writers don't do quality assurance," says David Perry, director of education at Tokyo-based Internet-security firm Trend Micro. "A lot of viruses cause more damage by being poorly written than anything else."
In the case of a well-constructed worm like Sobig.F, no damage is done to the PCs. The network suffers; your hard drive doesn't. On the face of it, Sobig.F's aim is merely that of every species on Earth: to make as many copies of itself as possible. There have been five mutations of the original Sobig worm, apparently tweaked by the same author since its January debut. The one that won the evolutionary lottery is Sobig.F, which works so well because it grabs anything that looks like an e-mail address on your hard drive (address books, saved mail, cached web pages) and secretly e-mails itself to all of them, forging the From line with another of the harvested addresses so that each copy appears to come from someone the recipient may know. A side effect is that the bounces and virus warnings go back to whoever's address was borrowed, not to the infected machine.
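To make the mechanism concrete, here is an added illustration (not code from the article, and not Sobig.F's own code) of the two halves described above: a loose harvest of every address-like string on a disk, a batch of outbound copies whose sender is borrowed from the same pool, and one heuristic a mail gateway could use to spot that pattern. The file contents, host names, owner mapping and attachment name are all constructed for the example.

```python
"""Added example: address harvesting, borrowed senders, and a gateway heuristic.
Everything below (file contents, hosts, owners, attachment name) is constructed."""
import re
from collections import Counter, defaultdict

# The kind of deliberately loose pattern a harvesting worm uses: anything that
# looks like user@host.tld, wherever it appears in a file.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed stand-ins for files on an infected PC: an address book, a cached
# web page and a saved message. None of these are real addresses.
FAKE_DISK = {
    "contacts.wab": "Alice Example <alice@example.com>; bob@example.net",
    "cache/page.html": '<a href="mailto:webmaster@example.org">mail</a> admin@example.org',
    "inbox/msg1.eml": "From: carol@example.com\nTo: dave@example.net\n\nsee attached",
}

def harvest(files):
    """Return every unique address-like string found across all files: the worm's 'To' list."""
    found = set()
    for text in files.values():
        found.update(ADDR_RE.findall(text))
    return sorted(found)

def build_messages(addresses, owner, host, attachment="your_document.pif"):
    """Simulate the worm's outbound batch from one infected host: one copy per
    harvested address, with the From header taken from the harvested pool and
    never from the machine's real user (so recipients cannot tell who is infected).
    The attachment name is a constructed placeholder."""
    pool = [a for a in addresses if a != owner]
    return [
        {"host": host, "from": pool[i % len(pool)], "to": to, "attachment": attachment}
        for i, to in enumerate(addresses)
    ]

def flag_mass_mailers(records, host_owner, min_msgs=5):
    """Gateway-side heuristic: flag a host that submits at least min_msgs messages
    whose From address is not its registered user and which share one attachment
    name. Legitimate mail from a single desktop rarely looks like this."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    flagged = {}
    for host, msgs in by_host.items():
        spoofed = [m for m in msgs if m["from"] != host_owner.get(host)]
        if len(spoofed) < min_msgs:
            continue
        top_attachment, count = Counter(m["attachment"] for m in spoofed).most_common(1)[0]
        if count >= min_msgs:
            flagged[host] = {
                "messages": len(spoofed),
                "distinct_senders": len({m["from"] for m in spoofed}),
                "attachment": top_attachment,
            }
    return flagged

# Constructed inventory: which real user sits behind each submitting host.
HOST_OWNER = {"pc-alice": "alice@example.com", "pc-erin": "erin@example.com"}

def demo():
    """Run the scenario: one infected desktop plus one legitimate desktop."""
    harvested = harvest(FAKE_DISK)
    worm_batch = build_messages(harvested, owner="alice@example.com", host="pc-alice")
    legit = [
        {"host": "pc-erin", "from": "erin@example.com", "to": "bob@example.net", "attachment": "q3.xls"},
        {"host": "pc-erin", "from": "erin@example.com", "to": "dave@example.net", "attachment": None},
    ]
    return harvested, flag_mass_mailers(worm_batch + legit, HOST_OWNER)

if __name__ == "__main__":
    addrs, flagged = demo()
    print("harvested:", addrs)
    print("flagged:", flagged)
```

The heuristic keys on the submitting host rather than on the From header precisely because the header is the forged part; in a real deployment the host would be the client IP recorded by the outbound relay, and the owner mapping would come from the directory.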
Then comes the twist. Running on a built-in timer, Sobig.F was due to instruct infected computers to contact 20 Internet servers worldwide--themselves probably infected with a back-door virus--that Sobig's author could use as a drop box, leaving nefarious new instructions for his worm there. Investigators succeeded in taking 19 of the computers off-line before that could happen, and the 20th simply directed users to a run-of-the-mill sex site. Either Sobig.F was not intended to cause damage beyond all the disruption, or its author was feeling the heat of the law and worried about leaving a trail, even though virus writers are notoriously difficult to track down because they work through so many layers of infected machines and fake user accounts.
The rise of Sobig.F illustrates how easily a determined fiend--even a terrorist--could sow mayhem. Picture a future Sobig using millions of infected machines to hack into the servers of a major bank. "The virus-writer world and the hacker world have come together," says Vincent Weafer, senior director at Symantec Security Response. "They don't care who you are. Your machine is an asset to them." In the past, hacker groups have been able to make tens of thousands of compromised PCs take part in denial-of-service attacks--bringing a website down by flooding it with connection requests until legitimate visitors can no longer get through. The Blaster worm, which declared its enemy to be "billy gates," pointed some 400,000 host PCs at Microsoft's windowsupdate.com at the same time on the same day. But Microsoft dodged that bullet: the Windows Update service actually lived at windowsupdate.microsoft.com, and windowsupdate.com merely redirected there, so Microsoft simply removed that domain's DNS entry before the deadline and left the flood with nowhere to go.
