The first Sobig.F virus contained an encrypted list of the IP (Internet Protocol) addresses of 20 servers. At a predetermined time it would contact each server in turn until one responded with the URL of a file it would then attempt to download and execute.
Last week, antivirus software developers and network operators raced to identify and shut down the 20 servers before the machines could issue instructions to the virus. Now it seems the goalposts may have been moved: a variant of the virus, containing a different list of servers to contact, is circulating.
The latest Sobig.F variant contains an encrypted list of the names of seven servers operated by Time Warner Telecom (TWT), according to researchers at Softwin SRL, an antivirus software company in Romania.
Two of the servers are SMTP (Simple Mail Transfer Protocol) servers that the virus uses to send out more copies of itself in infected e-mail messages, according to Mihai Chiriac, who works on Softwin's BitDefender antivirus software.
The virus tries to contact the other five - apparently domain name servers - on port 8998 to ask for the URL of a file to download and execute.
"When the virus tried to access the servers on that particular port, the servers did not respond because that port was closed. But some time from now, that port may be opened. We have to look at every possibility," Chiriac said.
Chiriac found the decrypted domain names stored in his computer's memory while he was analysing the behaviour of the Sobig.F virus. Softwin has received at least three messages containing the variant, which had, apparently, been randomly sent to the company, he said. The mechanism that triggers the virus to contact the TWT servers has not yet been determined.
A TWT spokesman was unable to comment on the matter.
MessageLabs, the UK-based managed e-mail and security provider, has not yet encountered the variant, but chief information security analyst Paul Wood thought it potentially significant that the virus might update itself using a list of domain names, rather than a list of IP addresses.
"It's interesting because it means they can update the addresses externally by manipulating the DNS," he said.
In this way, the target of the virus can be changed without the virus itself needing to be updated, he added.
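For defenders, the consequence is that a blocklist of resolved IP addresses goes stale as soon as the DNS records change, while the destination port the infected host uses does not. The sketch below is an added example, not code from the article or from any vendor named in it; the log format, the addresses (documentation ranges), the blocklist and the two-destination threshold are all assumptions made for illustration.

```python
from collections import defaultdict

CONTROL_PORT = 8998  # port the article says the virus contacts for its download URL

# Constructed firewall log: "time src dst_ip dst_port action".
# Day 2 models the same server names resolving to new addresses after a DNS change.
SAMPLE_LOG = """\
day1T12:00:01 10.0.0.15 192.0.2.10 8998 DENY
day1T12:00:03 10.0.0.15 192.0.2.11 8998 DENY
day1T12:00:05 10.0.0.15 192.0.2.12 8998 DENY
day1T12:00:09 10.0.0.22 198.51.100.7 80 ALLOW
this line is malformed and must be skipped
day2T12:00:01 10.0.0.31 203.0.113.5 8998 DENY
day2T12:00:02 10.0.0.31 203.0.113.6 8998 DENY
"""

# Hypothetical blocklist built from what the names resolved to on day 1.
STALE_IP_BLOCKLIST = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}


def parse(log):
    """Yield (src, dst, port) for each well-formed log line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # ignore lines that do not match the assumed format
        _, src, dst, port, _ = parts
        yield src, dst, int(port)


def hosts_by_blocklist(log, blocklist):
    """Internal hosts seen contacting an address on a static IP blocklist."""
    return {src for src, dst, _ in parse(log) if dst in blocklist}


def hosts_by_port(log, port=CONTROL_PORT, min_destinations=2):
    """Internal hosts that tried several distinct servers on the control port,
    matching the 'contact each server in turn' behaviour, whatever the IPs are."""
    seen = defaultdict(set)
    for src, dst, dport in parse(log):
        if dport == port:
            seen[src].add(dst)
    return {src for src, dsts in seen.items() if len(dsts) >= min_destinations}


if __name__ == "__main__":
    print("blocklist match:", sorted(hosts_by_blocklist(SAMPLE_LOG, STALE_IP_BLOCKLIST)))
    print("port behaviour :", sorted(hosts_by_port(SAMPLE_LOG)))
```

On the constructed log, the IP blocklist finds only the day-1 host, while the port-based check also finds the host that contacted the re-pointed addresses.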
According to Chiriac, the variant Sobig.F is detected by antivirus software in the same way as the original Sobig.F. Only the data segment of the virus is different, he said.
Peter Sayer writes for IDG News Service