The Sobig.F worm, which is estimated to have infected more than 100,000 computers and generated tens of millions of emails, could have begun life disguised as a pornographic picture in a posting to a handful of Usenet newsgroups.
Easynews Inc., a Phoenix, Arizona, based provider of Usenet access, said it was served by the FBI with a subpoena relating to an account on its service that had been used to post the worm to Usenet.
Easynews said it released customer records relating to the account to the FBI after receiving a copy of the subpoena on Friday morning.
Details of one posting made using the account were released by Easynews. It showed a posting on Monday August 18 at 19:46 GMT (3:46pm EDT) to six newsgroups: alt.binaries.amp, alt.binaries.boneless, alt.binaries.nl, alt.binaries.pictures.chimera, alt.binaries.pictures.erotica and alt.binaries.pictures.erotica.amateur.female.
The posting had the title "Nice, who has more of it? DSC-00465.jpeg" and contained a photo which, when clicked on, infected the browser's computer with the worm, said Easynews.
The company said the account in question appeared to have been created with a stolen credit card for the sole purpose of uploading the virus to Usenet and was created a matter of minutes before the posting was made.
A search of Google's Usenet archive appears to back this up. It reveals a test posting carrying the same sender e-mail address listed in the worm posting - [email protected] - was made to the alt.alt.test newsgroup nine minutes before the posting detailed by Easynews. That posting contained a short string of "1"s.
Realtime Communications, an Austin, Texas, Internet service provider which operates the dot.com domain, said the e-mail account listed in the posting is a fictitious one.
"The domain dot.com has only three e-mail addresses, and the address [email protected] has never existed," a spokesman said by e-mail on Sunday. "It is trivial to put a fake e-mail address on a Usenet posting. In fact most people do this as a matter of habit, to prevent their e-mail address being captured by a spammer."
Two news reports Sunday, on the websites of Canada's National Post and Ottawa Citizen, said investigators had discovered the Usenet posting was made from a personal computer in British Columbia that had been infected by the virus.