News, May 18, 2004

POPLAR BLUFF, Mo. -- Although one employee likened it to winning the lottery, workers at Semo.net won't be receiving any cash for their role in outing a new and previously undiscovered variant of a computer worm. But they did garner the satisfaction of working with the Federal Bureau of Investigation to thwart a public nuisance.

On May 9, Aaron Malone, the mail service administrator for the Poplar Bluff-based regional Internet provider, noticed that several users on the network appeared to be shipping spam to America Online users. After analyzing one of the machines, Malone found that it was sending out 150,000 spam e-mails per hour on its own.

The reason: an apparently malicious code called a zombie Trojan horse.

Hackers use these Trojan horses to hijack other users' connections so the spam can't be traced to its source. Malone and company quickly neutralized the problem by cutting off all traffic from the originating network.

They then isolated the Trojan horse to a single cantankerous file, which they found running on all infected machines. In doing so, they noticed that the file was not being picked up by any of their anti-virus or anti-spyware software. This led them to believe that their culprit had never before been fingered.

On May 10, the IT team contacted both Symantec, an information security company, and the FBI cybercrime unit, sending both disks containing the suspect file. By Wednesday, both had returned confirmation that Semo.net had discovered a new variant of the W32.Ranky worm.

Since receiving that confirmation, Semo.net's security and data systems administrator James Ramsey said, the company has sent their copy of the worm's code to McAfee and other national computer anti-virus companies. Ramsey said the worm's signature will be included on those companies' virus definition updates, helping to protect users worldwide.

"The Internet is so vast, it is very rare that a rural company like us finds something like this," Ramsey said.

He said that in all, Semo.net found 12 machines on its network infected by the worm.

Semo.net provides Internet service throughout Southeast Missouri and has a satellite office in Cape Girardeau.

trehagen@semissourian.com

335-6611, extension 137
