But regardless of Sobig-F and the other viruses active last month, September was fairly quiet in the malicious code world. And after August went down in history as the month with the most virus damage, September gave IT managers and anti-virus experts time to regroup and prepare for the next onslaught.
''With August, we had Blaster and Sobig and Nachi,'' says Steven Sundermeier, a vice president with anti-virus company Central Command, Inc., based in Medina, Ohio. ''September gave everyone a chance to catch up. We're all trying to gear up for the next big virus, whether it's the next Sobig or the Son of Blaster. We're absolutely gearing up for the next big outbreak, and September let us do that.''
Two separate anti-virus companies ranked the latest Sobig variant in their infamous lists of the most malicious viruses in the wild.
Central Command put Sobig-F in its Number One spot, noting that accounted for 67.5 percent of all virus attacks last month even though it was only active until Sep. 10. Sophos, Inc., an anti-virus vendor based in Lynnfield, Mass., put Sobig-F in its fourth spot, behind Gibe-F, Dumaru-A and Mimail-A.
''This shows how powerful Sobig-F was,'' says Sundermeier. ''In just the first 10 days of September it accumulated all of these attacks. If it hadn't been deactivated on Sep. 10, you'd see that 67 percent looking more like 80 percent to 90 percent.''
Sobig-F is a mass-mailing worm that also can spread via network shares. Security analysts speculate that the virus caused so much damage because the whole string of Sobig viruses were designed to build on the inroads made by the previous variant. Sobig-E, for example, wormed its way into millions of computers and then left those doors open. Sobig-F went through those already open doors and then went from there.
The author of Sobig-F, designed it so it would die out on Sep. 10. That is leading many security analysts to believe that the next variant in the Sobig family will soon be on its way. And if it builds on the malicious success of Sobig-F, analysts say the damage could be even worse.
The Gibe-C worm, also known as Swen, also caused its share of trouble last month.
Central Command ranked it in second place, noting that Gibe-C accounted for 8.6 percent of all virus attacks last month. Sophos, however, gave the virus its top malicious spot, saying they recorded that it accounted for 23.5 percent of all attacks.
Gibe-C played on computer users' fears by disguising itself as a cumulative security patch sent out by Microsoft. The email closely mirrored Microsoft's site and tricked people into downloading another virus.
While Gibe caused some mayhem, many security analysts have been expecting a huge hit. The next variant of Sobig was widely believed to be coming around the 9/11 anniversary. The next Blaster, often referred to as the Son of Blaster, has been lurking just off center stage. But they didn't hit last month.
Some analysts are wondering if virus writers are lying low, waiting for the crush of attention -- both from IT managers moving quickly to patch their systems, and law enforcement moving to quickly lock up and prosecute malicious authors -- to pass.
''My gut tells me they've kind of gone underground for a time,'' says Dan Woolley, a vice president with Computer Associates. ''The guys out there writing bad code have a lot of heat on them and they've gone underground a little. Maybe they'll stay low till Christmas or the new year. This is just my gut feeling.''
''That may very well be,'' he says. ''Word is getting out that charges will be brought.'' But Sundermeier doesn't think the virus writers will be laying low for long.