Aug. 22 (Bloomberg) -- The next wave of the ``Sobig'' computer worm, the fastest spreading e-mail virus ever, so far has failed to unleash the new flood of messages that some security companies expected. The Federal Bureau of Investigation has begun a probe to find out who created the worm.
``Of the 20 servers identified to be used for the attack, 16 are down, four are not responding and one is responding and directing traffic to a porn site,'' Symantec Corp., the world's largest seller of anti-virus software, said in a statement.
Sobig, which has sent almost 100 million junk e-mails since its discovery this week, has infected networks of FedEx Corp., Starbucks Corp. and AOL Time Warner Inc., and the states of New Jersey, Pennsylvania and North Carolina.
The virus was expected to use infected computers to run a program with unknown consequences at 3 p.m. New York time, according to Mikko Hypponen, head of virus research at F-Secure Oyj. Sobig was supposed to connect to 20 server computers in the U.S. and Canada and prompt them to send a Web address to infected personal computers worldwide that would in turn retrieve a program from the address and run it.
Computer-security experts have been working since Monday to eradicate Sobig, which sends junk e-mails to home and business computers. Sobig has hit home users harder than corporations, most of which are able to afford the latest anti-virus software and to hire companies to fight the virus.
New York Times
The New York Times Co. said computers at its offices in New York City ``experienced difficulties'' shortly after noon today. The company, which said its newspaper will publish tomorrow, declined to comment on the scope of the computer malfunctions or to say for certain that Sobig was the cause.
Yesterday, the virus reached computers at National Public Radio. Employees have been told to avoid downloading material from Web-based e-mail programs, said Jenny Lawhorn, an NPR spokeswoman. NPR also has had difficulty keeping the Web site updated because of the worm, she said.
The New York Stock Exchange, which hasn't experienced any problems with Sobig, has prepared for any problems that may come from the worm later today, said spokesman Richard Adamonis. He wouldn't elaborate.
``We are restricting access to certain Web sites, such as Yahoo mail and Hotmail, and external sites like those where the virus might be found,'' said Melissa Fox, a spokeswoman for the Nasdaq Stock Market.
Anti-virus software has blocked 64,000 virus-carrying spam e-mails sent to Nasdaq.com addresses, Fox said.
Different Operators
F-Secure said it has cracked the code, allowing it to start looking for the 20 servers, and is working with the FBI and other government agencies to disconnect the machines from the Internet.
The servers are connected to different operators' networks, making it unlikely that all of them will be disconnected in time. So far, Internet service providers have confirmed that half of the computers have been disconnected, Hypponen said.
``Even one of them up and running at 8 p.m. (London time) will be enough,'' he said.
F-Secure discovered a ``new routine'' in the Sobig worm that may let it connect to another list of computers, Hypponen added. If that's the case, investigators may have been chasing the wrong servers, he said.
``It is certainly devious on the part of the creator,'' said Mark Sunner, chief technology officer of MessageLabs Inc., a New York-based computer-security company whose clients include the Federal Reserve.
FBI Probe
Analyzing the code will help the FBI catch the people behind Sobig, Murray said. The probe is being led by the FBI field office in New Haven, Connecticut, he said. Figuring out who started it will be difficult because the agency will have to find out where the virus originated, computer-security experts say.
``I can count the total number of virus writers who have been caught on my fingers,'' said Chris Belthoff, senior security analyst at Sophos Inc., a closely held computer-security company based in Lynnfield, Massachusetts.
Experts say computer users need to be careful about downloading e-mail attachments because of Sobig. Companies and individuals also need to make sure that their anti-virus software is up to date before any new Sobig attack begins.
``It's not something to be complacent about,'' said Ian Hameroff, security strategist at software maker Computer Associates International Inc. ``We could see slowdowns in traffic.''
Windows Users
So far, Sobig has been more of an annoyance than a threat.
``My biggest problem is that most of the mail sent overnight doesn't reach me because my mailbox reaches its limit while I sleep and bounces legitimate messages back to senders,'' said Jim Romenesko, who runs a media news website, in an e-mail yesterday. ``I've been deleting well over 1,000 of the Sobig emails daily.''
The worm affects computers running Microsoft's Windows operating system, which powers more than 90 percent of all PCs.
``All week, we've seen an incredibly high number of worms running on the Internet, and the filters that we have have been very busy,'' said Dave Johnson, a spokesman for AT&T Corp., which operates one of the biggest Internet networks.
Shares of Cupertino, California-based Symantec rose $1.52 to $54.74 at 4 p.m. New York time in Nasdaq trading. Rival Network Associates Inc. fell 7 cents to $13.18 on the NYSE. Computer Associates fell 15 cents to $25.
Last Updated: August 22, 2003 16:19 EDT
