Sophos experts have advised network and system administrators that they can take immediate action to prevent the W32/Sobig-F worm from downloading a potentially malicious update from the internet.

The worm contains a list of encrypted IP addresses inside its code, which the Sobig-F infected computers use to signal their availabilty for an update. Infected computers will communicate with the IP addresses on UDP port 8998. They will also be listening on UDP ports 995-999 - perhaps in readiness for the updates to arrive.
The list ip IP's is here