Conficker Active – Update April 9

This post was written by admin on April 9, 2009
Posted Under: Conficker, Free PC Security

Update May: Click here for Free Conficker Removal Tool for PCs and Networks

Conficker has become active and has been steadily downloading a new variant before removing traces of the original worm.

The Conficker worm is finally active. A new variant of Downad/Conficker, called WORM_DOWNAD.E, is spreading over the peer-to-peer network between computers infected with the previous version of this now infamous worm, and it is dropping a mystery payload on the infected computers.

The software that is dropped onto computers hides behind a rootkit and appears to be a .sys component. It is said to be heavily encrypted, which will hinder analysis.

It also installs malicious programs such as 'Spyware Protect 2009', a fake application that will add to users' problems.

The screenshots show that this rogue has been renamed and that alterations have been made to its design since the original appeared around 12/04/08.

The worm attempts to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com to test for internet connectivity, then deletes all traces of itself on infected machines, and is apparently set to shut itself down on May 3rd.

This means there will be no further replication of the worm, but infected computers could still be remotely controlled as part of a huge 'bot network' via Downad.E and the other malware it downloads. The purpose of all this still remains unclear.

With the newly added propagation method, Conficker is known to communicate with servers associated with the Waledac family; the worm attempts to access a known Waledac domain and download another encrypted file.

The new component is being downloaded in a staggered manner rather than as a stampede, which means the sites that infected machines visit will notice no disruption to their service.

Researchers have noticed a new file in the Windows Temp folder and a TCP response from a known Conficker P2P node hosted in Korea.

It would appear that the P2P communication method has been used to serve an update and is now up and running.

Researchers believe that what they are now seeing is a new component of Conficker and not a new variant.

April 1st was the 'trigger' date for the worm to become active, which it did, although very quietly. Infected machines would have had their security programs disabled and would also be unable to access security websites.

Estimates are that it has infected between 3 million and 12 million computers worldwide.

To check for infection, use either the visual test here at the Conficker Eye Chart or the site set up at the University of Bonn.

The images below are what users would see using a clean machine that is not infected. Click images to go directly to the sites.
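The eye-chart test works because an infected machine can reach ordinary sites but is blocked from reaching security vendors' sites. The script below is an added example, not the Eye Chart's or the University of Bonn's own code, that applies the same reading logic from the command line: it probes a set of control sites (the ones the post says the worm itself uses for its connectivity test) and a set of security-vendor URLs, which are placeholders here and must be substituted, then reports clean, likely infected, suspicious, or inconclusive when nothing loads at all.

```python
"""Eye-chart style Conficker check: compare reachability of security-vendor
sites against ordinary control sites. Site lists are assumptions, not the
Eye Chart's own list."""
import socket
import urllib.error
import urllib.request

# Assumed control sites: the post names these as the sites the worm uses to
# test connectivity, so they make a reasonable "should load" baseline.
CONTROL_SITES = ["http://www.msn.com/", "http://www.cnn.com/", "http://www.aol.com/"]
# Constructed placeholder vendor URLs; replace with the vendor sites you want to probe.
SECURITY_SITES = ["http://vendor-a.example/", "http://vendor-b.example/",
                  "http://vendor-c.example/"]


def reachable(url, timeout=5.0):
    """True if the host answers HTTP at all (any status), False on DNS/connect failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "eye-chart-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status is not None
    except urllib.error.HTTPError:
        return True  # server replied (4xx/5xx): the site is not being blocked
    except (urllib.error.URLError, socket.timeout, OSError):
        return False


def classify(control, security):
    """Read the results the way the visual chart is read.
    control / security: dict url -> bool, True if the site loaded."""
    ctrl_ok = sum(control.values())
    sec_ok = sum(security.values())
    if sec_ok == len(security):
        return "clean: security sites load normally"
    if ctrl_ok == 0:
        return "inconclusive: no internet connectivity at all"
    if sec_ok == 0:
        return "likely infected: security sites blocked while control sites load"
    return "suspicious: some security sites blocked, investigate"


def run_check(probe=reachable):
    """Probe both lists and classify; probe is injectable for offline use."""
    control = {u: probe(u) for u in CONTROL_SITES}
    security = {u: probe(u) for u in SECURITY_SITES}
    return classify(control, security)


if __name__ == "__main__":
    print(run_check())
```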

University of Bonn Check - Click image to go to site

Conficker Eye Chart - Click image to go directly to the site

Click here for Removal Tools

Also read this article on Techjaws

Related Posts:
Conficker Removal - February
Conficker C - March 26
Conficker C: - Update April 1
Conficker Updates April 2nd & 3rd
