Conficker now definitely downloading updates
Trend Micro reports that the Conficker.C (or Downad) worm has now indeed begun to download updates – not, however, from the web sites that many have been watching, but through its peer-to-peer function. The experts say they stumbled on this while observing the Windows Temp folder and the network traffic on an infected system. In contrast to Conficker.A and .B, the .C version can establish a P2P network with other infected systems and use it to download further programs and receive commands. Trend Micro says this P2P operation is now going full blast.
In the case under investigation, the system fetched its encrypted update from a P2P node in Korea and installed it. That transformed the worm into the .E variant, which displays new characteristics. Among other things, it attempts to wipe all its tracks from a system by deleting previous registry entries and from then on using random file names and service names. The worm also opens port 5114 and listens out for connection requests with an inbuilt HTTP server. Finally, it connects up to the myspace.com, msn.com, ebay.com, cnn.com and aol.com domains to test whether it has a connection with the internet.
The worm is reported still to be spreading only through the Windows security vulnerability. BitDefender says the new variant is blocking access not only to BitDefender's antivirus web sites, but also to recently announced sites offering tools to remove previous versions of the Conficker worm, including BitDefender's tool page (http://bdtools.net) and internet sites of other providers.
Analyses reportedly show that the latest version of Downad/Conficker will disable itself on 3 May 2009. Whether it will collect a new update before then is unclear. Virus specialists have also observed occasional connections to domains associated with the Waledac botnet. Symantec has made similar observations. One file downloaded by Conficker (484528750.exe) is said to have contained the Waledac bot. So far, however, neither Trend Micro not Symantec wishes to say any more about the connection between Conficker and Waledac.
An overview page giving the main information about the Conficker Windows worm is available at The H, giving links to tests that can diagnose an infection, including a simplified test by The H and heise Security. It also lists cleaning tools and network scanners and summarises The H's most important news reports about Conficker, beginning with the report for the Microsoft Patch Tuesday on which the security vulnerability used by Conficker first became known.