30 March 2009, 14:55

Conficker worm reloads - maybe

On the 1st of April, Conficker.C will start searching the web for updates. However an "outbreak of the computer virus" isn't to be expected, much less a new wave of viruses, as reported by some of the media. Some Windows PCs that have already been infected will activate Conficker's update routine – and that's all.

Anti-virus experts estimate that several million PCs around the world are now infected with Conficker. Conficker.C is only one of the three known versions of the worm, the most widespread being Conficker.B. It has already been trying to download updates for some time from the new domains that it has been creating (at the rate of 250 a day). An operation led by Microsoft and ICANN has identified the algorithm being used and these domains are either being monitoring or blocked.

By way of a riposte, the authors of the worm have further raised the ante with Conficker.C by vastly increasing the rate to 50,000 new domains every day. The worm randomly accesses 500 of these to check whether an update is available. Although this algorithm too has already been cracked, registering 50,000 domains every day is beyond the capacities of the anti-Conficker activists.

A question that naturally arises is, what will Conficker.C find on the servers? The honest answer is, no one knows, but there are some indications that nothing at all will happen on the 1st of April. The anti-virus experts at F-Secure, for instance, point out in their FAQs that any planned update could just as well happen on the 5th of April, when everyone's guard has dropped again. What an update could do then is at present, a matter of pure speculation.

The services pages at The H Security are packed with information about dealing with viruses, worms and taking measures to protect against infections. Several sources also now offering special tools to remove the different varieties of the Conficker worm.

(Ju)

See also: