Chicago (IL) – Late Wednesday, TrendMicro observed a new version of the Downad.KK/Conficker.c worm, dubbed Conficker.e. The previous version utilized its built-in P2P functionality to download the update, which then springs to life with fake or rogue antivirus messages warning of non-existent threats, along with annoying pop-ups until you agree to pay it $49.95. Conficker’s authors finally unveil their true intent: Greed.
Paul Ferguson at TrendMicro’s Threat Research division posted a lengthy explanation of the update, along with some interesting factoids.
First, the Conficker worm will stop operating on May 3, 2009. It uses a random filename and random service name when installing. After installing, it deletes its dropped component. It propagates via MS08-067 (which Microsoft has patched, so systems with the update applied will not be affected) to external IP addresses if an Internet connection is available. If not, it tries internal IP addresses on the LAN. It opens port 5114 to act as an HTTP server and announces itself by broadcasting SSDP requests.
It also connects with myspace.com, msn.com, ebay.com, cnn.com and aol.com. And after running, it deletes all records of itself, including all files, registry entries, histories, etc.
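The behaviours listed above (a TCP 5114 listener, SSDP broadcasts, fan-out connection attempts on port 445, and connectivity checks against those five sites) can be correlated per host from connection logs. The following is an added example, not code from TrendMicro or the article; the log format, the indicator weights and the sample records are all constructed for illustration, and the five domains are ordinary sites, so they carry little weight on their own.

```python
import re
from collections import defaultdict
# Constructed sample log (not from the article). One record per line:
# "<timestamp> <src> <dst> <proto> <dst_port> <action>"
SAMPLE_LOG = """\
2009-04-09T22:01:03 10.0.0.15 239.255.255.250 udp 1900 broadcast
2009-04-09T22:01:04 10.0.0.15 0.0.0.0 tcp 5114 listen
2009-04-09T22:01:09 10.0.0.15 198.51.100.7 tcp 445 connect
2009-04-09T22:01:09 10.0.0.15 198.51.100.8 tcp 445 connect
2009-04-09T22:01:09 10.0.0.15 198.51.100.9 tcp 445 connect
2009-04-09T22:01:12 10.0.0.15 myspace.com tcp 80 connect
2009-04-09T22:03:40 10.0.0.22 cnn.com tcp 80 connect
2009-04-09T22:03:41 10.0.0.22 10.0.0.1 tcp 445 connect
"""
CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}
LINE_RE = re.compile(r"^\S+ (\S+) (\S+) (tcp|udp) (\d+) (\w+)$")

def parse_log(text):
    """Yield (src, dst, proto, port, action); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, dst, proto, port, action = m.groups()
            yield src, dst, proto, int(port), action

def score_hosts(text):
    """Map each source host to (score, [indicator names]); weights are a heuristic."""
    listen, ssdp = set(), set()
    smb, domains = defaultdict(set), defaultdict(set)
    for src, dst, proto, port, action in parse_log(text):
        if proto == "tcp" and port == 5114 and action == "listen":
            listen.add(src)            # HTTP server offered on port 5114
        elif proto == "udp" and port == 1900 and dst == "239.255.255.250":
            ssdp.add(src)              # SSDP broadcast announcing it
        elif proto == "tcp" and port == 445 and action == "connect":
            smb[src].add(dst)          # MS08-067 propagation attempts
        elif dst in CHECK_DOMAINS:
            domains[src].add(dst)      # connectivity check against known sites
    scores = {}
    for h in listen | ssdp | set(smb) | set(domains):
        hits = [(n, w) for n, w, ok in (
            ("tcp/5114 listener", 3, h in listen),
            ("ssdp broadcast", 1, h in ssdp),
            ("smb fan-out to 3+ hosts", 3, len(smb[h]) >= 3),
            ("3+ check domains", 1, len(domains[h]) >= 3)) if ok]
        scores[h] = (sum(w for _, w in hits), [n for n, _ in hits])
    return scores

def flagged_hosts(text, threshold=4):
    return sorted(h for h, (s, _) in score_hosts(text).items() if s >= threshold)
```

A single indicator (one 445 connection, one visit to cnn.com) scores too low to flag; only the combination the article describes crosses the threshold.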
Ferguson also observed a connection to a known Waledac (another virus) domain (goodnewsdigital.com), which attempted to download an encrypted file print.exe. He is still determining if there is a Conficker-Waledac connection, though this download may be incidental.
UPDATED: April 12, 2009 – 06:58am CDT
It’s being reported by the Associated Press that more than 700 computers at Salt Lake City’s University of Utah have been infected, including computer systems at three hospitals. The IT staff shut off Internet access for six hours to contain the spread of the virus, and materials on how to remove the infection have been sent to all students and staff. While the authorities warn the worm/virus may obtain login information, or even credit card information, no sensitive medical data was lost when the hospital’s computers were affected. According to spokesman Chris Nelson, “That’s secured in a much deeper way because of the implications.”