There are several variants, and one of the worm's "features" is its capability to spread to other machines via a vulnerability in the Windows Server Service which allows remote code execution. A patch for this was released by Microsoft in October 2008. This patch prevents the worm from propagating further via this vulnerability. The worm also has other spreading mechanisms, such as propagation over Windows shares and through infected USB sticks.
A new "version", W32/Conficker.C, is emerging fast. This version was first discovered in February 2009 and has a number of "improvements" implemented to evade countermeasures. Examples of the new functionality in W32/Conficker.C are:
- An extensive "call home" functionality for connecting to a "Command and Control server" (a command center used to manage the installed worms) for updates and changed payload. More than 50 000 new URLs are generated each day, which makes the "URL blocking" approach to stopping the worm much more challenging.
- It appears in many variants (polymorphic). These variants are generated dynamically by applying polymorphic encryption and compression algorithms.
- The worm disables antivirus and antispyware functionality as well as security services and forensic/system tools like filemon, regmon, wireshark etc.
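The "call home" behaviour in the first item above is why URL blocking fails: the rendezvous domains change faster than any blocklist can follow. What stays constant is the pattern a single host leaves in DNS logs, and that pattern is what a defender can watch for. The following is an added example, not Norman's code and not Conficker's actual domain-generation algorithm (which this page does not describe). It assumes a constructed log format of `timestamp client query rcode` and flags hosts that resolve many distinct, random-looking domains within a short window, most of which do not exist.

```python
"""Heuristic detection of domain-generation ("call home") behaviour in DNS logs.

Added example (not Norman's code, not Conficker's real algorithm). Blocking
individual URLs fails when tens of thousands are generated per day, but the
behaviour itself (one host resolving many never-before-seen, mostly
nonexistent domains in a short time) is visible in ordinary DNS logs.
"""
import math
import re
from collections import defaultdict

# Constructed sample log lines: "<unix_timestamp> <client_ip> <query_name> <rcode>".
# 10.0.0.7 is the constructed "infected" host; the others are normal traffic.
SAMPLE_DNS_LOG = """\
1236211200 10.0.0.5 www.example.com NOERROR
1236211201 10.0.0.5 mail.example.com NOERROR
1236211202 10.0.0.7 qxkfjvzptwh.org NXDOMAIN
1236211203 10.0.0.7 bgtnwlqzrsu.info NXDOMAIN
1236211204 10.0.0.7 mzpkqwvfhtd.net NXDOMAIN
1236211205 10.0.0.7 rtlcvxqjnbe.biz NXDOMAIN
1236211206 10.0.0.7 hwzsklpmqyo.org NXDOMAIN
1236211207 10.0.0.7 cdvbrnxtlsa.com NOERROR
1236211208 10.0.0.5 cdn.example.net NOERROR
1236211209 10.0.0.9 intranet.corp.local NOERROR
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a DNS label.
    Machine-generated labels tend to use many distinct characters and score high;
    dictionary words and brand names score lower."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Return the label just below the TLD (simplified: a real deployment would
    consult a public-suffix list so that e.g. 'example.co.uk' is handled)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Parse the constructed log format into (ts, client, qname, rcode) tuples,
    silently skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            events.append((int(ts), client, qname.lower(), rcode))
    return events


def score_clients(events, window_s=60, min_unique=4, min_entropy=3.0, nx_ratio=0.5):
    """Flag clients that, within any sliding window of window_s seconds, resolve
    at least min_unique distinct high-entropy domains while at least nx_ratio of
    their lookups fail with NXDOMAIN. Thresholds are illustrative assumptions.
    Returns {client_ip: {metric: value}} for flagged clients only."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in events:
        per_client[client].append((ts, qname, rcode))
    flagged = {}
    for client, evs in per_client.items():
        evs.sort()
        for start_ts, _, _ in evs:
            window = [e for e in evs if start_ts <= e[0] < start_ts + window_s]
            domains = {q for _, q, _ in window}
            if len(domains) < min_unique:
                continue
            high_ent = [d for d in domains
                        if label_entropy(second_level_label(d)) >= min_entropy]
            nx = sum(1 for _, _, r in window if r == "NXDOMAIN")
            if len(high_ent) >= min_unique and nx / len(window) >= nx_ratio:
                flagged[client] = {
                    "unique_domains": len(domains),
                    "high_entropy": len(high_ent),
                    "nxdomain_ratio": round(nx / len(window), 2),
                }
                break  # one hit per client is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for client, metrics in score_clients(parse_log(SAMPLE_DNS_LOG)).items():
        print(f"possible call-home activity from {client}: {metrics}")
```

The NXDOMAIN ratio is the stronger of the two signals: a worm that generates candidate domains registers only a handful of them, so most lookups fail, whereas legitimate software rarely produces a burst of failed lookups for unrelated domains. Tune the thresholds against your own baseline before alerting on them, and treat a hit as a lead for host inspection rather than proof of infection.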
How does Norman detect and protect? New signatures for new variants of the worm are added "on the fly". DNA Matching signature protection against several versions is included in Norman's antivirus products.
This worm was first detected by Norman antivirus products on November 27th 2008. Later variants have been added continuously.
To remove the worm and its malicious components completely, it is recommended to use Norman Malware Cleaner. Updates that fix the vulnerabilities are available through the Windows automatic update mechanism on systems that support it. Alternatively, updates may be downloaded from http://windowsupdate.microsoft.com.
Norman advises all affected users to download the security updates as soon as possible to be protected from potential exploits.
To read more about W32/Conficker, go to http://www.norman.com/Virus/Virus_descriptions/54793/
For further information, please contact:
Are Føllesdal Tjønn, CTO, +47 415 39 750
Snorre Fagerland, Senior Virus Analyst, +47 415 39 755
Audun Lødemel, VP Marketing and Business Development, +47 934 46 531
About Norman
Norman ASA, founded in Oslo, Norway in 1984, is a world leader and pioneer in proactive content security solutions and forensic malware tools. Norman offers malware analyzers, network security and endpoint protection solutions to meet customers' security needs. Norman solutions are available through Norman subsidiaries and a network of partners around the world. www.norman.com