Conficker Worm Arms Itself To Steal And Spam

The new variant, designated Conficker.E, is arriving through the worm's P2P connectivity.
The new variant, designated Conficker.E, restores the use of the MS08-067 exploit (the Windows Server service vulnerability Microsoft patched in October 2008), which the previous .C variant had dropped. It also carries new self-removal instructions that tell the worm to delete itself from an infected host on May 3, and a slightly different list of Web sites from which to seek further instructions.

Weafer, of Symantec, said the update is arriving through the worm's peer-to-peer connectivity. The update looks for the old .A variant and brings it up to the level of version .C, which includes better HTTP and P2P code, stronger defense mechanisms, and advanced anti-forensic techniques.

It also drops a binary that's part of the Waledac spam malware. "Waledac is about stealing your confidential information and putting back doors on your system," said Weafer.

Weafer said that because P2P updating is slow compared with other methods, it may be several days before the impact of Conficker's changes becomes apparent.

As computer security firms assess the risk posed by the Conficker/Downadup worm, the Department of Homeland Security has released a DHS-developed detection tool to help organizations scan for computers infected by the worm.

The DHS US-CERT team created worm-scanning software for federal and state government agencies, commercial vendors, and critical infrastructure owners. It's being made available through the Government Forum of Incident Response and Security Teams Portal and to private-sector partners through various Information Sharing and Analysis Centers.
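The DHS tool itself is not shown on this page. As an added illustration of the kind of host-side check a responder would run while waiting for it, the following PowerShell triage script is this editor's example, not the US-CERT tool or Symantec's code. It assumes three documented Conficker indicators: the MS08-067 fix is Microsoft hotfix KB958644; Conficker variants stop or disable Windows Update (wuauserv), BITS, Windows Defender (WinDefend), Security Center (wscsvc) and Error Reporting (ERSvc); and the worm blocks DNS resolution of hostnames containing security-vendor strings. The probe hostnames are a constructed list, and the function and variable names are the editor's own.

```powershell
# Added example: local Conficker triage for one Windows host (2009-era PowerShell 2.0).
# Not a cleaner and not the DHS/US-CERT scanner; it only reports indicators.
# Run in an elevated PowerShell session on the host being examined.

function Test-MS08067Patched {
    # KB958644 is the hotfix Microsoft shipped for MS08-067.
    # Caveat: an OS build that already includes the fix (e.g. Windows 7) will not
    # list the KB separately, so a $false here is only conclusive on XP/2003/Vista.
    $fix = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq 'KB958644' }
    return [bool]$fix
}

function Get-TamperedServices {
    # Services Conficker variants are known to stop or set to Disabled.
    $watch = 'wuauserv', 'BITS', 'WinDefend', 'wscsvc', 'ERSvc'
    $hits = @()
    foreach ($name in $watch) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -and ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running')) {
            $hits += "$name (StartMode=$($svc.StartMode), State=$($svc.State))"
        }
    }
    return $hits
}

function Test-SecurityDnsBlocked {
    # Constructed probe list: names containing vendor strings the worm blocks.
    # A control lookup distinguishes "worm blocks vendor names" from "DNS is down".
    $probes  = 'www.symantec.com', 'www.microsoft.com', 'www.mcafee.com'
    $control = 'www.example.com'
    $failed  = @()
    foreach ($h in $probes) {
        try   { [System.Net.Dns]::GetHostAddresses($h) | Out-Null }
        catch { $failed += $h }
    }
    $controlOk = $true
    try   { [System.Net.Dns]::GetHostAddresses($control) | Out-Null }
    catch { $controlOk = $false }
    return @{ Failed = $failed; ControlResolved = $controlOk }
}

function Invoke-ConfickerTriage {
    $dns = Test-SecurityDnsBlocked
    $tampered = Get-TamperedServices
    $result = @{
        MS08067Patched     = Test-MS08067Patched
        TamperedServices   = $tampered
        VendorDnsFailed    = $dns.Failed
        ControlDnsResolved = $dns.ControlResolved
    }
    # Flag the host if protective services were tampered with, or if vendor
    # lookups fail while the control name still resolves.
    $result.Suspicious = ($tampered.Count -gt 0) -or
        ($dns.ControlResolved -and $dns.Failed.Count -ge 2)
    return $result
}

Invoke-ConfickerTriage | Format-List
```

An unpatched host with stopped services and failing vendor lookups is a candidate for isolation and a full scan; a patched host with none of the indicators is not proof of cleanliness, since Conficker.C and .E also close the hole they entered through.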


This story was edited on April 9 to clarify statements made by Symantec.