New Conficker Variant Not Fooling Around
Published: March 11 2009, 10:54 PM by Zarestel Ferrer
One piece of malware we’ve been monitoring since late last week is a new Conficker (AKA Downadup) variant.
This worm, detected as Win32/Conficker.C, is getting ready for April Fool’s Day on 1 April, although it definitely won’t be fooling around. On that day, Conficker.C will commence its attempt to generate 50,000 URLs daily and try to access (download or report back to) 500 of them. It is a clever strategy, but the security industry is certainly on the lookout.
The snippet of code below shows the malware’s date check:

This current variant, unlike its predecessors Conficker.A and Conficker.B, may not light a fire under your intrusion detection systems because it has lost some of its former spreading functionality. However, Conficker.C does include a new behavior – the ability to terminate tools used to monitor and remove Conficker from affected systems. For example, as illustrated below, it can terminate Process Explorer among others:

Please stay informed and aware of this new malware. You can find a full behavioral analysis for Win32/Conficker.C in our encyclopedia:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976
CA ISBU is monitoring this threat and will publish reports on information gathered as we receive and process it.
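A defender-side check for the daily contact pattern described above (up to 500 generated names tried per day), as an added example that is not from the original post or from CA: it counts distinct non-baseline domains per client per day in DNS query logs. The log format, the threshold, the baseline set and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: the post gives 500 contact attempts per day; alert well below
# that so partial-day logs still trip. Tune against your own baseline.
DISTINCT_DOMAIN_THRESHOLD = 100

# Assumption: domains this network is already known to use (constructed).
BASELINE = {"intranet.example", "mail.example", "updates.example"}


def parse_line(line):
    """Parse 'ISO-timestamp client-ip qname' (constructed log format)."""
    ts, client, qname = line.split()
    day = datetime.fromisoformat(ts).date().isoformat()
    return day, client, qname.lower().rstrip(".")


def flag_fanout_clients(lines, baseline=BASELINE,
                        threshold=DISTINCT_DOMAIN_THRESHOLD):
    """Return {(day, client): n} where n distinct non-baseline names > threshold."""
    seen = defaultdict(set)
    for line in lines:
        try:
            day, client, qname = parse_line(line)
        except ValueError:
            continue  # blank or malformed line: skip, do not abort the scan
        if qname not in baseline:
            seen[(day, client)].add(qname)
    return {key: len(names) for key, names in seen.items()
            if len(names) > threshold}


def build_sample_log():
    """Constructed sample: one noisy client, one normal client, one bad line."""
    lines = [f"2009-04-01T{i // 60:02d}:{i % 60:02d}:00 10.0.0.5 name{i:04d}.example"
             for i in range(500)]
    lines += ["2009-04-01T09:00:00 10.0.0.9 intranet.example"] * 300
    lines += ["2009-04-01T09:05:00 10.0.0.9 Mail.Example.", "not a log line"]
    return lines


if __name__ == "__main__":
    for (day, client), n in flag_fanout_clients(build_sample_log()).items():
        print(f"{day} {client}: {n} distinct non-baseline domains")
```

A client that repeats a small set of known names stays under the threshold no matter how many queries it sends, because only distinct non-baseline names are counted.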