
Conficker.C. Target Discovery

by admin

A brief description of the new behavior of the virus was published here a few days earlier.
Late Wednesday, Trend Micro spotted a new variant of the Conficker.C worm, which it calls WORM_DOWNAD.E. The previous version of the worm uses its P2P functionality to download an update that displays multiple windows with alerts about non-existent threats, along with annoying pop-ups, until you agree to pay $49.95. The developers' goal is thus finally clear: profit.
Trend Micro threat researcher Paul Ferguson published a list of changes made by the update with some interesting facts.
First, Conficker will stop working on May 3, 2009. During installation, the virus uses a random file name and service name, and once installed it deletes its previous version. It spreads via the MS08-067 vulnerability (which Microsoft has already patched, so updated systems won't be infected) on systems with external IP addresses; if there is no internet connection, it tries to update over the local network. It opens port 5554, advertises itself as an HTTP server, and sends SSDP requests.
It also connects to myspace.com, msn.com, ebay.com, cnn.com, and aol.com.
After launching, it deletes all traces of itself, including files, history, and registry keys.
Ferguson also noted a connection to a domain associated with Waledac (another known virus), goodnewsdigital.com, and an attempt to download an encrypted file named print.exe.
In the most recent activity of infected machines, new Waledac binaries can be seen being downloaded and fake antivirus software being installed.
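The network behaviours listed above (a listener on port 5554, SSDP requests, and connections to myspace.com, msn.com, ebay.com, cnn.com and aol.com) are the kind of indicators a defender can correlate per host. The script below is an added example, not code from the article or from Trend Micro: it parses a constructed, simplified connection log (the `host event detail` format, the sample lines, and the thresholds of two SSDP requests and three of the five domains are all assumptions made for this example) and flags hosts that match more than one indicator. The five domains are legitimate sites, so lookups of them alone prove nothing; the point of the example is that only the combination of a 5554 listener, SSDP traffic and the connectivity-check pattern is worth triaging.

```python
import re
from collections import defaultdict

# Indicators taken from the article text; everything else here is constructed.
CONNECTIVITY_CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}
LISTEN_PORT = 5554
SSDP_MULTICAST = "239.255.255.250:1900"   # standard SSDP multicast address and port

# Constructed sample log in an assumed "<host> <event> <detail> [proto]" format.
SAMPLE_LOG = """\
ws-01 listen tcp/5554
ws-01 connect 239.255.255.250:1900 udp
ws-01 connect 239.255.255.250:1900 udp
ws-01 dns myspace.com
ws-01 dns msn.com
ws-01 dns cnn.com
ws-02 dns cnn.com
ws-02 connect 239.255.255.250:1900 udp
ws-03 listen tcp/80
ws-03 dns ebay.com
ws-03 dns aol.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(listen|connect|dns)\s+(\S+)(?:\s+(\S+))?$")


def parse_events(text):
    """Yield (host, kind, detail, proto) tuples; lines not in the assumed format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4)


def score_hosts(text):
    """Return {host: set of matched indicator names} for every host seen in the log."""
    hosts = set()
    listener = set()
    ssdp_count = defaultdict(int)
    domains_seen = defaultdict(set)

    for host, kind, detail, _proto in parse_events(text):
        hosts.add(host)
        if kind == "listen" and detail == f"tcp/{LISTEN_PORT}":
            listener.add(host)
        elif kind == "connect" and detail == SSDP_MULTICAST:
            ssdp_count[host] += 1
        elif kind == "dns" and detail in CONNECTIVITY_CHECK_DOMAINS:
            domains_seen[host].add(detail)

    result = {}
    for host in hosts:
        indicators = set()
        if host in listener:
            indicators.add("listener_5554")
        if ssdp_count[host] >= 2:            # assumed threshold: repeated SSDP requests
            indicators.add("ssdp_requests")
        if len(domains_seen[host]) >= 3:     # assumed threshold: most of the listed domains
            indicators.add("connectivity_check_domains")
        result[host] = indicators
    return result


def suspicious_hosts(text, min_indicators=2):
    """Hosts that match at least `min_indicators` distinct indicators, sorted by name."""
    return sorted(h for h, ind in score_hosts(text).items() if len(ind) >= min_indicators)


if __name__ == "__main__":
    for host, indicators in sorted(score_hosts(SAMPLE_LOG).items()):
        print(host, sorted(indicators))
    print("triage:", suspicious_hosts(SAMPLE_LOG))
```

In the sample, only ws-01 is flagged: ws-02 has a single SSDP request and one domain lookup, and ws-03 resolves two of the domains but listens on port 80, not 5554. A real deployment would replace the constructed parser with one for the actual firewall, DNS or EDR log format, but the correlation step stays the same.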