Conficker.C: goal discovered

Original author: Rick C. Hodgin
A brief description of the worm's new behavior was published here a few days earlier.

Late on Wednesday, Trend Micro spotted a new variant of the Conficker.C worm, which it calls WORM_DOWNAD.E. The previous version of the worm uses its P2P functionality to download an update that throws up many alert windows about non-existent threats, plus nagging pop-ups, until you agree to pay $49.95. So the worm's authors have finally revealed their goal: profit.

Trend Micro threat research specialist Paul Ferguson has posted a list of the changes introduced by the update, which contains some interesting details.

Firstly, this version of Conficker shuts itself down on May 3, 2009. During installation the worm uses a random file name and service name, and once installed it removes its previous version. It spreads through the MS08-067 vulnerability (which Microsoft has patched, so up-to-date systems will not be infected) to systems with external IP addresses. If there is no Internet connection, it tries to update over the local network instead. It opens port 5554 and starts acting as an HTTP server, and it sends out SSDP requests.

It also connects to myspace.com, msn.com, ebay.com, cnn.com and aol.com (a connectivity check against well-known sites).
After it has run, it deletes all traces of itself, including files, history, and registry keys.

Ferguson also noted a connection to a Waledac domain (goodnewsdigital.com; Waledac is another well-known piece of malware) and an attempt to download an encrypted file named print.exe.
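The network behaviors listed above (the HTTP server on port 5554, the SSDP requests, the connectivity check against five well-known sites, and the print.exe download from goodnewsdigital.com) are all visible in proxy or flow logs. The following script is an added example, not from the original article or from Trend Micro, that turns them into a per-host triage rule. The log format (timestamp, source IP, protocol, destination, port, URL) and all sample lines are constructed for the demo; the function names `parse_log`, `host_indicators`, `severity` and `assess` are this example's own. Note that contacting msn.com or cnn.com is normal traffic, so the rule only treats the full set of five domains as a signal, and only in combination with one of the worm-specific behaviors.

```python
"""Triage hosts for the WORM_DOWNAD.E network indicators described in the article.

Added example (not the article's or Trend Micro's code). Log format and
sample data are constructed; indicator values come from the article.
"""
from collections import defaultdict

# Indicators from the article
WALEDAC_DOMAIN = "goodnewsdigital.com"
WALEDAC_PAYLOAD = "print.exe"
P2P_HTTP_PORT = 5554          # the worm's own HTTP server
SSDP_PORT = 1900              # UDP port used by SSDP requests
CONNECTIVITY_CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}

# Constructed sample log (not real data): ts src proto dst port url
SAMPLE_LOG = """\
2009-04-09T10:00:01 10.0.0.5 tcp myspace.com 80 http://myspace.com/
2009-04-09T10:00:02 10.0.0.5 tcp msn.com 80 http://msn.com/
2009-04-09T10:00:02 10.0.0.5 tcp ebay.com 80 http://ebay.com/
2009-04-09T10:00:03 10.0.0.5 tcp cnn.com 80 http://cnn.com/
2009-04-09T10:00:03 10.0.0.5 tcp aol.com 80 http://aol.com/
2009-04-09T10:00:10 10.0.0.5 udp 239.255.255.250 1900 -
2009-04-09T10:00:15 10.0.0.7 tcp 10.0.0.5 5554 http://10.0.0.5:5554/
2009-04-09T10:01:00 10.0.0.5 tcp goodnewsdigital.com 80 http://goodnewsdigital.com/print.exe
2009-04-09T10:05:00 10.0.0.9 tcp cnn.com 80 http://cnn.com/news
2009-04-09T10:06:00 10.0.0.9 tcp msn.com 80 http://msn.com/mail
"""


def parse_log(text):
    """Parse whitespace-separated 'ts src proto dst port url' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proto, dst, port, url = line.split()
        records.append({"ts": ts, "src": src, "proto": proto,
                        "dst": dst, "port": int(port), "url": url})
    return records


def host_indicators(records):
    """Return {host: set of indicator names} for every host that shows one."""
    checks = defaultdict(set)   # host -> connectivity-check domains it contacted
    hits = defaultdict(set)
    for r in records:
        src, dst, port = r["src"], r["dst"], r["port"]
        filename = r["url"].rsplit("/", 1)[-1].lower()
        # 1. Download of the encrypted Waledac payload
        if dst == WALEDAC_DOMAIN or filename == WALEDAC_PAYLOAD:
            hits[src].add("waledac_download")
        # 2. TCP/5554: the destination is serving the worm's HTTP update,
        #    the source is fetching it as a peer
        if r["proto"] == "tcp" and port == P2P_HTTP_PORT:
            hits[dst].add("serves_5554")
            hits[src].add("p2p_client_5554")
        # 3. SSDP request from the host
        if r["proto"] == "udp" and port == SSDP_PORT:
            hits[src].add("ssdp_probe")
        # 4. Connectivity check: only the complete set of five counts
        if dst in CONNECTIVITY_CHECK_DOMAINS:
            checks[src].add(dst)
    for host, domains in checks.items():
        if domains == CONNECTIVITY_CHECK_DOMAINS:
            hits[host].add("connectivity_check_all5")
    return hits


def severity(indicators):
    """Map a host's indicator set to a triage level."""
    if {"waledac_download", "serves_5554"} & indicators:
        return "high"       # worm-specific behavior seen directly
    if "connectivity_check_all5" in indicators and \
            {"ssdp_probe", "p2p_client_5554"} & indicators:
        return "medium"     # benign-looking pieces that only co-occur in the worm
    return "low" if indicators else "none"


def assess(log_text):
    """Return {host: (severity, sorted indicator list)} for a log text."""
    hits = host_indicators(parse_log(log_text))
    return {h: (severity(s), sorted(s)) for h, s in hits.items()}


if __name__ == "__main__":
    for host, (level, inds) in sorted(assess(SAMPLE_LOG).items()):
        print(f"{host}: {level} {inds}")
```

On the sample log, 10.0.0.5 is rated high (it serves on 5554, sent SSDP, hit all five check domains and fetched print.exe), 10.0.0.7 is low (it only connected to a peer on 5554, which still makes it worth a look), and 10.0.0.9, which merely browsed cnn.com and msn.com, produces no indicator at all.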

Recent activity on infected machines shows new Waledac binaries being downloaded and a fake antivirus being installed.

[Screenshot: the fake antivirus]
