Conficker worm continues to rampage

9 Apr 2009

The Conficker virus – otherwise known as the W32.Downadup worm – continues to be active and may actually be linked to one of the most active spambots on the planet.

Symantec Security Response has observed that the W32.Downadup worm continues to be active, and has warned businesses to continue to be cautious.

“On April 8, 2009 we discovered a new sample that is a slightly modified version of the original W32.Downadup worm. The worm previously updated its functionality with the .C variant, which installed on top of the .B variant infections, and we are now seeing the same type of update happening on top of the .A variant infections,” Symantec said in a warning note.

The security software leader said the new sample reintroduces the MS08-067 exploit vector, which was removed in the .C variant. It includes previously unseen self-removal functionality to remove itself from the infected host on May 3, 2009.

The new sample includes a slightly different list of URLs used to obtain the IP address of the infected host, and also reaches out to a new list of high-profile domains to confirm the current date. When reaching out to these domains, the threat is not exploiting any weakness, nor downloading any code.

“We have also observed a possible connection to W32.Waledac, one of the most active spam bots, and have some circumstantial evidence that the two may be linked with W32.Downadup.C distributing W32.Waledac. W32.Waledac steals sensitive information, turns computers into spam zombies and establishes a back door remote access.”

Symantec said this new sample does not appear to include any new infection vectors that might allow the threat to spread faster or onto new machines.

“Symantec Security Response continues to remind users not to be alarmed, but to continue to exercise caution and implement security best practices into their daily routines. These best practices include keeping security patches current, keeping antivirus definitions up to date and being cautious when visiting suspicious websites or opening unexpected emails and email attachments,” the company said.

By John Kennedy

Pictured: Conficker in action