A week after the Conficker.C (Worm) update algorithm became active, infected machines updated themselves to Conficker.E. However, the update came through Peer-to-Peer channels, not through the web control domains!
The new variant is an executable EXE file unlike previous variants that were DLLs. It's also known as WORM_DOWNAD.E (Trend), W32.Downadup.E (Symantec). The new variant has following characteristics:
- Spreads by exploiting MS08-067 vulnerability, infecting USB devices, and via weak network shares.
- It has a self-destruct trigger set for May 3, 2009 when it will deactivate and remove itself.
- It attempts to connect to the following domains to determine the victim machine's IP address:
- It also attempts to connect to the following web sites:
- It listens on TCP port 5453 and broadcasts the service by sending SSDP discover requests.
- It does not generate 50,000 domains per day unlike previous variant. In fact, it doesn't appear to contact any of the control domains via HTTP. It can still be controlled via P2P.
- It deletes the original dropped file and removes any file system/registry traces from the infected machine.
The infected machines were also instructed via Conficker P2P network to:
- Download hxxp://goodnewsdigitalXXXX.com/XXXX.exe, which is an encrypted copy of a Waledac Trojan. SonicWALL GAV detects the Trojan as GAV: Suspicious#waledac.10 (Worm) and the drive-by site component as GAV: Waledac#html (Trojan). More information related to Waledac Trojan could be found in our SonicAlerts archive.
- Download rogue antivirus program - Spyware Protect 2009 from spy-protect-2009XX.com, spywrprotect-2009XX.com, or spywareprotector-2009XX.com. The software finds non-existent threats and offers to remove them for $49.95. SonicWALL GAV detects this rogue anti-virus program as GAV: SpywareProtect2009_3 (Trojan).
SonicWALL UTM research team is monitoring the situation and releasing GAV signatures for Conficker variants as soon as they are discovered. SonicWALL Gateway AntiVirus provides protection against Conficker.E with GAV: Conficker.E (Worm) signature.
Below is the screenshot of the Rogue AV site that was still active at the time of writing this article:
There are over 3 million computers infected with Conficker worm variants. Below are the hits on our generic signature: