It’s been in the news recently, and we’ve talked about it here in previous posts and newsletters. The Conficker worm came to life yesterday according to TrendLabs, Trend Micro’s blog. It apparently downloads a file from other infected machines via P2P, similar to how file and music sharing services like Limewire work. From the TrendLabs blog:
Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well at least in our perspective) found are:
- (Un)Trigger Date – May 3, 2009, it will stop running
- Runs in random file name and random service name
- Deletes this dropped component afterwards
- Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
- Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request
- Connects to the following sites:
- Myspace.com
- msn.com
- ebay.com
- cnn.com
- aol.com
It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc.
Read more: DOWNAD/Conficker Watch: New Variant in The Mix? - http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/#ixzz0CBXDoaOb
Recent Comments