QUOTE: The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. The update may include a keylogger and other code to exfiltrate data. The update is delivered using the P2P mechanism and not the (defunct) web sites.
Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well, at least from our perspective) found are:
-- (Un)Trigger Date – May 3, 2009, it will stop running
-- Runs in random file name and random service name
-- Deletes this dropped component afterwards
-- Propagates via MS08-067 to external IPs if Internet is available; if no connections, uses local IPs
-- Opens port 5114 and serves as an HTTP server, by broadcasting via SSDP request
-- Connects to the following sites: Myspace.com, msn.com, ebay.com, cnn.com, aol.com
-- It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries, etc.