4 Replies Latest reply on Apr 10, 2009 8:43 AM by HarryWaldron

    Conficker.E - P2P Updates Have Started for new variant

      Trend is calling the latest variant Conficker "E". As expected, it's updating using P2P techniques rather than the 50,000 websites that the CWG has been deactivating.

      Conficker.E - P2P Updates Have Started for new variant
      http://blogs.zdnet.com/BTL/?p=16082
      http://isc.sans.org/diary.html?storyid=6157
      http://news.cnet.com/8301-1009_3-10215678-83.html

      QUOTE: The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. The update may include a keylogger and other code to exfiltrate data. The update is delivered using the P2P mechanism and not the (defunct) web sites.

      Conficker.E - Trend Micro Information
      http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/
      http://blog.trendmicro.com/a-look-inside-conficker-p2p-traffic/

      Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well, at least from our perspective) found are:

      -- (Un)Trigger Date – May 3, 2009: it will stop running
      -- Runs with a random file name and random service name
      -- Deletes this dropped component afterwards
      -- Propagates via MS08-067 to external IPs if Internet is available; if there are no connections, uses local IPs
      -- Opens port 5114 and serves as an HTTP server, broadcasting via SSDP request
      -- Connects to the following sites: Myspace.com, msn.com, ebay.com, cnn.com, aol.com
      -- It also does not leave a trace of itself on the host machine. It runs and deletes all traces: no files, no registry entries, etc.
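As an added defender's example (not from this post or from Trend Micro), the script below correlates the behaviours listed above over constructed connection-log lines: an accepted inbound connection on TCP 5114, SSDP M-SEARCH to 239.255.255.250:1900, and SYNs to TCP 445 on several distinct targets. The log format, tag names, host names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample lines, not a real capture: "ts host proto src -> dst tag"
SAMPLE_LOG = """\
2009-04-08T10:01:02 hostA tcp 10.0.0.5:5114 -> 10.0.0.9:51022 LISTEN_ACCEPT
2009-04-08T10:01:03 hostA udp 10.0.0.5:49152 -> 239.255.255.250:1900 SSDP_MSEARCH
2009-04-08T10:01:05 hostA tcp 10.0.0.5:49153 -> 203.0.113.7:445 SYN
2009-04-08T10:01:06 hostA tcp 10.0.0.5:49154 -> 203.0.113.8:445 SYN
2009-04-08T10:02:00 hostB udp 10.0.0.6:49160 -> 239.255.255.250:1900 SSDP_MSEARCH
2009-04-08T10:02:10 hostC tcp 10.0.0.7:49170 -> 10.0.0.20:445 SYN
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proto>tcp|udp) (?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
                     r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<tag>\S+)$")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    return rec

def score_hosts(log_text, scan_threshold=2):
    """Map each host to the sorted list of Conficker.E behaviours observed for it."""
    indicators, smb_targets = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"]
        indicators[host]  # register the host even if nothing matches
        # Accepted inbound connection on TCP 5114: the worm's HTTP update listener
        if rec["proto"] == "tcp" and rec["src_port"] == 5114 and rec["tag"] == "LISTEN_ACCEPT":
            indicators[host].add("http_5114_listener")
        # SSDP M-SEARCH to the multicast group: benign UPnP on its own, telling beside the listener
        if rec["proto"] == "udp" and rec["dst_ip"] == "239.255.255.250" and rec["dst_port"] == 1900:
            indicators[host].add("ssdp_broadcast")
        # MS08-067 propagation shows up as SYNs to TCP 445 on many distinct targets
        if rec["proto"] == "tcp" and rec["dst_port"] == 445:
            smb_targets[host].add(rec["dst_ip"])
    for host, targets in smb_targets.items():
        if len(targets) >= scan_threshold:
            indicators[host].add("smb445_scan")
    return {host: sorted(found) for host, found in indicators.items()}

def suspicious_hosts(log_text, min_indicators=2):
    # Hosts showing at least min_indicators distinct behaviours, strongest first
    scores = score_hosts(log_text)
    hits = [h for h, found in scores.items() if len(found) >= min_indicators]
    return sorted(hits, key=lambda h: (-len(scores[h]), h))
```

Requiring two independent behaviours keeps ordinary UPnP discovery (hostB) and a single SMB connection (hostC) from raising an alert on their own.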