Thu, 04/30/2009 - 21:15 — Igor Donchenko
Trend Micro discovered a new file sourced by a known Conficker P2P IP node - a new variant of Conficker now known as WORM_DOWNAD.E, indicating that cybercriminals behind the notorious Conficker worm may finally be gearing up for more serious attacks.
Trend Micro threat researchers had been carefully monitoring for signs of Conficker activity and discovered increasing P2P communications from the Conficker peer nodes, believed to be hosted in Korea. The file, found in the Windows Temp folder, was created on April 7, 2009 at 07:41:21 PM, PDT.
The new variant, WORM_DOWNAD.E, runs using a random file name and random service name; it is known to connect to the following sites: myspace.com, msn.com, ebay.com, cnn.com, and aol.com. This also propagates via MS08-067 to external IPs if the Internet is available; however if no connections are found, it uses local IPs.
It spreads through vulnerabilities in the operating systems.
As always, Internet users are urged to install and update their security software to ensure their PCs are protected from Web threats like this that are fast, stealthy and hard-to-detect.