Conficker worm has been active

Saturday, April 11, 2009


Trend Micro said the purpose of the mysterious update, sent to other infected machines using peer-to-peer (P2P) file transfer software, was not immediately clear.

Ivan Macalintal, a Trend Micro advanced threats researcher, said Conficker began showing activity on Tuesday, nearly a week after the expected April 1 activation date that had computer security experts on alert around the world.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update," Macalintal wrote in a post late Wednesday on the TrendLabs Malware blog. "The Conficker/Downad P2P communications is now running in full swing!"

Macalintal said the worm was connecting to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com to detect whether a host computer is connected to the Web.

After performing the test, it deletes any traces of itself in the infected machine, he said, adding that it is scheduled to stop running the test on May 3.

"It runs and deletes all traces, no files, no registries etc," he said.

The worm remains present on an infected machine, however, and could be activated at a later date.

Trend Micro is monitoring the worm on an infected computer as part of the Conficker Working Group of security experts.

A task force assembled by Microsoft has been working to stamp out Conficker, also referred to as DownAdUp, and the software colossus has placed a bounty of 250,000 dollars on the heads of those responsible for the threat.

The worm, a self-replicating program, takes advantage of networks or computers that haven't kept up to date with security patches for Windows.

It can infect machines from the Internet or by hiding on USB memory sticks carrying data from one computer to another.

Conficker could be triggered to steal data or turn control of infected computers over to hackers amassing "zombie" machines into "botnet" armies.

Microsoft has modified its free Malicious Software Removal Tool to detect and remove Conficker. Security firms, including Trend Micro, Symantec and F-Secure, provide Conficker removal services at their websites.

The tell-tale signs that a computer is infected include the worm blocking efforts to connect to the websites of security firms that provide online tools for removing the virus.
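The blocking behaviour described above suggests a simple host check: compare whether ordinary sites resolve while security vendor sites do not. The following is an added example, not code from the article or from any of the vendors named in it; the control list reuses the sites the article says the worm itself probes, and the security vendor list is an assumption chosen from the firms the article mentions.

```python
import socket
from typing import Dict, Iterable

# Sites the article says the worm contacts to test Internet connectivity;
# they serve here as controls that should resolve on any online host.
CONTROL_SITES = ["myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"]
# Assumed list of security vendor sites (firms named in the article); an
# infected host is expected to fail to reach such sites.
SECURITY_SITES = ["trendmicro.com", "symantec.com", "f-secure.com", "microsoft.com"]


def resolves(host: str) -> bool:
    """Return True if the name resolves through the host's local resolver."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def assess(results: Dict[str, bool],
           control: Iterable[str] = CONTROL_SITES,
           security: Iterable[str] = SECURITY_SITES) -> str:
    """Classify a set of name-resolution results.

    'offline'    : nothing resolves, so no conclusion can be drawn
    'suspicious' : control sites resolve but no security site does
    'mixed'      : some security sites fail; likely transient, re-check
    'clean'      : every security site resolves
    """
    control_ok = [h for h in control if results.get(h, False)]
    security_ok = [h for h in security if results.get(h, False)]
    security_all = list(security)
    if not control_ok and not security_ok:
        return "offline"
    if control_ok and not security_ok:
        return "suspicious"
    if len(security_ok) < len(security_all):
        return "mixed"
    return "clean"


def probe_and_assess() -> str:
    """Run the live check on this host and classify the outcome."""
    results = {h: resolves(h) for h in CONTROL_SITES + SECURITY_SITES}
    return assess(results)


if __name__ == "__main__":
    # Constructed sample reproducing the pattern an infected host would show.
    sample = {h: True for h in CONTROL_SITES}
    sample.update({h: False for h in SECURITY_SITES})
    print(assess(sample))  # suspicious
```

Run `probe_and_assess()` on a host you suspect; a "suspicious" result is a reason to scan with an offline removal tool, not proof of infection on its own.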

source: ph.news.yahoo.com

Related post:
Free download Conficker worm/Downadup worm removal tool
New security tool for Conficker worm/DownAdUP detection