New Conficker Variants Add A Few New Tricks

Several top security sites have been warning of thew variants of the Conificker worm also know as the downandup virus. The latest version of the worm has been dubbed W32.Downadup.C or Conficker.c and has been redesigned to circumvent many of the latest techniques used to stop the spread of the virus.

Symantec Corp. has warned that this latest variant uses a new set of tools which is targeting antivirus software and security analysis tools with the aim of disabling them. Any processes found on an infected machine that contain an antivirus or security analysis tool string from the list below are killed:

• wireshark
• unlocker
• tcpview
• sysclean
• scct_
• regmon
• procmon
• procexp
• ms08-06
• mrtstub
• mrt.
• mbsa.
• klwk
• kido
• kb958
• kb890
• hotfix
• gmer
• filemon
• downad
• confick
• avenger
• autoruns

Symantec has also warned that version "C" has bypassed a previous attempt at blocking W32.Downadup.B domain-generation algorithm for communicating. Users can no longer expect protection by simply blocking the sites the worm was allowed to update from. The Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm.

The Conificker worm at one time was estimated to have infected nearly 10million PCs worldwide leading to the formation of a $250k reward for information leading to the viruses creators.

*Update*

Read the latest on the Conficker.C worm:

• Geek-News.Net Conficker April Fool's Joke Or Real Threat?
• PCMag.com - 'Conficker' Worm Wakes Up Overseas, But It's Quiet
  
• InformationWeek - Conficker's April Fools' Day Update Begins With A Yawn
  
• Geek-News.Net - As Expected Conficker Doesn't Live Up To The Hype