Peaches
Posted April 9, 2009

9 April 2009, 13:11

Conficker now definitely downloading updates

Trend Micro reports that the Conficker.C (or Downad) worm has now indeed begun to download updates – not, however, from the web sites that many have been watching, but through its peer-to-peer function. The experts say they stumbled on this while observing the Windows Temp folder and the network traffic on an infected system. In contrast to Conficker.A and .B, the .C version can establish a P2P network with other infected systems and use it to download further programs and receive commands. Trend Micro says this P2P operation is now going full blast.

In the case under investigation, the system fetched its encrypted update from a P2P node in Korea and installed it. That transformed the worm into the .E variant, which displays new characteristics. Among other things, it attempts to wipe all its tracks from a system by deleting previous registry entries and from then on using random file names and service names. The worm also opens port 5114 and listens out for connection requests with an inbuilt HTTP server. Finally, it connects up to the myspace.com, msn.com, ebay.com, cnn.com and aol.com domains to test whether it has a connection with the internet.

Full story at Heise Security - http://tinyurl.com/cehajh
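The two network indicators named in the post above (a listener on port 5114 and lookups of the five connectivity-test domains) can be checked for in host and DNS data. This is an added example, not part of the original post or of Trend Micro's analysis; the `netstat -ano` text, the DNS log line format, the 60-second window and the assumption that the connectivity test produces DNS lookups are all constructed for illustration, and since the five sites are popular the DNS match is only a weak signal on its own.

```python
import re
from datetime import datetime, timedelta

# Indicators from the post; log formats and the 60 s window are assumptions.
LISTEN_PORT = 5114
PROBE_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}
NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)

def listeners_on_port(netstat_text, port=LISTEN_PORT):
    """Return (local_address, pid) for TCP listeners on `port` in `netstat -ano` text."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m and int(m.group(2)) == port:
            hits.append((m.group(1), int(m.group(3))))
    return hits

def hosts_probing_all(dns_lines, window=timedelta(seconds=60)):
    """Clients that looked up every PROBE_DOMAINS name within `window`.
    Constructed line format, in time order: '<ISO time> <client ip> <name>'."""
    seen, flagged = {}, set()
    for line in dns_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that are not in the assumed format
        when = datetime.fromisoformat(parts[0])
        name = parts[2].lower().rstrip(".")
        domain = next((d for d in PROBE_DOMAINS
                       if name == d or name.endswith("." + d)), None)
        if domain is None:
            continue
        latest = seen.setdefault(parts[1], {})  # client -> {domain: last lookup}
        latest[domain] = when
        times = latest.values()
        if len(latest) == len(PROBE_DOMAINS) and max(times) - min(times) <= window:
            flagged.add(parts[1])
    return sorted(flagged)

# Constructed sample data (not captured from a real system).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:5114           0.0.0.0:0              LISTENING       1044
  TCP    10.0.0.5:51140         10.0.0.9:445           ESTABLISHED     4
"""
SAMPLE_DNS = [f"2009-04-09T13:11:0{i} 10.0.0.5 {d}" for i, d in enumerate(
    ["www.myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com."])]
SAMPLE_DNS.append("2009-04-09T13:11:09 10.0.0.7 cnn.com")
```

A host that shows up in both results deserves a closer look; the PID from the netstat row identifies the process that owns the listener.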
Peaches
Posted April 9, 2009

What to do if your computer is infected with Conficker

Conficker has a feature that prevents a user on an infected machine from accessing a security site to get a fix tool. To get around that, Symantec recommends doing the following:

Go to Command Prompt and type "net stop dnscache", which disables the DNS cache. You will get a message that the DNS client service is stopped. You can now proceed to access the security website or download the fix tool.