Conficker #3: It’s Y2K all over again, perhaps

Chicago (IL) – The third variant of the Conficker worm was set to strike today, but to general surprise, humanity still exists. Will Conficker-C, despite the dramatic warnings, be as harmless as the Y2K switch more than nine years ago?

You knew it was coming. The third release of Conficker-C had to be an April Fool’s joke. A post on F-Secure’s website from earlier today says it all: “So it’s been April 1st for almost 18 hours now in New Zealand and it’s the early hours of April 1st on the east coast of the United States. So what’s going on? So far – nothing.”

So, we and our computers are apparently still alive, and there have been virtually no reports of disaster. All we have right now is a lot of head-scratching and confusion about what may have happened, along with April Fool’s jokes surrounding possible Conficker-C infections, including advice to use environmentally friendly sprays to clean the worm from the hard drive. Of course, cautious users know that the code may already be on a lot of computers, sleeping and waiting until it is activated.
   
“The (malicious) hackers can tell their worm to do something any day of the year; they’re just as likely to do it tomorrow or next Wednesday or in August,” Graham Cluley of security software firm Sophos told Cnet. The April 1 message in the Conficker-C code may have been overrated in the end. “This was such an invisible change inside the code. It was inconsequential to the infected computer that maybe (the creators) didn’t think there would be such a frenzy,” Cluley said. So, perhaps, Conficker-C may be the most successful April 1 story today.

Still, the potential threat of the third Conficker worm should not be taken lightly. According to security software company CA, Conficker-C is a substantial improvement over the first two versions of the worm and is much more sophisticated in the way it plants itself on user computers. The firm said that this latest version has lost some of its spreading functionality but may not trigger a reaction from security software as it terminates tools used to monitor and remove Conficker from affected systems. For example, it can terminate Process Explorer.

The payload does not cause immediate damage to files, but the worm is set for future action when called upon. It modifies and lowers Windows security settings, deletes system restore points, disables certain services such as Windows Defender and Error Reporting Service, terminates 23 security-related services, blocks access to 71 websites of security software developers and is prepared to download arbitrary files from a range of websites.