Chicago (IL) – The third Conficker/Downadup worm, which hit computers on April 1, was almost a disappointment given the excitement that had built up in the weeks before. Those expectations were followed by a lot of nothing, but it now seems that the malware has been quietly activated and has downloaded what security firm TrendMicro describes as yet another variant of the worm, now called WORM_DOWNAD.E.
TrendMicro said that Conficker apparently created a new file with a size of 119,296 bytes in the Windows Temp folder. That file did not arrive via an HTTP download, but through an encrypted 134,880-byte TCP response from a known Conficker node that the company believes is located somewhere in Korea. The new file is believed to be a new Conficker variant – WORM_DOWNAD.E.
TrendMicro said that this new variant will stop running on May 3, 2009. It runs under a random file name and a random service name, deletes the dropped component afterwards, and spreads using the vulnerability described in Microsoft security bulletin MS08-067.
According to the company, the new worm opens port 5114 and acts as an HTTP server, announcing itself by broadcasting an SSDP request; it then tries to connect to Myspace.com, msn.com, ebay.com, cnn.com and aol.com.
Like previous versions, it does not leave a trace of itself on the host machine: it runs and then deletes all traces, leaving neither files nor registry entries behind, TrendMicro said.
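The network behaviour reported above (a listener on port 5114, an SSDP broadcast, and connectivity checks to the five listed domains) can be turned into a simple host-scoring check over connection logs. The following is an added example written for this article, not code from TrendMicro; the key=value log format and the sample lines are constructed assumptions, and it deliberately requires more than one indicator because a lone SSDP packet or a visit to msn.com is normal on a clean host.

```python
from collections import defaultdict

# Indicators reported for WORM_DOWNAD.E in the article: listener port and connectivity-check domains.
LISTEN_PORT = "5114"
CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}

# Constructed sample log in an assumed "key=value" connection-log format (not a real product format).
SAMPLE_LOG = """\
ts=2009-04-08T10:00:01 src=10.0.0.5 dst=239.255.255.250 dport=1900 proto=udp app=ssdp
ts=2009-04-08T10:00:02 src=10.0.0.5 dst=0.0.0.0 dport=5114 proto=tcp event=listen
ts=2009-04-08T10:00:03 src=10.0.0.5 dst=msn.com dport=80 proto=tcp
ts=2009-04-08T10:00:03 src=10.0.0.5 dst=cnn.com dport=80 proto=tcp
ts=2009-04-08T10:00:04 src=10.0.0.7 dst=msn.com dport=80 proto=tcp
ts=2009-04-08T10:00:05 src=10.0.0.9 dst=239.255.255.250 dport=1900 proto=udp app=ssdp
"""


def parse_line(line):
    """Split one 'k=v k=v ...' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def score_hosts(log_text):
    """Return {src_ip: set(indicator names)} for every host matching at least one indicator."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = rec["src"]
        if rec.get("event") == "listen" and rec.get("dport") == LISTEN_PORT:
            hits[src].add("listen_5114")
        if rec.get("app") == "ssdp":
            hits[src].add("ssdp_broadcast")
        if rec.get("dst", "").lower() in CHECK_DOMAINS:
            hits[src].add("connectivity_check")
    return dict(hits)


def suspicious_hosts(log_text, min_indicators=2):
    """Hosts showing at least min_indicators distinct indicators; single hits are too noisy to act on."""
    return sorted(h for h, ind in score_hosts(log_text).items() if len(ind) >= min_indicators)


if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_LOG):
        print(host, sorted(score_hosts(SAMPLE_LOG)[host]))
```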