WiredWX Hobby Weather Tools

 


Making sense of the latest Conficker update

Several of you have emailed me for information about the latest Conficker update. Consider this post an update to my “no bull” guide to Conficker.

Q: So, what’s happening?

A: On April 8th a new update was made available to machines infected with Conficker variant C. This new update is called Conficker.E by many antivirus vendors.

Q: How does this update come in?

A: As an .exe file (previous Conficker variants were all .dll files) via peer-to-peer (P2P).

Q: What does this new update do?

A: It seems that this update is a scareware package. It consists of a fake antispyware tool called Spyware Guard 2008. This update is a rogue antispyware tool that when triggered will “discover” that the system is infected with malware and ask the user for a payment to remove it. Of course this is all a scam and the system remains infected after the paid-for detox.

Detailed removal instructions for Spyware Guard 2008 can be found here.

This update also reintroduces Conficker’s ability to exploit the MS08-067 Windows vulnerability (Conficker.C didn’t have this feature).

It’s also suspected that Conficker.E will corral PCs and put them to work as part of a spambot network.

Q: Anything else interesting about Conficker.E?

A: Well, it is set to delete itself if the date is May 3, 2009 or later. Gives us an idea as to when the next update could be due.

Q: How widespread is Conficker.E?

A: Well, this update is being sent to systems running Conficker.C, and it is estimated that this has infected a few million systems; that’s a good starting point for how far this might go. Given that this update also leverages MS08-067, it has the potential to spread even further.

More at: http://blogs.zdnet.com/hardware/?p=4131

Update for GP at: http://blogs.technet.com/mmpc/archive/2009/04/09/win32-conficker-variants-update.aspx

Re: Making sense of the latest Conficker update

techy wrote:
A: It seems that this update is a scareware package. It consists of a fake antispyware tool called Spyware Guard 2008. This update is a rogue antispyware tool that when triggered will “discover” that the system is infected with malware and ask the user for a payment to remove it. Of course this is all a scam and the system remains infected after the paid-for detox.

Detailed removal instructions for Spyware Guard 2008 can be found here.



techy, you missed out the link. It can be found here:

www.geekpolice.net/-f12/how-to-remove-spyware-guard-2008-removal-guide-t3582.htm