Conficker copycats starting to appear

Written by Dan Blacharski on April 9, 2009

The April Fools’ Day Conficker scare didn’t amount to much, although that doesn’t mean that Conficker poses no danger. It’s still out there, silently spreading and perhaps collecting information, and may well become one of the biggest botnets ever, so don’t make the mistake of being lulled into a false sense of security because nothing happened on April 1.

What’s perhaps even more alarming is that there are copycats out there. The Neeris worm, which has been around for a while, has been updated to target the same MS08-067 Microsoft flaw that Conficker took advantage of. Like Conficker, Neeris downloads a copy of the worm onto the victim’s machine via HTTP, and then patches the system’s TCP/IP layer. Also like Conficker, Neeris spreads via the autorun function, and it adds an “Open folder to view files” Autoplay option.
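As an added example (not from the original article or from the Microsoft researchers it cites), here is a small check a defender could run over `autorun.inf` files found on removable drives to flag the pattern described above: an AutoPlay label imitating “Open folder to view files” on an entry that actually launches a program. The key names are standard `autorun.inf` entries; the sample files and `placeholder.exe` are constructed.

```python
import re

# Label the article says the worm adds to the AutoPlay dialog.
LURE = "open folder to view files"
# Standard autorun.inf keys that cause a program to be started.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(text):
    """Return the [autorun] section as a dict; keys are case-insensitive."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def assess(text):
    """Return a list of findings for one autorun.inf body."""
    entries = parse_autorun(text)
    launch = {k: v for k, v in entries.items() if k in LAUNCH_KEYS and v}
    action = re.sub(r"\s+", " ", entries.get("action", "")).lower()
    findings = []
    if launch:
        findings.append("launches a program: " + ", ".join(sorted(launch.values())))
    if launch and LURE in action:
        findings.append("AutoPlay label imitates the folder-open entry")
    return findings

# Constructed samples (not taken from a real infection).
SUSPICIOUS = """[AutoRun]
Action=Open  folder to view files
ShellExecute=placeholder.exe
"""
BENIGN = """[autorun]
label=Backup Drive
icon=drive.ico
"""

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, assess(body))
```

A file that only sets a drive label or icon produces no findings; any launch entry is reported, and the lure label raises a second, higher-confidence finding.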

A recent blog entry by two Microsoft researchers noted that the Neeris variant spiked between March 31 and April 1, coinciding with the Conficker date everyone was so worried about. However, the researchers note that there is no evidence that the Neeris variant is related to Conficker other than being a copycat. The researchers speculate that the perpetrators of both exploits may collaborate with each other, and that Conficker may actually have been designed based on the original Neeris worm design.

Neeris is an IRC bot, originally spread through MSN Messenger. More recently, additional replication methods have been added: the latest variant can also spread via removable drives, via SQL servers with weak passwords, by exploiting MS06-040, and now by exploiting the same MS08-067 flaw that Conficker targeted.

The same proactive measures that protect against Conficker also protect against Neeris: install the MS08-067 patch, use AutoPlay carefully and only with familiar applications, and disable Autorun completely.
