Is Conficker going to cease its strike in May?
Written by Brett Callow on April 17, 2009
And the latest Conficker worm news is …
While the doomsday predictions for April 1st may have proved to be unnecessarily alarmist, it seems that Conficker is starting to show signs of activity. Seemingly, a new variant known as WORM_DOWNAD.E has recently been discovered by a well-known security company. The new variant:
- (Un)Trigger Date – May 3, 2009, it will stop running
- Runs in random file name and random service name
- Deletes this dropped component afterwards
- Propagates via MS08-067 to external IPs if an Internet connection is available; if there is no connection, it uses local IPs
- Opens port 5114 and serves as an HTTP server, broadcasting via SSDP request
- Connects to the following sites:
  - Myspace.com
  - msn.com
  - ebay.com
  - cnn.com
  - aol.com
The new variant also attempts to download a binary associated with the Waledac worm, which has led to some speculation as to whether there could be some connection between Conficker and Waledac.
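The network behaviours listed above can be combined into a simple host triage check. This is an added example, not from the original post: the record format, sample data and scoring weights are constructed for illustration, and UDP 1900 is the standard SSDP port, which the post does not state.

```python
from collections import defaultdict

# Indicators from the variant description above.
LISTEN_PORT = 5114  # TCP port the variant opens as an HTTP server
SSDP_PORT = 1900    # standard SSDP UDP port (assumption: the post names no port)
CHECK_SITES = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}

# Constructed sample records: (host, kind, proto, port, remote)
SAMPLE = [
    ("10.0.0.21", "listen", "tcp", 5114, ""),
    ("10.0.0.21", "out", "udp", 1900, "239.255.255.250"),
    ("10.0.0.21", "out", "tcp", 80, "www.myspace.com"),
    ("10.0.0.21", "out", "tcp", 80, "msn.com"),
    ("10.0.0.21", "out", "tcp", 80, "ebay.com"),
    ("10.0.0.21", "out", "tcp", 80, "cnn.com"),
    ("10.0.0.21", "out", "tcp", 80, "aol.com"),
    ("10.0.0.34", "out", "tcp", 80, "cnn.com"),   # ordinary browsing
    ("10.0.0.55", "listen", "tcp", 5114, ""),     # listener only
]

def base_domain(name):
    """Reduce 'www.cnn.com' to 'cnn.com' (sufficient for these two-label sites)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def triage(records):
    """Return {host: (score, reasons)} for hosts matching any indicator."""
    seen = defaultdict(lambda: {"listen": False, "ssdp": False, "sites": set()})
    for host, kind, proto, port, remote in records:
        h = seen[host]
        if kind == "listen" and proto == "tcp" and port == LISTEN_PORT:
            h["listen"] = True
        elif kind == "out" and proto == "udp" and port == SSDP_PORT:
            h["ssdp"] = True
        elif kind == "out" and base_domain(remote) in CHECK_SITES:
            h["sites"].add(base_domain(remote))
    results = {}
    for host, h in seen.items():
        # The five sites are popular, so only the complete set counts, and weakly.
        checks = [(3, h["listen"], "listening on tcp/5114"),
                  (1, h["ssdp"], "SSDP traffic"),
                  (1, h["sites"] == CHECK_SITES, "contacted all five listed sites")]
        hits = [(w, why) for w, hit, why in checks if hit]
        if hits:
            results[host] = (sum(w for w, _ in hits), [why for _, why in hits])
    return results
```

Visits to the listed sites are normal traffic on their own, so the score treats them only as corroboration for a host that is already listening on port 5114.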
So, what can you do to protect yourself from the new variant? Basically, it’s a matter of taking the same steps that you needed to take in order to protect your systems against the original worm (in other words, you should already be protected!):
- Install the patch for MS08-067, and patches/updates for other vulnerabilities, as soon as vendors release them. Configure your PC to receive automatic updates and patches from Microsoft and software vendors.
- Make sure your security software is up to date.
- Disable the “Drive Auto-run” feature to avoid infections from USB drives.
- Employ secure passwords using a combination of letters, numbers and symbols and frequently change them.
- Take caution when searching online for DOWNAD and Conficker information. There are reports of rogue antivirus packages that are taking advantage of the situation. They will tell you that you are infected and ask you to pay money to download their application, which in many cases turns out to be malware.
Interestingly, the new variant is set to untrigger on May 3rd, 2009. Does that mean that it will cease to be a threat on that date? Seemingly not. It appears that the worm will simply cease to fetch the Waledac binary after that date.
What will Conficker do next? Your guess is as good as mine. But, while you’re waiting to find out, it would be a good idea to check that you’ve taken the steps outlined above.


