Back to overview

Threat intelligence

Conficker.E appears (April 9, 2009)

by Security News

A week after the Conficker.C (Worm) update algorithm became active, infected machines updated themselves to Conficker.E. However, the update came through Peer-to-Peer channels, not through the web control domains!

The new variant is an executable EXE file unlike previous variants that were DLLs. It's also known as WORM_DOWNAD.E (Trend), W32.Downadup.E (Symantec). The new variant has following characteristics:

  • Spreads by exploiting MS08-067 vulnerability, infecting USB devices, and via weak network shares.
  • It has a self-destruct trigger set for May 3, 2009 when it will deactivate and remove itself.
  • It attempts to connect to the following domains to determine the victim machine's IP address:
    • www.whatsmyipaddress.com
    • www.ipdragon.com
    • www.findmyip.com
    • www.ipaddressworld.com
    • www.findmyipaddress.com
    • www.myipaddress.com
    • checkip.dyndns.com
    • checkip.dyndns.org
  • It also attempts to connect to the following web sites:
    • myspace.com
    • msn.com
    • ebay.com
    • cnn.com
    • aol.com
  • It listens on TCP port 5453 and broadcasts the service by sending SSDP discover requests.

    • screenshot

  • It does not generate 50,000 domains per day unlike previous variant. In fact, it doesn't appear to contact any of the control domains via HTTP. It can still be controlled via P2P.
  • It deletes the original dropped file and removes any file system/registry traces from the infected machine.

The infected machines were also instructed via Conficker P2P network to:

  • Download hxxp://goodnewsdigitalXXXX.com/XXXX.exe, which is an encrypted copy of a Waledac Trojan. SonicWALL GAV detects the Trojan as GAV: Suspicious#waledac.10 (Worm) and the drive-by site component as GAV: Waledac#html (Trojan). More information related to Waledac Trojan could be found in our SonicAlerts archive.
  • Download rogue antivirus program - Spyware Protect 2009 from spy-protect-2009XX.com, spywrprotect-2009XX.com, or spywareprotector-2009XX.com. The software finds non-existent threats and offers to remove them for $49.95. SonicWALL GAV detects this rogue anti-virus program as GAV: SpywareProtect2009_3 (Trojan).

SonicWALL UTM research team is monitoring the situation and releasing GAV signatures for Conficker variants as soon as they are discovered. SonicWALL Gateway AntiVirus provides protection against Conficker.E with GAV: Conficker.E (Worm) signature.

Below is the screenshot of the Rogue AV site that was still active at the time of writing this article: screenshot

There are over 3 million computers infected with Conficker worm variants. Below are the hits on our generic signature: hits graph

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.