Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Conficker.E - P2P Updates Have Started for new variant

 
harrywaldron
Posted: Thu Apr 09, 2009 8:22 am

Trend is calling the latest variant Conficker "E". As expected, it's updating using P2P techniques rather than the 50,000 websites that the CWG has been deactivating. Please ensure you are up to date on all MS security updates and keep AV protection updated as well.

Conficker.E - P2P Updates Have Started for new variant
http://blogs.zdnet.com/BTL/?p=16082
http://isc.sans.org/diary.html?storyid=6157
http://news.cnet.com/8301-1009_3-10215678-83.html

Quote:
The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. The update may include a keylogger and other code to exfiltrate data. The update is delivered using the P2P mechanism and not the (disfunct) web sites.


Conficker.E - Trend Micro Information
http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/
http://blog.trendmicro.com/a-look-inside-conficker-p2p-traffic/

Quote:
Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well at least in our perspective) found are:

-- (Un)Trigger Date May 3, 2009, it will stop running
-- Runs in random file name and random service name
-- Deletes this dropped component afterwards
-- Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
-- Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request
-- Connects to the following sites: Myspace.com, msn.com, ebay.com, cnn.com, aol.com
-- It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc


McAfee information as AVERT labs has also documented this new threat:

DAT release 5579 or higher provides protection.

McAfee information
http://www.avertlabs.com/research/blog/index.php/2009/04/09/new-conficker-variant/

McAfee - Conficker Resource Center
http://www.mcafee.com/us/threat_center/conficker.html

McAfee Stinger - Can now clean latest variant
http://vil.nai.com/vil/stinger/
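
As an added example (not part of the original post or of the vendors' write-ups), the network behaviours in the Trend Micro list above can be checked against flow logs. The log format, sample records, indicator names and fan-out threshold are assumptions; SSDP alone is common on clean hosts, so a host is reported only when at least two behaviours coincide.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (not real captures): time, src, dst, proto, dst_port
SAMPLE_FLOWS = """\
09:00:01,10.0.0.23,239.255.255.250,udp,1900
09:00:02,198.51.100.7,10.0.0.23,tcp,5114
09:00:05,10.0.0.23,203.0.113.10,tcp,445
09:00:05,10.0.0.23,203.0.113.11,tcp,445
09:00:06,10.0.0.23,203.0.113.12,tcp,445
09:00:06,10.0.0.23,203.0.113.13,tcp,445
09:01:00,10.0.0.40,239.255.255.250,udp,1900
09:01:10,10.0.0.40,10.0.0.5,tcp,445
09:02:00,10.0.0.51,10.0.0.5,tcp,445
"""

SSDP_GROUP = "239.255.255.250"  # standard SSDP multicast address
FANOUT_THRESHOLD = 4            # assumed tuning value: distinct TCP/445 peers

def host_indicators(flow_text, fanout=FANOUT_THRESHOLD):
    """Map each host to the set of listed behaviours observed for it."""
    seen = defaultdict(set)
    smb_peers = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _, src, dst, proto, port = row
        port = int(port)
        if proto == "tcp" and port == 5114:
            seen[dst].add("tcp5114_inbound")   # connection to the port the post names
        elif proto == "udp" and port == 1900 and dst == SSDP_GROUP:
            seen[src].add("ssdp_broadcast")    # weak signal on its own
        elif proto == "tcp" and port == 445:
            smb_peers[src].add(dst)            # MS08-067 is reached over SMB
    for host, peers in smb_peers.items():
        if len(peers) >= fanout:
            seen[host].add("smb445_fanout")
    return dict(seen)

def suspects(flow_text, min_hits=2):
    """Hosts showing at least min_hits distinct behaviours, sorted."""
    return sorted(h for h, hits in host_indicators(flow_text).items()
                  if len(hits) >= min_hits)

if __name__ == "__main__":
    for host in suspects(SAMPLE_FLOWS):
        print(host, sorted(host_indicators(SAMPLE_FLOWS)[host]))
```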