Third Conficker Worm Wields: Most Resilient Yet

Dennis Faas's picture

The frightening Conficker worm is just getting bigger and meaner all the time. W32.Downadup.C, a third variant of the Conficker/Downadup worm, is reportedly being pushed out to systems that are already infected.

Analysis of the third variant of the worm by Symantec is still in the early stages, but their initial research found a couple of new attributes -- one of which includes targeting antivirus software and security tools with the intention of disabling them. (Source: symantec.com)

New Variant Protects itself from AntiVirus Software

The Conficker/Downadup authors moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain-generation algorithm in response to the security industry's success in cracking the W32.Downadup.B domain-generation algorithm. (Source: symantec.com)

Symantec is not seeing an increase in customer infections for this threat but they are keeping a close eye on it.

Earlier versions of the conficker/downadup worm attempted to disable antivirus software but the newest variant is designed to provide more protective actions to infected PCs so it can better defend itself from antivirus software and other methods of remediation.

A Modular Component For Currently Infected PCs

Vincent Weafer, Vice president of Symantec Security Response, says that W32.Downadup.C is a more aggressive modular component for machines currently infected with the Conficker/Downadup worm.  The new version does not attempt to self-replicate and appears to behave more like a Trojan than a worm, noting that it's more robust in defending itself. (Source: pcworld.com)

A list of processes found on infected machines that contain an antivirus program or security analysis tool that are killed can be found at Symantec's forum. (Source: symantec.com)

Visit Bill's Links and More for more great tips, just like this one!

Rate this article: 
No votes yet