Chicago (IL) – Computer Associates (CA) said that it has been monitoring a new variant of the Conficker (Downadup) worm that is apparently set to spread beginning April 1. Win32/Conficker.C is prepared for a massive launch, according to the security firm, targeting up to 50,000 URLs every day.
According to CA, Conficker.C is a substantial improvement over the first two versions of the worm and much more sophisticated in the way it plants itself on user computers. The firm said that this latest version has lost some of its spreading functionality, but may not trigger a reaction from security software because it terminates tools used to monitor and remove Conficker from affected systems. For example, as illustrated below, it can terminate Process Explorer.
The payload does not cause immediate damage to files, but the worm is set for future action when called upon. It modifies and lowers Windows security settings, deletes system restore points, disables certain services such as Windows Defender and Error Reporting Service, terminates 23 security-related services, blocks access to 71 websites of security software developers and is prepared to download arbitrary files from a range of websites.
CA said that Conficker.C will attempt to access 50,000 URLs daily and try to access 500 of them. The company recommends that users update their security software before the worm becomes active.