Conficker Gets Update, Does ... Something

Conficker has started doing its thing apparently. Its thing has yet to be defined but everyone should panic anyway, okay?

Exactly one week after it was supposed to get its ducks in a line, reports began to trickle in claiming that Conficker had begun updating via P2P between infected computers and dropping a mystery payload on infected machines.

According to PCWorld, researchers at Trend Micro reported that infected machines had begun receiving a binary update which tells Conficker to start scanning for other computers that haven't patched the Microsoft vulnerability the virus exploits.

The new update also tells Conficker to contact,,, and apparently to confirm that the infected machine is connected to the Internet, Rik Ferguson of Trend Micro told PCWorld. What’s more, Conficker also blocks infected PCs from visiting specific sites. Previous Conficker versions wouldn't let people browse to the websites of security companies. This new update is timed to stop running on May 3, although it’s unclear if this deadline will pass as uneventfully as the last.

Trend Micro also notes in a blog post that it does not leave a trace of itself in the host machine. “It runs and deletes all traces, no files, no registries etc,” wrote Ivan Macalintal, an advanced threat researcher.

Conficker has infected millions of computers with the specific number varying, depending on who you ask. The number of infected computers ranges from under 5 million to nearly 15 million machines. You can read all about Conficker in our previous posts, here and here. So what’s the verdict, are you guys starting to panic yet?

(Via PCWorld/Trend Micro)

Comment from the forums
  • LePhuronn
    This sounds more and more like an experiment in panic to me. There have been viruses that have generated a bigger media buzz than this, but it's only ever been for a few days then somebody gets the remedy online and it all goes away.

    Conficker (and surely it should've been spelt Confickr) has been bubbling around seemingly for ages, doing crafty updates, installing mystery payloads, sending P2P messages, and whatnot...yet nothing actually happens and security companies must be having kittens trying to work it all out.

    Either this is an attempt at diversion for something big to kick off elsewhere or this is purely a psychological exercise.

    I'm half-tempted though to fire up one of my old Athlon boxes and infect it just to see what's going on!
  • will_chellam
    Well, I've been fascinated (and a little worried) following the confickr updates on the news...

    Whoever wrote this has some serious coding talent, it's fascinating to see the cat and mouse game of the authorities and antivirus companies vs. the virus and the sense of anticipation as to what might happen is immense.

    The last round of briefings was quite interesting - this encrypted code update and the fact the virus will remove itself in May makes me think something is going to come to a head at that time... we can assume that the programmer expects to have achieved his objectives at that time, what those are is a mystery - my worst fear is the code update was a BIOS rootkit, although a standard Windows rootkit could be as bad.

    Imagine that, 15 million machines permanently under the programmer's control to reinfect and command at will - that's got to be worth a hefty price on the open (black) market....