# Conficker wakes up, updates via P2P, drops payload
## RootbeaR (Dec 9, 2006)

"The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said."
http://news.cnet.com/8301-1009_3-10215678-83.html?part=rss&subj=news&tag=2547-1_3-0-20

----------

## Smiles n' grins (Jun 8, 2007)

> The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, *and is set to shut down on May 3*, according to the TrendLabs Malware Blog.


I somehow have the feeling that that's not going to happen, unless the makers think that the code will be decrypted where there would be a possibility that they would be found out.
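The connectivity check quoted above (MySpace, MSN, eBay, CNN, AOL) is one of the few concrete network behaviours this thread mentions, so here is an added example, not from the original posts or from Trend Micro, of turning it into a triage heuristic over proxy logs: flag any client that reaches at least four of those five domains inside a short window. The log format, the IPs, the timestamps and the thresholds are all constructed for the example. Treat it as a weak signal only: ordinary browsing also touches these sites, so a hit is a reason to look at the host, not proof of infection.

```python
import re
from collections import defaultdict
from datetime import datetime

# Domains quoted from the TrendLabs write-up as Conficker's connectivity check.
CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}

# Hypothetical proxy log format, constructed for this example:
# "<ISO timestamp> <client ip> <requested host>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line; return (timestamp, client, host) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    host = m.group(3).lower().split(":")[0]  # drop any :port suffix
    return ts, m.group(2), host


def base_domain(host):
    """Reduce www.cnn.com -> cnn.com so subdomains match the check list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_suspect_clients(lines, window_seconds=60, min_domains=4):
    """Return {client: sorted list of check domains} for every client that
    contacted at least min_domains of CHECK_DOMAINS within window_seconds."""
    hits = defaultdict(list)  # client -> [(timestamp, domain)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the sweep
        ts, client, host = parsed
        dom = base_domain(host)
        if dom in CHECK_DOMAINS:
            hits[client].append((ts, dom))

    suspects = {}
    for client, events in hits.items():
        events.sort()
        # Slide a window over the time-ordered events; stop at the first burst.
        for i in range(len(events)):
            start = events[i][0]
            seen = set()
            for ts, dom in events[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(dom)
            if len(seen) >= min_domains:
                suspects[client] = sorted(seen)
                break
    return suspects


# Constructed sample: 10.0.0.5 bursts through all five in ten seconds,
# 10.0.0.9 visits two of them an hour apart (normal browsing), plus one bad line.
SAMPLE_LOG = [
    "2009-04-08T10:00:00 10.0.0.5 www.myspace.com",
    "2009-04-08T10:00:02 10.0.0.5 www.msn.com:80",
    "2009-04-08T10:00:04 10.0.0.5 www.ebay.com",
    "2009-04-08T10:00:07 10.0.0.5 www.cnn.com",
    "2009-04-08T10:00:10 10.0.0.5 www.aol.com",
    "2009-04-08T10:00:00 10.0.0.9 www.cnn.com",
    "2009-04-08T11:00:00 10.0.0.9 www.msn.com",
    "this line is not a log entry",
]

if __name__ == "__main__":
    for client, domains in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(domains)}")
```

Run as-is it reports only 10.0.0.5. Loosening the window to a couple of hours and the threshold to two domains also pulls in 10.0.0.9, which is the point: the defaults are deliberately tight, because the behaviour the quote describes is a burst at start-up, not scattered visits over a day.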


----------



## RootbeaR (Dec 9, 2006)

"The new Conficker has also started to exhibit signs of traditional malware. Using one of the oldest tricks in the book, called scareware, the new Conficker C downloads a fake antivirus program called Spyware Protect 2009 (pictured). F-Secure says it's called Spyware Guard 2008. The fake program then delivers a pop-up message telling you that your computer is infected, but for only $49.95 the fake antivirus program can remove the malware. You are then directed to a bogus website where you unwittingly enter all your credit card information and then the criminals are laughing all the way to the bank -- your bank, that is. The scareware scam seems to be coming from a server in the Ukraine, according to the Washington Post."
http://www.networkworld.com/news/2009/041009-conficker-awakens-starts.html?hpg1=bn

----------