Conficker.E - P2P Updates Have Started for new variant

Posted Thursday, April 09, 2009 3:14 PM by hwaldron

Trend is calling the latest variant Conficker "E". As expected, it's updating using P2P techniques rather than the 50,000 websites that the CWG has been deactivating.

Conficker.E - P2P Updates Have Started for new variant

QUOTE: The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. The update may include a keylogger and other code to exfiltrate data. The update is delivered using the P2P mechanism and not the (defunct) web sites.

Conficker.E - Trend Micro Information

Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well, at least from our perspective) found are:

-- (Un)Trigger date: May 3, 2009; it will stop running
-- Runs under a random file name and a random service name
-- Deletes this dropped component afterwards
-- Propagates via MS08-067 to external IPs if Internet is available; if there is no connection, uses local IPs
-- Opens port 5114 and serves as an HTTP server, announcing itself by broadcasting an SSDP request
-- Connects to the following sites:,,,,
-- It also does not leave a trace of itself on the host machine. It runs and deletes all traces: no files, no registry entries, etc.
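Since this variant leaves no files or registry entries behind, the network behaviours listed above (SSDP announcements, an HTTP listener on TCP/5114, and MS08-067 fan-out, which rides SMB on TCP/445) are what a defender is left to hunt for. The script below is an added example, not Trend Micro's detection logic or anything from the original post: it triages constructed flow records and flags hosts that combine two or more of those behaviours. The `Flow` record layout, the multicast-only SSDP check, and the fan-out threshold of 8 distinct SMB targets are assumptions chosen for the example.

```python
"""
Heuristic triage over flow records for Conficker.E-style network behaviour:
  - SSDP announcements (UDP/1900 to the SSDP multicast group)
  - peers connecting to an HTTP listener on TCP/5114
  - SMB fan-out to many distinct hosts on TCP/445 (MS08-067 propagation)
Record format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    bytes_out: int


P2P_PORT = 5114                  # HTTP listener named in the Trend write-up
SSDP_PORT = 1900                 # SSDP runs over UDP/1900
SSDP_MCAST = "239.255.255.250"   # SSDP IPv4 multicast group
SMB_PORT = 445                   # MS08-067 is an SMB (Server service) bug
SMB_FANOUT_THRESHOLD = 8         # assumption: distinct 445 targets per host

# Constructed sample flows (not real captures). 10.0.0.7 plays the infected
# host; 10.0.0.12 is a benign workstation that also speaks SSDP and SMB.
SAMPLE_FLOWS = [
    Flow("10.0.0.7", SSDP_MCAST, "udp", SSDP_PORT, 300),
    Flow("10.0.0.7", SSDP_MCAST, "udp", SSDP_PORT, 300),
    Flow("10.0.0.12", "10.0.0.7", "tcp", P2P_PORT, 1200),   # peer pulls update
    Flow("10.0.0.19", "10.0.0.7", "tcp", P2P_PORT, 1200),
    Flow("10.0.0.12", "10.0.0.5", "tcp", SMB_PORT, 900),    # one file server
    Flow("10.0.0.12", SSDP_MCAST, "udp", SSDP_PORT, 300),   # media player
] + [
    # infected host sweeps ten neighbours on 445
    Flow("10.0.0.7", f"10.0.0.{n}", "tcp", SMB_PORT, 900) for n in range(21, 31)
]


def host_indicators(flows):
    """Map each host to the set of indicator names it exhibits."""
    ssdp_sources = set()
    p2p_listeners = set()
    smb_targets = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dport == SSDP_PORT and f.dst == SSDP_MCAST:
            ssdp_sources.add(f.src)
        elif f.proto == "tcp" and f.dport == P2P_PORT:
            # the *destination* of a 5114 connection is the host serving HTTP
            p2p_listeners.add(f.dst)
        elif f.proto == "tcp" and f.dport == SMB_PORT:
            smb_targets[f.src].add(f.dst)

    indicators = defaultdict(set)
    for host in ssdp_sources:
        indicators[host].add("ssdp_announce")
    for host in p2p_listeners:
        indicators[host].add("serves_tcp_5114")
    for host, targets in smb_targets.items():
        if len(targets) >= SMB_FANOUT_THRESHOLD:
            indicators[host].add("smb_fanout")
    return dict(indicators)


def triage(flows, min_indicators=2):
    """Hosts showing at least `min_indicators` behaviours, sorted."""
    return sorted(
        host for host, ind in host_indicators(flows).items()
        if len(ind) >= min_indicators
    )


if __name__ == "__main__":
    for host, ind in sorted(host_indicators(SAMPLE_FLOWS).items()):
        print(f"{host:<12} {', '.join(sorted(ind))}")
    print("suspect hosts:", triage(SAMPLE_FLOWS))
```

Requiring two independent behaviours is what keeps the benign workstation out of the result: SSDP on its own is normal for media players and printers, and a single SMB destination is an ordinary file-server session. Tuning `SMB_FANOUT_THRESHOLD` to the environment matters more than the exact ports, which a later variant could change.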

