We’ve seen some activity in the Conficker space in the past two days and this has caused some questions from customers. Specifically, there have been reports of two possible new variants of Conficker. Our colleagues over at the Microsoft Malware Protection Center (MMPC) have done a thorough analysis of both of these and have determined that there’s really only one new variant, which they’re calling Conficker.E. Most importantly, the signatures that protect against Conficker.A are also effective at protecting against Conficker.E. The other possible new variant is only a slightly modified version of Conficker.D and our Conficker.D signatures protect against it. Also, our virus encylopedia entry for Conficker.D has been updated to include information about this slightly modified version.
There’s more detailed information on Conficker.E on the MMPC blog and in the encyclopedia entry. But at a high level, this has similar propagation methods to Conficker.B (attempting to exploit MS08-067, attacking weak passwords on administrative shares and spreading via removable media like USB drives). However, it also has instructions so that it will also delete itself on May 3, 2009.
The important thing is that our guidance for protecting yourself remains the same. If your systems and security software are fully updated, you don’t need to be concerned about Conficker.
As always, we’re continuing our work with the Conficker Working Group and will update you as we have new, important information.
Thanks.
Christopher
*This posting is provided “AS IS” with no warranties, and confers no rights*