A new version of the Conficker worm has struck computers around the world. During the night of 8/9 April 2009, the malware instructed already-infected computers to download new code containing the latest variant, along with a spam bot and a fake anti-virus program.
According to Kaspersky Lab, which calls the malware Kido, the new version can once again be classified as a worm. Kaspersky also believes the new code may be date-limited, remaining active only until 3 May 2009.
The security software company says that, in addition to downloading updates for itself, the malware also downloads two new files to infected machines.
One is a rogue antivirus application (detected as FraudTool.Win32.SpywareProtect2009.s) that is distributed from sites located in Ukraine. When run, the program offers to delete the "viruses" it claims to have found, for a charge of $49.95.
The second file is Email-Worm.Win32.Iksmas.atz, also known as Waledac, which is able to steal data and send spam.
BitDefender researchers report that the new version evades detection and disinfection by the removal tools written for its previous versions.
The malicious binary already blocked access to antivirus vendors' web sites and to third-party sites offering online scanning or removal tools; the update extends that blocklist to http://bdtools.net, BitDefender's online repository for its disinfection and removal tools. BitDefender has therefore moved its updated tools to www.disinfecttools.com, a domain that compromised machines do not yet block.
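The blocking behaviour described above gives a quick triage check: an infected host can still reach ordinary sites but fails to reach antivirus vendor and removal-tool sites. The script below is an added example, not code from the article or from any of the vendors it quotes. It probes a list of vendor domains and a list of control domains and classifies the result. Only bdtools.net and www.disinfecttools.com are taken from the article; the other domain names, the port-80 TCP probe and the timeout are assumptions for illustration, and the sample result map is constructed.

```python
"""Reachability triage for Conficker-style domain blocking (added example).

The worm blocks access to security-vendor sites on the infected host, so a
host that reaches control domains but none of the vendor domains is worth a
closer look. A clean or inconclusive result does not rule out infection.
"""
import socket
from typing import Dict, Iterable

# Domains the worm is expected to block. bdtools.net is named in the article;
# the vendor home pages are assumptions for illustration.
BLOCKED_CANDIDATES = [
    "bdtools.net",
    "www.bitdefender.com",
    "www.kaspersky.com",
    "www.symantec.com",
]

# Domains expected to stay reachable: the mirror the article says is not
# blacklisted, plus an ordinary site assumed as a control.
CONTROL_DOMAINS = ["www.disinfecttools.com", "www.example.com"]

# Constructed result map showing what an infected host would look like:
# controls reachable, vendor sites not.
SAMPLE_RESULTS = {
    "bdtools.net": False,
    "www.bitdefender.com": False,
    "www.kaspersky.com": False,
    "www.symantec.com": False,
    "www.disinfecttools.com": True,
    "www.example.com": True,
}


def probe(domain: str, timeout: float = 3.0) -> bool:
    """Return True if the name resolves and port 80 accepts a TCP connection.

    A block by the worm shows up as a resolution failure or a refused
    connection, both of which raise OSError here.
    """
    try:
        addr = socket.gethostbyname(domain)
        with socket.create_connection((addr, 80), timeout=timeout):
            return True
    except OSError:
        return False


def classify(results: Dict[str, bool], blocked: Iterable[str],
             controls: Iterable[str]) -> str:
    """Interpret a domain -> reachable map.

    'offline'    : no control domain reachable, so the test is inconclusive
    'suspicious' : controls reachable but no vendor domain reachable
    'clean'      : every vendor domain reachable
    'partial'    : some vendor domains reachable, some not
    """
    ctrl_ok = [results.get(d, False) for d in controls]
    vend_ok = [results.get(d, False) for d in blocked]
    if not any(ctrl_ok):
        return "offline"
    if not any(vend_ok):
        return "suspicious"
    if all(vend_ok):
        return "clean"
    return "partial"


def run_check() -> str:
    """Probe every domain live and classify the host."""
    results = {d: probe(d) for d in BLOCKED_CANDIDATES + CONTROL_DOMAINS}
    return classify(results, BLOCKED_CANDIDATES, CONTROL_DOMAINS)


if __name__ == "__main__":
    # Show the classifier on the constructed sample, then probe for real.
    print("sample:", classify(SAMPLE_RESULTS, BLOCKED_CANDIDATES, CONTROL_DOMAINS))
    print("live:", run_check())
```

Treat a "suspicious" result as a reason to run a known-good removal tool from a domain the worm does not block, not as proof of infection; a site may be down or filtered by a proxy for unrelated reasons. The worm interferes with resolution on the infected host itself, so the probe should be run from the machine under suspicion, not from a scanner elsewhere on the network.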
Symantec Security Response also notes that the new variant of Conficker drops the Waledac binary on to infected machines.
"W32.Waledac, one of the most active spam bots, steals sensitive information, turns computers into spam zombies, and establishes a back door remote access," the company states.
In addition, Symantec reports that the new variant reintroduces the MS08-067 exploit vector (the Windows Server service vulnerability that Microsoft patched in October 2008), which had been removed in the .C variant. Machines that still lack that patch are therefore exposed to network infection again.