Kaspersky Lab analyzes new version of Conficker

Kaspersky Lab, a leading developer of secure content management solutions, announces that a new version of the malicious program Conficker (aka Kido and Downadup) has been detected.

During the night of 8th/9th April, computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling infected machines to download new malicious files, thus activating the Kido botnet.

This latest Conficker variant differs significantly from previous variants: the malware is now once again a worm. Initial analyzes suggest it has date-limited functionality until 3rd May 2009.

In addition to downloading updates for itself, Conficker also downloads two new files to infected machines. One is a rogue antivirus application (detected as FraudTool.Win32.SpywareProtect2009.s) that is being spread from sites located in Ukraine. When it’s run, the program offers to delete “detected viruses” for a charge of $49.95.

The second file which Conficker downloads to infected systems is Email-Worm.Win32.Iksmas.atz. This email worm is also known as Waledac, and is able to steal data and send spam. When this malicious program was first detected in January 2009, a lot of IT experts noted the similarity between Kido and Iksmas. The Conficker epidemic was mirrored by an email epidemic of a similar scale caused by Iksmas.