Kaspersky Lab detects new version of Conficker worm (Net-Worm.Win32.Kido.js)
August 16, 2009 by admin
Kaspersky Lab, a leading developer of secure content management solutions, announces that a new version of the malicious program Kido (aka Conficker and Downadup) has been detected.
Kaspersky said computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P on April 8-9, telling infected machines to download new malicious files.
The latest Conficker variant differs significantly from previous variants: the malware is now once again a worm. Initial analyses suggest it has date-limited functionality until May 3, 2009.
In addition to downloading updates for itself, Conficker also downloads two new files to infected machines. One is a rogue antivirus application (detected as FraudTool.Win32.SpywareProtect2009.s) that is being spread from sites located in Ukraine. Once activated, the program offers to delete “detected viruses” for a charge of $49.95.
The second file which Conficker downloads to infected systems is Email-Worm.Win32.Iksmas.atz. This email worm is also known as Waledac, and is able to steal data and send spam. When this malicious program was first detected in January 2009, a lot of IT experts noted the similarity between Conficker and Iksmas. The Conficker epidemic was mirrored by an email epidemic of a similar scale caused by Iksmas.
“Over a 12-hour period, Iksmas connected to its control centers around the globe a number of times and received commands to send out spam mailings. In just 12 hours, one bot alone sent out 42,298 spam messages,” Aleks Gostev, head of Kaspersky Lab’s Global Research and Analysis Team, said in comments about the current situation.
“Virtually every email contained a unique domain. This was obviously done to prevent anti-spam filters from detecting the mass mailings using methods that analyze the frequency with which a specific domain is used. Overall, we detected the use of 40,542 third-level domains and 33 second-level domains. Virtually all of these sites are located in China and are registered in the names of various people, most probably invented.
“A simple calculation shows that one Iksmas bot sends out around 80 000 emails in 24 hours. Assuming that there are 5 million infected machines out there, the botnet could send out about 400 billion spam messages over a 24-hour period!”
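The evasion Gostev describes, seen from the filter's side, as an added example that is not from Kaspersky Lab or the original article: counting per full hostname finds nothing, while grouping by registered (second-level) domain collapses the rotation. The sample URLs, thresholds, function names and the short suffix set are all constructed assumptions; production code should use the full Public Suffix List.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "co.uk"}

def url_host(url):
    """Lower-cased hostname of a URL, or '' if none can be parsed."""
    return (urlsplit(url).hostname or "").rstrip(".")

def registered_domain(host):
    """Collapse a hostname to the domain that was actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def flag_domains(urls, key, threshold):
    """Frequency filter: keys seen in at least `threshold` URLs."""
    counts = Counter(key(url_host(u)) for u in urls)
    return {k: n for k, n in counts.items() if n >= threshold}

def rotating_domains(urls, min_hosts):
    """Registered domains fronted by many distinct subdomains."""
    hosts = {}
    for u in urls:
        h = url_host(u)
        hosts.setdefault(registered_domain(h), set()).add(h)
    return {d: len(s) for d, s in hosts.items() if len(s) >= min_hosts}

# Constructed sample: one URL per message, a unique third-level name each time.
SUBS = [f"x{i:03d}" for i in range(20)]
SAMPLE_URLS = (
    [f"http://{s}.mailer-one.example/p" for s in SUBS]
    + [f"http://{s}.mailer-two.com.cn/p" for s in SUBS[:10]]
    + ["http://www.example.org/newsletter"] * 3
)

if __name__ == "__main__":
    print("per hostname:   ", flag_domains(SAMPLE_URLS, lambda h: h, 5))
    print("per registered: ", flag_domains(SAMPLE_URLS, registered_domain, 5))
    print("rotation signal:", rotating_domains(SAMPLE_URLS, 5))
```

The count of distinct subdomains per registered domain is itself a usable signal, since legitimate senders rarely link through dozens of one-off hostnames.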
Kaspersky Lab is currently carrying out a detailed analysis of the new Kido variant. The company’s experts are working on a new version of the KKiller utility, taking into account the specific functionality of the latest version of the worm.
Users of Kaspersky Lab products have no cause for concern – the new version of the Kido worm (Net-Worm.Win32.Kido.js) has been detected heuristically from the outset (as HEUR:Worm.Win32.Generic), as has the variant of Iksmas that it downloads.
Source: kasperskynews.com
Well… another way to get rid of the Conficker virus is this free tool: http://www.disinfecttools.com/
Good luck and stay protected!
Thank you so much janiesmiling for your comment and for the Conficker removal tool, but we are not sure if it's working with the new version of Conficker; the best thing for protection is keeping Windows updated.
Kaspersky is the best anti-virus program I have ever used. It is way better than McAfee and Norton Antivirus.
I have used Kaspersky and it is a good anti-virus; my only complaint about Kaspersky is that it uses more memory compared to other anti-virus like Avast,