From F-Secure:

# On April 8th a new update was made available to Conficker.C infected machines via the P2P network
# The new file, which we call Conficker.E, is executed and co-exists alongside the old infection
# It re-introduces spreading via the MS08-067 vulnerability. Spreading functionality was removed in Conficker.C and the gang behind this maybe realized they made a mistake and added it again.
# There’s a possible connection to Waledac, a spambot. Some Conficker.C infected computers connected to a well known Waledac domain and downloaded Waledac from there.
# There’s also a connection to rogue anti-virus products as we’ve seen it end up on Conficker.C infected machines. The rogue product was Spyware Guard 2008.
# Conficker.E deletes itself if the date is May 3, 2009 or later.

According to Trend Micro’s summary:

Two things can be summed up from the events that transpired:

1. As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing!
2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…

Here’s a link to more information from Trend Micro

Here’s a link to the conficker “eye test” – it’ll let you know if your machine is infected or not.

http://www.talkbiz.com/confickertest/

From Microsoft: Conficker infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Once your computer is infected, it is now “owned” by the Conficker worm and its creators. It becomes one of millions of infected PC’s making up a massive “army” of infected machines that could possibly be used to implement the author’s bidding at any time.  Here’s the scary part- all these infected machines ( or “bots”) are currently programmed to “check in” with their master on April 1st to get new instructions. No one knows exactly what will happen on that day.

Pundits have speculated a variety of different malicious deeds this massive bot army could undertake on 4/1. One possibility is that the author’s will grab sensitive personal data off all these machines. Another thought is that they will launch massive denial of service attacks on major websites.  Still others believe that this bot army will be sold off for the purposes of sending out Spam worldwide.  No one, except the authors knows for sure.

Regardless, make sure your machines have AntiVirus software, and that its up-to-date. If you’ve just recently installed AntiVirus, make sure you do a full system scan. Make sure Automatic Updates are turned on.

The Honeynet project just released a new python script you can run to scan your network for infected machines. Here’s a link to it:

http://honeynet.org/node/388

For more info about this worm you can check out any of the following links:

http://en.wikipedia.org/wiki/Conficker

http://vil.nai.com/vil/content/v_153464.htm

This one’s REAL technical but a great read if you have the time:

http://mtc.sri.com/Conficker/addendumC/

Let’s be careful out there….