February 23, 2009 4:13 PM PST

New variant of Conficker worm circulates

by Elinor Mills

A new variant of the Conficker Internet worm is circulating that opens a backdoor through which an attacker could distribute malware to infected machines, the US-CERT organization warned on Monday.

The new Conficker/Downadup worm, dubbed "Conficker B++," uses a new backdoor with "auto-update" functionality, CERT said in an advisory.

Microsoft says there is no indication that systems infected with previous variants of Conficker can automatically be re-infected with the new variant, CERT said.

Previous versions of Conficker took action to prevent further exploitation of the vulnerability, Microsoft said in an advisory of its own.

"We've discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it. Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload," said Microsoft, which is offering a $250,000 reward to stop the Conficker worm. "The payload only executes if it is successfully validated by the malware. However, there doesn't appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant."

The worm, which has been around since last year, spreads through a hole in Windows systems, exploiting a vulnerability that Microsoft patched in October.

Conficker also spreads via removable storage devices such as USB drives, and across network shares by guessing passwords and user names.

Meanwhile, the previous versions of Conficker have been busy. Conficker.A has affected more than 4.7 million IP addresses, while its successor, Conficker.B, has affected 6.7 million IP addresses, with infected hosts totaling fewer than 4 million computers for both, according to a technical report by SRI International.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.