We knew it would try to make a buck somehow, but until now Conficker hasn't done much beyond spread and update. That changed yesterday, when the worm began installing a rogue antivirus app called SpywareProtect2009 on infected machines.
A Kaspersky researcher reports that the worm began using its peer-to-peer functionality yesterday to pull down new files, including updates and the fake security program. The fake app goes with the usual scareware tactics of identifying threats on the computer (ironically true in this case) and offering to clean the PC for $49.95.
The scareware tactic makes big money for online scammers, and I've talked to some experts who guessed Conficker might take this step. In addition to the scareware download, Conficker is also pulling down an update for a .E variant that will once again allow the worm to spread using a Microsoft vulnerability (MS08-067), and will also attempt to stop more existing programs and block attempts to reach additional domains (see the full list of messed-with processes and domains from Sophos).
The new update also adds an interesting new self-destruct mechanism to automatically delete itself after May 3, 2009. A Microsoft Malware Protection Center blog post has a good list of the new .E variant changes, and the Today @ PC World blog lists some new clues that might point to its creators.
If you see a scareware pop-up or other indicator on your PC, it's important to know whether it's from a relatively harmless visit to a Web site, or whether it 's from an existing malware infection like Conficker. This story can help you tell which is which. And for a quick and easy way to tell if you're infected with Conficker, use the Conficker Working Group's Eye Chart.