Oh hey dudes, it wasn't fake. It became Conficker.E.
It now does this:
1. (Un)Trigger Date – May 3, 2009, it will stop running
2. Runs using a random file name and random service name
3. Deletes this dropped component afterwards
4. Propagates via MS08-067 to external IPs if Internet is available; if there is no connection, it uses local IPs
5. Opens port 5114, and serves as an HTTP server by broadcasting via SSDP request
6. Connects to the following sites:
* Myspace.com
* msn.com
* ebay.com
* cnn.com
* aol.com
It also does not leave a trace of itself on the host machine. It runs and deletes all traces: no files, no registry entries, etc.
Another interesting thing we also noticed was that the Downad/Conficker box was trying to access a known Waledac domain (goodnewsdigital(dot)com) and download yet another encrypted file. This coincidentally happened just after the creation of the new Downad/Conficker binary described below (07:41:23):
(screenshot: IP / download file)
The domain currently resolves to an IP address that is hosting a known Waledac ploy in HTML to download print.exe, which has been verified to be a new Waledac binary.
Two things can be summed up from the events that transpired:
1. As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications are now running in full swing!
2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…
http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/#ixzz0CfVxc5DE
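As an added defender-side example (not code from the post or from the Trend Micro article), here is a small Python parser for SSDP NOTIFY datagrams that flags any advertised LOCATION URL pointing at port 5114, the port the post says this variant opens for its HTTP server; the datagrams below are constructed, not captured traffic.

```python
from urllib.parse import urlsplit

# Port the post says Conficker.E listens on for its HTTP server.
SUSPECT_PORT = 5114

# Constructed SSDP datagrams (not real captures): a normal router
# advertisement, a suspicious one on port 5114, a discovery request, junk.
SAMPLE_DATAGRAMS = [
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\nLOCATION: http://192.168.1.1:80/rootDesc.xml\r\n"
    b"USN: uuid:1234::upnp:rootdevice\r\n\r\n",
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\nLOCATION: http://192.168.1.23:5114/\r\n"
    b"USN: uuid:abcd::upnp:rootdevice\r\n\r\n",
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n",
    b"garbage",
]


def parse_ssdp(datagram: bytes):
    """Return (method, headers) for an SSDP datagram, or None if malformed."""
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].endswith("HTTP/1.1"):
        return None
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None  # header line without a colon: malformed
        headers[name.strip().upper()] = value.strip()
    return method, headers


def suspicious_ssdp_locations(datagrams, port=SUSPECT_PORT):
    """Return (USN, LOCATION) pairs for NOTIFY messages advertising `port`."""
    hits = []
    for datagram in datagrams:
        parsed = parse_ssdp(datagram)
        if parsed is None or parsed[0] != "NOTIFY":
            continue
        location = parsed[1].get("LOCATION", "")
        try:
            if location and urlsplit(location).port == port:
                hits.append((parsed[1].get("USN", ""), location))
        except ValueError:
            continue  # unparsable port in the URL; skip rather than crash
    return hits


if __name__ == "__main__":
    for usn, loc in suspicious_ssdp_locations(SAMPLE_DATAGRAMS):
        print(f"SSDP advertisement on port {SUSPECT_PORT}: {usn} -> {loc}")
```

In practice the datagrams would come from a socket joined to the 239.255.255.250:1900 multicast group; a hit is a lead to investigate, not proof of infection, since any device may legitimately advertise on an unusual port.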