Several of you have emailed me for information about the latest Conficker update. Consider this post an update to my "no bull" guide to Conficker.
Q: So, what's happening?
A: On April 8th a new update was made available to machines infected with Conficker variant C. This new update is called Conficker.E by many antivirus vendors.
Q: How does this update come in?
A: As an .exe file (previous Conficker variants were all .dll files), delivered via peer-to-peer (P2P).
Q: What does this new update do?
A: This update appears to be a scareware package: a fake antispyware tool called Spyware Guard 2008. When triggered, this rogue antispyware tool will "discover" that the system is infected with malware and ask the user for a payment to remove it. Of course this is all a scam, and the system remains infected after the paid-for detox.
Detailed removal instructions for Spyware Guard 2008 can be found here.
This update also reintroduces Conficker's ability to exploit the MS08-067 Windows vulnerability (Conficker.C didn't have this feature).
It's also suspected that Conficker.E will corral PCs and put them to work as part of a spambot network.
Q: Anything else interesting about Conficker.E?
A: Well, it is set to delete itself if the date is May 3, 2009 or later, which gives us an idea of when the next update could be due.
Q: How widespread is Conficker.E?
A: Well, this update is being sent to systems running Conficker.C, which is estimated to have infected a few million systems, so that's a good starting point for how far this might go. Given that this update also leverages MS08-067, it has the potential to spread even further.
Q: Is it time to panic?
A: Yes!!! ... Nah, of course it isn't. Update your PCs, scan your systems and get on with life.
Q: What should I do if I/a client/a colleague/a friend/a family member is still worried?
A: Send them here for a quick and simple test. If that's not enough, send them to the Sunbelt Software or BDTools site so they can scan their systems for Conficker.
Don't Panic! :-)