Thursday, April 09, 2009

Conficker/Kido starts with upgrade ...

The Conficker worm has started to update infected machines with a mystery package of data. It sprang into life late on 8 April. Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate.
In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the older variant. The increased activity of Conficker/Kido and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.
This latest Conficker/Kido variant - Net-Worm.Win32.Kido.js (Kaspersky Lab name)- is very different to the previous ones, with some notable points: once again it’s a worm, and it’s only functional until 3rd May. Kido doesn’t only download updates for itself; it’s the other files it downloads which really make the story interesting.
One of the files is a rogue antivirus application. The rogue software, SpywareProtect2009, can be found on,, spywareprotector-2009. You can find a picture on the weblog from Kaspersky Lab.
And this is possibly not the end yet...