A new version of the Conficker worm is set to hit desktops on April 1.
According to Don DeBolt, director of threat research at CA, the variant will be released on April Fools' Day and ‘generate 50,000 URLs daily’. He claimed that generating a large number of URLs will disguise where it may be calling to download instructions.
CA further claimed that it did not know exactly what those instructions might be, but it could involve downloading more malicious code or destroying files.
Following on from the detection of a second variant of Conficker, named ‘W32.Downadup.C’ by Symantec's Peter Coogan, which was being pushed out to infected computers, the new variant appears to have defensive capabilities that weren't present in earlier versions.
While it spreads in the same manner, ‘Conficker.C’ can disable some of the tools used to detect and eradicate it, including anti-virus and other anti-malware detection tools.
In a further detection, Trend Micro found another variant named WORM_DOWNAD.KK. Technical Communications spokesperson Jake Soriano claimed that it closely follows the trail of WORM_DOWNAD.A and WORM_DOWNAD.AD, the latter of which was discovered late last month to have updated its functionality.
WORM_DOWNAD.KK attempts to connect to around 500 randomly selected domains at a time, a modification seen as an effort to add survivability to the DOWNAD botnet. Like the other DOWNAD worms, this new variant also blocks access to anti-virus-related sites and terminates security tools.
Trend Micro advanced threats researcher Paul Ferguson said that blocking these domains is almost impossible not only because of the daily volume, but also because there is a high possibility of legitimate domain collisions where DOWNAD generates domains already in use by legitimate entities.
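Because blocklisting the generated names is impractical for the reasons Ferguson gives, a defender can instead look at per-client DNS behaviour. The following is an added example, not code from the article or from any vendor named in it: it flags clients whose lookups are dominated by distinct names that fail to resolve. The log layout (`timestamp client qname rcode`), the thresholds, the sample data and the premise that most generated names are unregistered are all assumptions.

```python
from collections import defaultdict

def parse_line(line):
    """Parse one record in the assumed 'timestamp client qname rcode' layout."""
    _ts, client, qname, rcode = line.split()
    return client, qname.rstrip(".").lower(), rcode.upper()

def flag_dga_clients(lines, min_failed=20, min_fail_ratio=0.8):
    """Return {client: (distinct_failed, distinct_total)} for clients that look
    up many distinct names, most of which do not exist (NXDOMAIN).
    Thresholds are illustrative assumptions, not tuned values."""
    seen = defaultdict(set)      # client -> every distinct name queried
    failed = defaultdict(set)    # client -> distinct names answered NXDOMAIN
    for line in lines:
        if not line.strip():
            continue
        client, qname, rcode = parse_line(line)
        seen[client].add(qname)
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
    flagged = {}
    for client, names in seen.items():
        nfail = len(failed[client])
        if nfail >= min_failed and nfail / len(names) >= min_fail_ratio:
            flagged[client] = (nfail, len(names))
    return flagged

def build_sample():
    """Constructed sample log: one noisy client and one ordinary client."""
    lines = []
    for i in range(40):
        # Every tenth name resolves, standing in for a collision with a
        # legitimately registered domain; a name blocklist would break those.
        rcode = "NOERROR" if i % 10 == 0 else "NXDOMAIN"
        lines.append(f"2000-01-01T00:00:{i:02d} 10.0.0.5 n{i:04x}kq.example {rcode}")
    for i, name in enumerate(["www.example.com", "mail.example.org", "typo.invalid"]):
        rcode = "NXDOMAIN" if name.endswith(".invalid") else "NOERROR"
        lines.append(f"2000-01-01T00:01:{i:02d} 10.0.0.9 {name} {rcode}")
    return lines

if __name__ == "__main__":
    for client, (nfail, total) in flag_dga_clients(build_sample()).items():
        print(f"{client}: {nfail}/{total} distinct names failed to resolve")
```

Keying on the client rather than the domain means a name that collides with a legitimate site is never blocked; the infected host is what gets surfaced for cleanup.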