that it has found a new variant of the virulent worm that will identify antivirus software or security analysis tools running on the infected PC, and attempt to shut down those programs. This is a strong signal that the worm's mysterious creators haven't abandoned their creation in the face of worldwide attention, as some in the industry have theorized, but may still have plans to make a buck off their work.
Vincent Weafer, Vice President, Symantec Security Response, says the company has only seen the new variation as an update that was sent to an existing worm on a honeypot (a machine that's purposely left infected to watch for updates and changes). Symantec hasn't yet seen this functionality in a new worm variant that can spread on its own, Weafer says, but that may be coming.
In addition to the strike against security software, which is a common tactic for malware, the new functionality also expands the lists of domains Conficker will check each day for updates from 250 to 50,000. This is a clear attempt to counter that attempts to block access to those domains each day.
That coalition is largely successful, Weafer says, but while the worm's ability to reach a domain for an update is much lowered, it's not zero. And if one infected PC in a network can sneak through to pick up this update, it may be able to spread it to other already infected PC's using . Weafer estimates current infections in the hundreds of thousands, down from millions after a heavy worldwide cleanup effort.
Also, Symantec is still in the process of investigating the new code, according to Weafer, and may still find other new tricks in the new variant.