Conficker spreads as Waledec delivers mal-entine

The Conficker/Downadup worm continues spreading via a Windows hole and USB devices, while a Waledec worm tricks victims with Valentine e-mail.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

Jan. 29, 2009 2:57 p.m. PT

2 min read

The Waledec worm lures people into downloading malware with the promise of receiving a Valentine. Trend Labs Malware Blog

Security experts are tracking two computer worms that have infected millions of PCs and are creating botnets that can be awakened at any time.

More than 9 million computers have already been infected with the Conficker, or Downadup, worm that spreads via a hole on unpatched Windows machines (Microsoft issued an emergency patch to plug the hole in October), by USB devices and other removable storage devices, and can use a built-in password cracker to guess weak network passwords.

Infected machines send an alert back to a host machine, providing location and other information about the infected machine, and attempt to find other IP addresses to continue spreading. It blocks access to domains where antivirus tools are located and has other programming that makes it difficult to disinfect, Paul Ferguson, an advanced threats researcher for Trend Micro, said on Thursday.

Conficker is rated as a critical threat for Windows 2000, XP, and Windows Server 2003. But beyond spreading, Conficker so far hasn't done much--which has experts worried.

"There may be another boot that's going to drop," Ferguson said. "It's purely speculation, but to have that many PCs out there infected and not doing anything with them doesn't make sense."

And now there is another botnet surfacing from computers that are being infected with a worm called Waledac that attracts victims with a Valentine's Day-related e-mail.

The e-mail contains a link to a page with images of about a dozen hearts on it and asks "Guess which one is for you?" Once an image is clicked on the visitor is prompted to download an executable file which can install malicious code, according to a an advisory issued on Thursday by the United States Computer Emergency Readiness Team. The worm spreads by spamming e-mail addresses on the infected machine.

"Waledec is the new Storm," Ferguson said, referring to the prolific e-mail worm that has been cropping up since at least 2007. "The same people wrote it; it's almost identical to Storm."

In fact, there could be one group behind both Conficker and Waledec/Storm, he speculated. "My suspicions are that they are (the same creators) because there are some hints (in the coding) that indicate that it is being developed by the same organization."