The Conficker worm has begun to update the machines it has infected with a new set of instructions to spread to other machines and then self-destruct, security experts say.
Security researchers tracking the worm said some of the infected computers began receiving instructions on April 7 from other infected machines. Conficker is able to send updates to computers it has infected either by directing the computers to visit websites or through a peer-to-peer network of infected machines.
Last week Conficker had computer and internet organizations worldwide up in arms against it because it was known that a variant of the worm would begin accelerating the speed with which it reached out to websites on April 1.
It was thought the worm might send out instructions that day, but instead it appears to have waited a week before doing so, and rather than sending the instructions through a website, it sent them over the peer-to-peer network.
The instructions tell the computers to attempt to contact other computers and exploit a vulnerability in older Microsoft Windows products — Windows 2000, Windows XP and Windows Server 2003 — that would allow the worm to take over the computer and expand its network of infected machines.
The instructions had appeared on previous versions of the worm but were removed in the Conficker C variant, leading security experts to believe the people behind the virus were trying to temporarily slow its growth to make it harder to track.
The new instructions also direct computers to visit established websites such as myspace.com, msn.com, ebay.com, cnn.com, and aol.com, but once there no code is downloaded or weaknesses are exploited, leading some firms to suggest the worm is simply checking to confirm the computer is connected with the internet.
The instructions also appear to have a time limit, Symantec reports. On May 3, 2009, the new instructions will not only stop running, but the worm will activate a self-removal program, although it’s not known when it does this whether it will leave behind some legacy of the worm or perhaps another, different worm.
Kevin Haley, director of Symantec Security Response, said the self-destruction instruction is unique, and may be the virus writer’s way of making it harder for users to track its progress.
“Conficker is the name on everybody’s lips right now, so if you remove the traces of Conficker but leave something else behind, users won’t know what to look for,” he said.
Symantec has speculated Conficker might be connected to another spam bot, called Waledac.