There’s been a lot of media interest in the last few days regarding what the Conficker worm might do on April Fool’s Day.
Well, here’s the bad news. I’m afraid it’s not possible for us to analyse any potential payload as it is not yet present in the Conficker code.
Some people have got rather confused as to what the April 1st deadline really means. The truth is that Conficker is not set to activate a specific payload on April 1st. Rather, on April 1st Conficker will begin attempting to contact a pool of 50,000 potential call-home web servers each day, from which it may receive updates.
So, setting the PC’s clock forward to April 1st will not allow anyone to analyse the payload as it won’t be available for download yet.
By the way, there is no guarantee that the download will happen on April 1st – it could happen on any day after that depending on when the authors choose to register a domain out of the 50,000 for each day.
Let’s not forget that history has shown us that focusing on a specific date for an impending malware attack has sometimes led to nothing more than a damp squib.
Of course, if you are infected by the Conficker worm, now would be a very good time to download a free Conficker removal tool.
More information about Conficker:
- Passwords used by the Conficker worm
- How to stop the Conficker worm on an unpatched PC
- Download a podcast where Sophos expert Paul Ducklin discusses the true threat posed by the Conficker virus, with Patrick Gray, host of the ITRadio programme ‘Risky Business’
* Image source: Jean et Melo’s Flickr photostream (Creative Commons)