Ivan Macalintal, a Trend Micro advanced threats researcher, said Conficker began showing activity on Tuesday, nearly a week after the expected April 1 activation date that had computer security experts on alert around the world.

“As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update,” Macalintal wrote in a post late Wednesday on the TrendLabs Malware blog. “The Conficker/Downad P2P communications is now running in full swing!”

Macalintal said the worm was connecting to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com to detect whether a host computer is connected to the web.

After performing the test, it deletes any traces of itself in the infected machine, he said, adding that it is scheduled to stop running the test on May 3.

“It runs and deletes all traces, no files, no registries etc.,” he said.

The worm remains present on an infected machine, however, and could be activated at a later date.

Trend Micro is monitoring the worm on an infected computer as part of the Conficker Working Group of security experts.

A task force assembled by Microsoft has been working to stamp out Conficker, also referred to as DownAdUp, and the software colossus has placed a bounty of US$250,000 on the heads of those responsible for the threat.

The worm, a self-replicating program, takes advantage of networks or computers that haven’t kept up to date with security patches for Windows.

It can infect machines from the Internet or by hiding on USB memory sticks carrying data from one computer to another.

Conficker could be triggered to steal data or turn control of infected computers over to hackers amassing “zombie” machines into “botnet” armies.

Source: AFP