Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Microsoft Malware Protection Center - Conficker.E

The Microsoft Malware Protection Center has developed a comprehensive analysis of the new "E" variant:

Microsoft Malware Protection Center - Conficker.E
http://blogs.technet.com/mmpc/archive/2009/04/09/win32-conficker-variants-update.aspx

QUOTE: However, deeper analysis shows the following (reminder, we are continuing to research this, but the differences are significant enough that we will be designating this new variant as Conficker.E):

* Exploits MS08-067

* Contains code to spread via network shares

* Drops a driver similar to early variants, using the same mechanisms as Conficker.B.

* Opens a web listener on a pseudo-random port between 1024 and 9999 based on the volume serial number of the system drive.

* Appears to append a stream of randomly generated garbage to itself before offering itself for further propagation.  (This will result in untrustworthy file identification information like the ones I use above to inform other researchers as to the specific variant I am talking about; but our community can work its way around that.)

* Contains some of the same IP-filtering used in Conficker.D (Don’t go to certain IP ranges)

* Periodically connects to the following URLs to check for internet connectivity:

* Periodically connects to one of the following sites (at random) to determine its external IP address:

* Deletes itself on and after May 3rd 2009

* Uses SSDP to find Internet gateway devices (i.e. routers) and issues a SOAP command on the device to open an external TCP port and redirect it to an internal IP:port.

* Drops a DLL component that contains P2P functionality

* A very key difference between the .E variant and previous A-D variants.  The .E variant executes simultaneously with the existing Conficker.D already on that infected machine.
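The SSDP/SOAP behaviour in the list above is ordinary UPnP Internet Gateway Device (IGD) traffic: an SSDP M-SEARCH multicast to find the router, then an AddPortMapping SOAP action against its WANIPConnection service to forward an external port to an internal IP:port. The following Python is an added example, not code from the MMPC post or from Microsoft, showing what that exchange looks like on the wire and a small heuristic for spotting a port mapping that matches the description (TCP, forwarded to a private host, permanent lease, internal port in the 1024-9999 range). The SSDP reply and SOAP body are constructed sample data; the heuristic thresholds are assumptions for illustration, not signatures from the post, and the pseudo-random port derivation itself is not reproduced because the post does not give it.

```python
import ipaddress
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH datagram a client (or the worm) multicasts to discover gateways."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_ssdp_response(raw):
    """Return the header map of an SSDP unicast reply; LOCATION points at the device description."""
    text = raw.decode("ascii", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP OK response")
    headers = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def parse_add_port_mapping(soap_xml):
    """Extract the AddPortMapping arguments from a WANIPConnection SOAP request body."""
    root = ET.fromstring(soap_xml)
    for el in root.iter():
        # UPnP argument elements are unqualified; the action element carries the service namespace.
        if el.tag == "{%s}AddPortMapping" % WANIP_SERVICE:
            return {child.tag.split("}")[-1]: (child.text or "").strip() for child in el}
    raise ValueError("no AddPortMapping action found")


def mapping_findings(m, listener_range=(1024, 9999)):
    """Heuristic (assumed, illustrative) checks on one mapping; returns a list of reasons it looks suspect."""
    findings = []
    proto = m.get("NewProtocol", "").upper()
    ext_port = int(m.get("NewExternalPort", 0))
    int_port = int(m.get("NewInternalPort", 0))
    client = m.get("NewInternalClient", "")
    lease = int(m.get("NewLeaseDuration", 0))
    try:
        private = ipaddress.ip_address(client).is_private
    except ValueError:
        private = False
    if proto == "TCP" and private:
        findings.append(f"TCP {ext_port} forwarded to internal host {client}:{int_port}")
    if listener_range[0] <= int_port <= listener_range[1]:
        findings.append("internal port in the %d-%d range" % listener_range)
    if lease == 0:
        findings.append("permanent lease (NewLeaseDuration=0)")
    if not m.get("NewPortMappingDescription"):
        findings.append("no mapping description")
    return findings


# Constructed sample data (not captured traffic).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

SAMPLE_SOAP = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>6231</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>6231</NewInternalPort>
<NewInternalClient>192.168.1.23</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription></NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping>
</s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print(build_msearch().decode())
    print(parse_ssdp_response(SAMPLE_SSDP_REPLY)["LOCATION"])
    mapping = parse_add_port_mapping(SAMPLE_SOAP)
    for reason in mapping_findings(mapping):
        print("finding:", reason)
```

On a real network the SOAP request goes to the control URL advertised in the device description at LOCATION, so a defender can pull AddPortMapping bodies from a capture of traffic to that URL (or poll the router's GetGenericPortMappingEntry table) and run them through mapping_findings; a legitimate application usually sets a description and a finite lease, which is why those two checks are included.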