A New Downadup Variant? 

Feb 23, 2009 12:28 PM

Over the last few days many reports have emerged concerning a new variant of Downadup (a.k.a. Conficker), which has been dubbed Downadup.B++ or Conficker.C. While one could categorize Downadup into three variants (or even more), Symantec products will detect all known variants of Downadup as either Downadup.A or Downadup.B.
Unfortunately, in addition to differences in names, variant differentiation also exists between vendors. Some vendors have a different detection for every single Downadup binary—with a differing MD5 hash—resulting in more than 30 different Downadup “variants.” Some others don’t differentiate at all and just have a single name with no variant differentiation.
However, the important point regarding Downadup is not whether this is another variant, but rather whether it is a new variant, i.e., whether it has been released recently. Fortunately, Downadup.B++ / Conficker.C is not a newly released variant. It has been around since the main outbreak of Downadup, and most vendors already have detections for it.
The main item that has prompted the industry to highlight this sample as another variant is the emergence of its peer-to-peer behavior. This behavior was analyzed and discussed previously, in detail, by Eric Chien in the blog entry Downadup: Peer-to-Peer Payload Distribution. Symantec customers have been protected from this Downadup.B++ / Conficker.C variant for some time now, as long as they have kept their definitions up to date.
Message Edited by Trevor Mack on 02-24-2009 08:01 AM
