Conficker raises its ugly head

Until this week, Conficker hadn’t done much beyond duplicating itself and spreading. It looks like it has finally started acting beyond that.

Early yesterday, a posting at viruslist reported that:

The computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling infected machines to download new malicious files.

This latest Kido variant – Net-Worm.Win32.Kido.js – is very different to previous ones, with two notable points: once again it’s a worm, and it’s only functional until 3rd May.

Infected machines can show an offer for scareware that promises to clean the PC for $49.95. Besides the scareware download attempt, Conficker may also download:

  • an update for a variant that will allow the worm to spread using a Microsoft vulnerability, stop existing programs, and block attempts to reach additional domains

  • Email-Worm.Win32.Iksmas.atz to infected systems. This email worm is also known as Waledac, and may be able to steal data and send spam.

An eyechart from the Conficker Working Group makes it easy to determine if you are infected.

See the removal instructions at Microsoft and Symantec, and this blog for insight on using group policies to deal with Conficker in an Active Directory environment.
