From the “Evolution is not always a good thing” files:
Conficker, the dreaded much-hyped worm that was supposed to trigger “something” on April 1st but didn’t has evolved (again). Multiple anti-virus vendors are now reporting a new variant of Conficker (called WORM_DOWNAD.E by Trend Micro and W32/Confick-D by Sophos).
The new Conficker variant also has an activation date attached to it — this time it’s May 3rd.
According to Trend Micro the new variant runs in random file name and random service name. It also deletes its original download, leaving no traces in the Windows registry. What that means is if you’re just looking for a file that say “conficker,” you’re not going to find it.
In my opinion, detecting it should be as straight forward as previous Conficker iterations. For one, this version of Conficker opens up (according to Trend Micro) port 5114 to serve as an HTTP server.