
It’s ALIVE! Conficker downloads payload

After skipping out on its April 1 debutante ball, the Conficker worm has returned with a smile and a new payload. The worm has begun to update infected clients with a strain researchers are calling Conficker.E, and the update process has offered some interesting insight into the worm's possible origins.

In a post on Trend Micro’s Countermeasures blog, Rik Ferguson explains what’s going on:

As well as reactivating the original propogation (sic) functionality, this new variant sheds some extra light on possible links with other malware and origins of the worm. This new Downad/Conficker variant is talking to a server which is known already for being associated with the Waledac family of malware, in order to download further malicious components. These components have so far been missing, but could this finally be the “other boot dropping” that we have all been waiting for?

Waledac has, for a while now, been suspected to be the latest offering from the people behind the Storm botnet. Could it be that Downad/Conficker, Waledac and Storm all originate from the same cybercriminal gang?

Conficker’s original method of propagation exploits a hole that Microsoft fixed in October; that routine, which had been removed from March’s -C variant, has now returned. More interestingly, the new variant is set to delete itself without a trace on May 3.

Trend Micro’s threat info page explains:

It creates a temporary .SYS file which is detected by Trend Micro as TROJ_DOWNAD.E. It then creates a service using the said .SYS file, thus the malicious routines of this malware are also exhibited in the system. After creating the service, the temporary file is deleted.

It modifies the limit on the maximum number of TCP half-open connection attempts. After doing this, the created driver service is unloaded and deleted, leaving no trace in the registry.

It creates a thread that opens a random port to communicate with a remote computer.
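The behaviour Trend Micro describes above (a driver dropped as a temporary .SYS file, installed as a service, then unloaded and deleted so that neither file nor registry entry remains) leaves a short-lived trail in event logs even though nothing survives on disk. The following is an added detection example written for this article, not code from Trend Micro or from the original post. It runs a simple heuristic over pre-parsed event records: a service-install event (Windows System log Event ID 7045, "A service was installed in the system") for a kernel-mode driver whose image path points into a temp directory is a candidate, and the score rises if the file or the service is deleted shortly afterwards. The record layout, the timestamps, the service names and the paths in the sample are all constructed for illustration and do not follow any vendor's log schema.

```python
"""Heuristic detector for the transient-driver pattern: a .SYS file written
to a temp directory, installed as a kernel-mode service, then deleted.

Event records are a constructed, simplified layout (not a real vendor schema).
Only the Windows System log Event ID 7045 (service installed) is real; the
"service_deleted" and "file_deleted" record kinds stand in for whatever
file/registry telemetry (e.g. an EDR or Sysmon feed) a deployment has."""
import re
from dataclasses import dataclass

# Image paths under a per-user or system temp directory (case-insensitive).
# Kernel driver paths are often logged as \??\C:\..., which this still matches.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Event:
    ts: int                  # seconds since epoch (constructed values below)
    kind: str                # "service_installed" | "service_deleted" | "file_deleted"
    name: str = ""           # service name (for service events)
    path: str = ""           # image path (service_installed) or file path (file_deleted)
    service_type: str = ""   # as reported in Event ID 7045, e.g. "kernel mode driver"


# Constructed sample: one benign user-mode service, one benign driver installed
# from the normal drivers directory, and one temp-directory driver that is
# deleted and unregistered within seconds of being installed.
SAMPLE_EVENTS = [
    Event(1000, "service_installed", "Spooler",
          r"C:\Windows\System32\spoolsv.exe", "user mode service"),
    Event(1010, "service_installed", "tmpdrv01",
          r"\??\C:\Windows\Temp\x7g4q.sys", "kernel mode driver"),
    Event(1012, "file_deleted", path=r"\??\C:\Windows\Temp\x7g4q.sys"),
    Event(1030, "service_deleted", "tmpdrv01"),
    Event(1100, "service_installed", "exampledrv",
          r"C:\Windows\System32\drivers\exampledrv.sys", "kernel mode driver"),
]


def is_temp_driver_install(ev: Event) -> bool:
    """True for a kernel-mode driver service whose image is a .SYS in a temp dir."""
    return (ev.kind == "service_installed"
            and ev.service_type.lower().startswith("kernel")
            and ev.path.lower().endswith(".sys")
            and TEMP_DIR_RE.search(ev.path) is not None)


def find_transient_driver_services(events, window: int = 600):
    """Return one finding per suspicious driver install.

    score 1: kernel driver installed from a temp directory
    score 2: ...and the .SYS file or the service was removed within `window` s
    score 3: ...and both were removed (the full unload-and-delete pattern)
    """
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(ordered):
        if not is_temp_driver_install(ev):
            continue
        later = [e for e in ordered[i + 1:] if e.ts - ev.ts <= window]
        file_gone = any(e.kind == "file_deleted"
                        and e.path.lower() == ev.path.lower() for e in later)
        svc_gone = any(e.kind == "service_deleted"
                       and e.name == ev.name for e in later)
        findings.append({
            "service": ev.name,
            "path": ev.path,
            "ts": ev.ts,
            "file_deleted": file_gone,
            "service_deleted": svc_gone,
            "score": 1 + int(file_gone) + int(svc_gone),
        })
    return findings


if __name__ == "__main__":
    for f in find_transient_driver_services(SAMPLE_EVENTS):
        print(f"[score {f['score']}] service={f['service']} path={f['path']} "
              f"file_deleted={f['file_deleted']} service_deleted={f['service_deleted']}")
```

The point of scoring rather than alerting on the install alone is that legitimate installers also drop drivers into temp directories; it is the install-then-vanish sequence, with nothing left in the registry afterwards, that matches the description above. In a real deployment the 7045 events come from the System log and the deletion events from whatever file and registry telemetry is available, and the time window should be tuned to how quickly that telemetry arrives.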

The theory goes that the new code is a keylogger or part of a larger package that the botnet is preparing to distribute later on. All the while, researchers are especially keen on the relationship to the Storm Worm, which took unsecured computers by storm throughout the spring of 2007. Researchers believe that this relationship may mean that the same cybercrime ring is behind both worms, giving authorities a direction in their hunt to arrest Conficker’s creators.


2 Comments:

  1. MiracleManS
    Mediocrity Gets You Pears

    The story of this little thing just gets more and more interesting.

    From a purely academic standpoint there's so much to learn here. Philosophically (how/why/when/what makes this work so well?), Sociologically (the way in which this causes panic), and Rationally (how does this work in a physical system? What path does it take? How can we stop this from being a problem in the future?), it's got me interested unlike any piece of malware/virus/spyware ever has.

  2. Basically it all boils down to the same advantage used by every other virus:

    Windows users are lazy tards that don't update their machine.
