A new modification of Win32.HLLW.Shadow.based (also known as Kido/Conficker) has been discovered by virus analysts of Doctor Web. The worm ensures operation of the Shadow botnet that is expected to switch to another operation mode on April 1, 2009.

On April 1 2009 malicious software on all computers compromised by Win32.HLLW.Shadow.based will be updated. The worm will generate 50 000 domain names every twenty four hours and use 500 domains from the list to receive instructions regarding its operation. The updating process will be controlled to prevent a significant increase in computing load of hosting servers and make sure that the malicious activities will remain undetected.

There are several ways in which Win32.HLLW.Shadow.based spreads. Typically it gets into a system from a data storage device or from a network drive. The worm also uses the SMB protocol of Windows networks and performs brute force dictionary attacks to access target machines remotely. Besides, it takes advantage of the Windows vulnerability resolved by an update described in the Microsoft Security Bulletin MS08-067.

Doctor Web applies to irresponsible users who don’t care if their machines have been compromised. Inaction causes almost as much damage as Win32.HLLW.Shadow.based itself for your computers become zombies in the botnet that help spread the worm and make the botnet larger.

Users of other anti-viruses are recommended to do the following:

1. Immediately install all security updates as Win32.HLLW.Shadow.based uses known Windows vulnerabilities.
2. Update virus databases.
3. If your anti-virus doesn’t detect the worm or can’t cure the system of the malicious program use the latest version of Dr.Web CureIt! to perform the full scan of your system.

Users of Dr.Web anti-viruses are protected from all modifications of Win32.HLLW.Shadow.based.