04 February 2009
An Analysis of Conficker's Logic and Rendezvous Points: http://mtc.sri.com
Describes Conficker Variants A and B

18 February 2009
Update: An Analysis of Conficker's Logic and Rendezvous Points: http://mtc.sri.com
Introduces Conficker Variant B++

08 March 2009
Conficker  C Analysis:   http://mtc.sri.com/addendumC
Describes Conficker Variant C.


03 March 2009

• 1) The Symantec article does not illustrate that there are multiple variants of B. It simply says B has two mechanisms to distribute payload: rendezvous points and upload_through_patch mechanism. This led us to believe the original version of B was being discussed. It turns out the upload_through_patch mechanism might be absent in the original B version and this article was referencing a more advanced version.
• 2) It does not make any reference to named-pipes being used as a delivery mechanism.

At this point, we are not sure if Eric's blog entry refers to the original B-variant we analyzed, B++, or a different variant.

Nevertheless, our report is the first  to demonstrate that there are at least two variants of B (B, B++), which contact the same set of rendezvous points and that the differences between these variants run deeper than MD5s. With the rendezvous points vector largely defanged by the actions of the Cabal, the former presents a less potent threat than the latter. Thus, knowing the differences between these two families (and their respective sizes) is critical in assessing the magnitude of Conficker's threat.