By Gregg Keizer
March 1, 2009

Computers infected by the Downadup worm will "phone home" to several
legitimate URLs this month, including one owned by Southwest Airlines,
potentially disrupting those sites, a security researcher said Sunday.

According to a researcher at Sophos Plc., the Downadup worm -- also
known as Conficker -- will try to contact wnsux.com on March 13 for
further instructions. That URL, however, is owned by Southwest Airlines,
and redirects visitors to the airline's primary southwest.com address.

"On March 13, the millions of machines infected with Conficker will be
contacting wnsux.com for further instructions," said a Sophos researcher
identified as MikeW in an entry on the company's blog. "They won't get
any [instructions], but that may certainly disrupt the operation of

Once it has infected a PC, Downadup generates a list of 250 possible
domains -- the list changes daily -- selects one, then uses that URL to
reach a hacker-controlled server from which it downloads additional
malware to install on the hijacked computer. The wnsux.com address is
one of the 7,750 domains that the worm may use during March, said MikeW.