Hi Marc & CharleyO,
Yes, Conficker-C digs in deeper and kills all these processes when found:
Any processes found on an infected machine that contain an antivirus or security analysis tool string from the list below are killed:
• wireshark
• unlocker
• tcpview
• sysclean
• scct_
• regmon
• procmon
• procexp
• ms08-06
• mrtstub
• mrt.
• mbsa.
• klwk
• kido
• kb958
• kb890
• hotfix
• gmer
• filemon
• downad
• confick
• avenger
• autoruns
It also has another registration algorithm. In short, the third version represented in the Downadup.C module is designed mainly to provide more protective actions to infected Windows-based machines so they can better defend themselves from anti-virus software and other eradication methods.
"It's more aggressive, it has more services, but only for those already infected with the previous worm"
polonus
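
The kill list above can be turned into a triage check. This is an added example, not part of the post and not taken from any analysis of the worm: it flags hosts where two or more tools whose names contain a listed string exited almost immediately after starting. The record layout, the 5-second lifetime, the two-tool minimum, case-insensitive matching and the sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Strings quoted in the post above; a process name only has to contain one.
KILL_STRINGS = [
    "wireshark", "unlocker", "tcpview", "sysclean", "scct_", "regmon",
    "procmon", "procexp", "ms08-06", "mrtstub", "mrt.", "mbsa.", "klwk",
    "kido", "kb958", "kb890", "hotfix", "gmer", "filemon", "downad",
    "confick", "avenger", "autoruns",
]

@dataclass
class ProcRecord:              # hypothetical process start/exit record
    host: str
    image: str                 # executable file name
    start: float               # seconds
    end: Optional[float]       # None means still running

def matched_strings(image):
    """Listed strings contained in a process name (case-insensitive: assumption)."""
    name = image.lower()
    return [s for s in KILL_STRINGS if s in name]

def short_lived_tools(records, max_lifetime=5.0):
    """Records whose name matches the list and that exited within max_lifetime."""
    return [r for r in records
            if r.end is not None
            and r.end - r.start <= max_lifetime
            and matched_strings(r.image)]

def suspicious_hosts(records, max_lifetime=5.0, min_tools=2):
    """Hosts where at least min_tools distinct matching tools died quickly."""
    tools = {}
    for r in short_lived_tools(records, max_lifetime):
        tools.setdefault(r.host, set()).add(r.image.lower())
    return sorted(h for h, names in tools.items() if len(names) >= min_tools)

# Constructed sample records, not real telemetry.
SAMPLE = [
    ProcRecord("ws-01", "procexp.exe", 100.0, 101.2),
    ProcRecord("ws-01", "autoruns.exe", 130.0, 130.9),
    ProcRecord("ws-01", "notepad.exe", 140.0, 141.0),
    ProcRecord("ws-02", "wireshark.exe", 50.0, 3650.0),
    ProcRecord("ws-02", "Windows-KB890830-V2.8.exe", 60.0, 61.0),
    ProcRecord("ws-03", "tcpview.exe", 10.0, None),
]

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE))
```

A single short-lived match, as on ws-02 in the sample, stays below the threshold because installers and scanners often exit quickly on their own.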