Technology.am (Apr. 11, 2009) —Another feature of the Conficker worm have been detected by researchers giving an extra clue about the intention of the creators–the worm installs malware that masquerades as antivirus software, Trend Micro said on Friday.

The worm is downloading a program called Spyware Protect 2009 and displaying warning messages saying that the computer is infected and offering to clean it up for $49.95, according to the Trend Micro blog.

The fake antivirus program also attempts to install a Trojan downloader that is programmed to download new versions of Spyware Protect 2009, according to Kasperky Lab’s blog. However, the domain the Trojan downloader was being accessed from has been shut down, the blog said.

The fake antivirus feature further bolsters the speculation that the motivation behind the worm is to make money and not a desire to disrupt computer or network operations.

Researchers were still analyzing new component code of the worm that began being spread via peer-to-peer and being downloaded off domains that host the Waledec worm on Wednesday but were finding the task difficult because the instructions are encrypted.

Nearly 60 percent of the infections monitored by IBM ISS are in Asia, followed by 18 percent each in Europe and South America, and 4 percent in North America, the statistics show. By country, China leads with 16.6 percent, followed by Brazil at 10.8 percent, Russia at 10.2 percent and Korea at 4.6 percent, according to ISS.