Multiple sources have determined that the Conficker worm, which has already amassed a large botnet, will change its behavior on April 1st. It is suspected that this new behavior will result in the worm updating itself or installing additional malware onto infected PCs.
We are releasing two IDP signatures today to detect this new Conficker behavior. The first, WORM:CONFICKER:C-ACTIVITY, detects Conficker.C making HTTP requests to get the date from popular internet websites. The second, WORM:CONFICKER:C-ACTIVITY-2, detects Conficker.C attempting to update itself by downloading an executable file from a malicious web server.
These signatures aren't protective measures, but function to alert to machines that are possibly infected with Conficker.C. If you see these signatures being detected in your network, the PC using the source IP address might be infected with Conficker.