get /vulubmqa http/
get /npms http/
get /wvmvcnrb http/
Each random string change after a random (maybe) time, so it's very difficult follow the behaviour. A good choice may be change at runtime the timer with a slow time for a better dissecting. The following screenshot shown the code zone where they was seen.. just "created" by the worm.
During the test, it was seen that one command generate a png image content http response while another one generate a binary stream http response. A better investigation is progress. If possible will be published raw data provided by conficker.e as http response