How to clean up a W32.Changeup infection
Article: TECH201560 | Created: 2013-01-11 | Updated: 2013-04-25 | Article URL: http://www.symantec.com/docs/TECH201560
Problem
Detections or behavior on one or more computers in your network are associated with W32.Changeup.
Error
Folders and files on file shares are being hidden and renamed. Clients and file servers have suspicious new files, e.g. porn.exe, passwords.exe, sexy.exe and secret.exe, which reappear after deletion.
Cause
Possible infection with W32.Changeup. Other vendors detect the same threat under the following names:
W32/Autorun.worm.aaeh [McAfee]
Gen:Variant.Symmi.6831 [F-Secure]
Worm.Win32.VBNA.b [Kaspersky]
Win32/Vobfus.MA [Microsoft]
Trj/CI.A [Panda Software]
W32/Autorun-BZN [Sophos]
WORM_VOBFUS.SMM2 [Trend]
Solution
Following is our Security Response writeup on W32.Changeup:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99
Symantec Security Response Blog: W32.Changeup keeps on giving:
http://www.symantec.com/connect/blogs/w32changeup-keeps-giving
Symantec Security Response Blog: Chicken or Egg: Where does W32.Changeup Come From?
http://www.symantec.com/connect/blogs/chicken-or-egg-where-does-w32changeup-come
Symantec Security Response Blog - W32.Changeup - A Malicious Gift That Keeps On Giving
http://www.symantec.com/connect/blogs/w32changeup-malicious-gift-keeps-giving
The clean up plan for a W32.Changeup infection on a network:
1. Disable Autorun on every machine, with no exceptions. See http://support.microsoft.com/kb/967715
2. On your external firewall, block the following ports and domains
- 7005
- 8003
- 9002
- 9003
- 9004
• See the end of this document for an updated list of domains to be blocked.
3. Identify the threat.
Common file names include: porn.exe, passwords.exe, sexy.exe and secret.exe.
Run a basic Full Scan on a workstation or server after it has been updated with the latest Rapid Release definitions:
32-bit version
http://definitions.symantec.com/defs/rapidrelease/symrapidreleasedefsv5i32.exe
64-bit version
http://definitions.symantec.com/defs/rapidrelease/symrapidreleasedefsv5i64.exe
If the scan does not detect and clean the infection, it may be a new variant of W32.Changeup.
(Rapid Release virus definitions have undergone basic quality assurance testing by Symantec Security Response. The primary focus of these definitions is the rapid detection of newly emerging threats, and they may be augmented later with more robust detection capabilities. While Symantec Security Response makes every effort to ensure that all virus definitions function correctly, you should understand that Rapid Release-quality virus definitions do pose some risks, such as a higher potential for false positives.)
CRITICAL: Submit several samples of the .exe files (the names listed in Step 3 or other suspected .exe files; do not include .inf or .txt files) to the Security Response team at https://submit.symantec.com/websubmit/essential.cgi
Security Response will send an automated response with a tracking number to the e-mail address included with the submission. Contact Symantec Endpoint Protection technical support and forward this tracking number so that the file submission is given high priority.
4. Identify the infected machines:
• Machines with AutoProtect Alerts should be scanned with up-to-date definitions.
o How to update the SEPM with latest .jdb defs: http://www.symantec.com/business/support/index?page=content&id=TECH102607&locale=en_US
o Link for Latest Rapid release defs: http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=rr
• The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
• Traffic on the ports and domains listed in Step 2 is a good indicator of a potentially infected machine.
• File servers mapped by infected machines must be scrutinized for infection; don't forget these! Protecting and managing file servers is often the key to solving any outbreak scenario.
5. Quarantine the infected/unprotected/under protected machines:
• Changeup updates itself VERY quickly and that "unprotected server in the closet" will pull down an as-yet-undetected variant sooner or later, infecting the whole network once again.
• Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
• Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.
6. Clean the infected Machines:
• Infected machines need to be scanned clean. Safe Mode is not necessary; a basic Full System Scan is sufficient.
• See Step 3 for the download location for the latest Rapid Release definitions for clients.
• Don’t forget file servers. This bears repeating.
• Folders may have to be manually renamed or unhidden
• Windows Update may have to be manually re-enabled.
• These changes cannot be made by Symantec Endpoint Protection's automatic repair routine, because many users intentionally hide folders or disable automatic Windows Update, and the product cannot tell those cases from the worm's changes.
Note: If the computer cannot run a Full Scan, boot it to the Symantec Endpoint Recovery Tool (SERT) and scan it from there.
Contact a SEP Support Analyst for details on how to download and use the SERT with the latest Rapid Release definitions.
7. If there is any question that unprotected or under-protected machines remain on the network, enable Network Scanning.
This may degrade performance across the network and can be disabled once the infection is removed.
To enable Network Scanning from the Symantec Endpoint Protection Manager, please do the following:
• Under the Policies Tab, select Antivirus and Antispyware.
• Click the policy you would like to modify and select Edit the Policy.
• Click File System Auto-Protect.
• Under Network Settings, enable Network.
• Click OK.
• Assign the policy by clicking Assign the Policy, then check each group to which the policy should apply.
• Click Assign, then click Yes.
8. Prevent future outbreaks:
• AutoPlay/Autorun is a spreading mechanism for thousands of worms and should be disabled. Microsoft now recommends this as well. See http://support.microsoft.com/kb/967715
• An "open share" is any share that does not require authentication to access. Password-restricting shares can slow or stop a worm like this in its tracks.
• Remove write-access on shares from users not needing this level of access.
• Maintain a strict patching regimen. Changeup and threats like it often add new capabilities in response to new vulnerabilities.
• Infected customers should block the command-and-control (C&C) servers, or they will quickly be re-infected with new variants.
• Enable Network Threat Protection and Proactive Threat Protection on the machines or verify you have an external firewall. Note: The SEP Firewall (NTP) can help stop a spread within the network whereas an external firewall can help prevent an infection from getting in.
• Make sure non-Windows network storage devices (e.g. NAS devices, Linux servers) are protected as well. Contact Symantec Sales for more information: 1-800-745-6054
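The manual follow-up that Step 6 leaves to the administrator (inventory of the dropper names from Step 3, hidden folders, the Windows Update service) together with the Autorun and open-share hardening from Steps 1 and 8, as an added PowerShell example that is not part of this article. The function names, the share roots D:\Shares and \\FILESRV01\Public, and the report path are this example's own assumptions; the registry value comes from the KB967715 article linked above. Folders are only unhidden after a per-folder prompt, because, as Step 6 notes, users hide folders on purpose.

```powershell
# Added example, not part of the Symantec article: manual follow-up after the
# Step 6 scan plus the Autorun and open-share hardening from Steps 1 and 8.
# Requires PowerShell 3.0 or later and an elevated session. Share roots and
# the report path are assumptions. Every change supports -WhatIf; run with it
# first, then without it.

# File names the article associates with this threat (Step 3).
$DropperNames = 'porn.exe', 'passwords.exe', 'sexy.exe', 'secret.exe'

function Find-ChangeupDroppers {
    # Inventory only: the article notes these files come back after deletion,
    # so the fix is a clean scan, not a delete. -Force also lists hidden items.
    param([Parameter(Mandatory)][string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $DropperNames -contains $_.Name.ToLower() } |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}

function Restore-HiddenFolders {
    # Step 6 warns that users hide folders intentionally, so this prompts for
    # each folder (ConfirmImpact High) instead of clearing everything it finds.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string[]]$Roots)
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -Directory -ErrorAction SilentlyContinue |
            Where-Object { ([int]$_.Attributes -band $mask) -ne 0 } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden and System attributes')) {
                    $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot $mask))
                }
            }
    }
}

function Enable-WindowsUpdateService {
    # Step 6: automatic updates may have been switched off; put wuauserv back.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('wuauserv', 'Set startup type to Automatic and start')) {
        Set-Service -Name wuauserv -StartupType Automatic
        if ((Get-Service -Name wuauserv).Status -ne 'Running') { Start-Service -Name wuauserv }
    }
}

function Disable-Autorun {
    # Steps 1 and 8 (KB967715): NoDriveTypeAutoRun = 0xFF disables Autorun on all drive types.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if ($PSCmdlet.ShouldProcess($key, 'Set NoDriveTypeAutoRun = 0xFF')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

function Get-OpenWriteShares {
    # Step 8: non-administrative shares where Everyone or Authenticated Users can
    # write. Needs the SmbShare module (Windows 8 / Server 2012 and later).
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' -and
            $_.AccountName -match 'Everyone|Authenticated Users'
        }
    }
}

# Assumed share roots; the dropper inventory goes to the operator's temp directory.
$roots = 'D:\Shares', '\\FILESRV01\Public'
Find-ChangeupDroppers -Roots $roots | Export-Csv -Path "$env:TEMP\changeup-droppers.csv" -NoTypeInformation
Restore-HiddenFolders -Roots $roots -WhatIf   # dry run; rerun without -WhatIf to be prompted per folder
Enable-WindowsUpdateService -WhatIf
Disable-Autorun -WhatIf
Get-OpenWriteShares | Format-Table Name, AccountName, AccessRight -AutoSize
```

Run the inventory first and keep the CSV with the sample submission from Step 3; the attribute and registry changes are deliberately gated behind -WhatIf and a confirmation prompt so that a file server full of legitimately hidden folders is not flattened by mistake.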
DOMAINS TO BE BLOCKED ON YOUR EXTERNAL FIREWALL (Updated with latest list as of April 19, 2013):
| ns1.datetoday1.com |
| ns1.datetoday1.net |
| ns1.datetoday1.org |
| ns1.datetoday2.com |
| ns1.datetoday2.net |
| ns1.datetoday2.org |
| ns1.datetoday3.com |
Domains formerly used by other variants:
| - [subdomain].ddnsd.at |
| - [subdomain].noip.at |
| 3d-game.com |
| 4irc.com |
| 92is.org |
| adult-sms.com |
| alexlucas.com |
| alfataxi.info |
| antisopa.org |
| artishok.ru |
| aviationparts.com |
| b0ne.com |
| bbsindex.com |
| berlonicucine.com |
| bitbyte.biz |
| buildersbookbarn.com |
| buildingtradeseducation.com |
| bulkness.com |
| cardmoney.ru |
| chatnook.com |
| chopball.org |
| chopbell.biz |
| chopbell.com |
| chopbell.info |
| chopbell.net |
| chopstickers.biz |
| chopstickers.com |
| chopstickers.info |
| chopstickers.net |
| chopstickers.org |
| chopsuwey.biz |
| chopsuwey.com |
| chopsuwey.info |
| chopsuwey.net |
| chopsuwey.org |
| chopzones.biz |
| chopzones.com |
| chopzones.info |
| chopzones.net |
| chopzones.org |
| codeconline.net |
| couchness.com |
| darktech.org |
| ddns1.eu |
| ddnsd.at |
| ddnsx.eu:443 |
| deaftone.com |
| dnsd.me |
| drophat.com |
| dtdns.com |
| dtdns.net:443 |
| dtdns.org |
| effers.com |
| elexausa.com |
| etowns.net |
| etowns.org |
| filesponge.net |
| flnet.org |
| helpcheck2.com |
| helpchecks.at |
| helpchecks.by |
| helpchecks.com |
| helpchecks.eu |
| helpchecks.info |
| helpchecks.net |
| helpupdated.net |
| helpupdated.org |
| helpupdatek.at |
| helpupdatek.eu |
| helpupdatek.tw |
| helpupdater.net |
| helpupdates.biz |
| helpupdates.com |
| helpupdates.info |
| helpupdates.net |
| helpupdates.org |
| hitroe.com |
| howtocleanyourbody.com |
| imagehut2.cn |
| internet-against-sopa.org |
| kdns01.kz |
| mediashares.org |
| mixcoin.com |
| mixcoin.net |
| mixcoin.org |
| mobilcent.com |
| mobilcent.ru |
| msdip.com |
| musicmixa.info |
| musicmixa.net |
| musicmixa.org |
| musicmixb.co |
| musicmixc.com |
| musiczipz.com |
| mysearchhere.net |
| newbranch.org |
| nikapro.com |
| noip.at |
| no-ip1.com:81 |
| noip1.nl |
| noip2.at |
| ns[ONE NUMBER].chopbell.com:8000 |
| ns[ONE NUMBER].chopbell.net |
| ns[ONE NUMBER].chopstickers.com |
| ns[ONE NUMBER].chopsuwey.com |
| ns[ONE NUMBER].chopsuwey.net |
| ns[ONE NUMBER].chopsuwey.org |
| ns[ONE NUMBER].chopzones.com |
| ns[ONE NUMBER].chopzones.net |
| ns[ONE NUMBER].chopzones.org |
| ns[ONE NUMBER].couchness.com |
| ns[ONE NUMBER].datetoday[1-3].com:7005 |
| ns[ONE NUMBER].datetoday[1-3].net:7005 |
| ns[ONE NUMBER].datetoday[1-3].org:7005 |
| ns[ONE NUMBER].helpchecks.net |
| ns[ONE NUMBER].helpupdated.com |
| ns[ONE NUMBER].helpupdated.net |
| ns[ONE NUMBER].helpupdated.org |
| ns[ONE NUMBER].helpupdatek.at |
| ns[ONE NUMBER].helpupdatek.eu |
| ns[ONE NUMBER].helpupdatek.tw |
| ns[ONE NUMBER].helpupdater.net |
| ns[ONE NUMBER].helpupdates.biz |
| ns[ONE NUMBER].helpupdates.com |
| ns[ONE NUMBER].helpupdates.info |
| ns[ONE NUMBER].helpupdates.net |
| ns[ONE NUMBER].helpupdates.org |
| ns[ONE NUMBER].mediashares.org |
| ns[ONE NUMBER].musicmixa.net |
| ns[ONE NUMBER].musicmixa.org |
| ns[ONE NUMBER].musicmixb.co |
| ns[ONE NUMBER].musicmixc.com |
| ns[ONE NUMBER].musiczipz.com |
| ns[ONE NUMBER].mysearchhere.net |
| ns[ONE NUMBER].player1253.com |
| ns[ONE NUMBER].player1352.com |
| ns[ONE NUMBER].player1352.net |
| ns[ONE NUMBER].player1352.org |
| ns[ONE NUMBER].player1523.com |
| ns[ONE NUMBER].player1532.com |
| ns[ONE NUMBER].searchhereonline.net |
| ns[ONE NUMBER].spansearcher.net |
| ns[ONE NUMBER].theimageparlour.net |
| ns[ONE NUMBER].thepicturehut.net |
| ns[ONE NUMBER].timecheckings.com |
| ns[ONE NUMBER].timecheckings.net |
| ns[ONE NUMBER].timedate[1-3].com:7005 |
| ns[ONE NUMBER].timedate[1-3].net:7005 |
| ns[ONE NUMBER].timedate[1-3].org:7005 |
| ns[ONE NUMBER].videoall.org |
| ns1.couchness.com |
| ns1.helpchecks.com |
| ns1.helpchecks.net |
| ns1.helpupdater.net |
| ns1.helpupdates.com |
| ns1.helpupdates.net |
| ns1.timedate[1-3].com |
| ns1.timedate[1-3].net |
| ns1.timedate[1-3].org |
| paris-hack.com |
| pasta-factory.co.il |
| peazoom.com |
| peiseler.us |
| player1352.com |
| player1352.net |
| player1352.org |
| player1532.com |
| politix.ru |
| powerstationbbs.ca |
| premium-short-code.com |
| pronash.com |
| purpleoctopus.com |
| rymyheh.ru |
| scieron.com |
| seamayor.com |
| sendrome.com |
| slyip.com |
| slyip.net |
| sms-agregator.ru |
| smscoin.com |
| smscoin.net |
| smscoin.ru |
| smspay4.com |
| spansearcher.net |
| spinsearcher.org |
| suroot.com |
| tempchat.ru |
| thethoughtzone.net |
| timecheckings.com |
| timecheckings.net |
| userend.info |
| userstart.info |
| usezoom.com |
| videoall.org |
| vrera.com |
| xlget.com |
| youmult.com |
| zdns.eu |
| zm7.org |
| zoomslovenia.com |
| zvonokla.com |
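Steps 2 and 4 depend on spotting traffic to the ports and domains listed above. The following is an added PowerShell example, not part of this article, that turns entries written in the list's own notation ("[ONE NUMBER]" for one digit, "[1-3]" for a digit range, "[subdomain]." for any host under the domain, ":port" suffixes) into regular expressions and scans a firewall or proxy export for internal hosts that contacted them. The log line layout, the sample lines, the function names and the domain subset are constructed for the example; in use, paste the full list from this document into $BlockedDomains and adjust $LineRegex to your device's export format.

```powershell
# Added example, not part of the Symantec article: triage a proxy or firewall
# export for hosts that touched the W32.Changeup ports (Step 2) or the domains
# listed above (Step 4 calls such traffic a good indicator of infection).
# Requires PowerShell 3.0 or later. The log layout and the sample lines are
# constructed for this example.

$BlockedPorts = 7005, 8003, 9002, 9003, 9004

# Representative subset, copied in the article's notation. Replace with the
# full list from this document in production.
$BlockedDomains = @(
    'ns1.datetoday1.com',
    'ns[ONE NUMBER].datetoday[1-3].com:7005',
    'ns[ONE NUMBER].timedate[1-3].org:7005',
    '[subdomain].ddnsd.at',
    'helpupdates.com',
    'chopsuwey.net'
)

function ConvertTo-DomainRegex {
    # Turn one list entry into an anchored regex (PowerShell -match is
    # case-insensitive) that also matches hosts under the named domain.
    param([Parameter(Mandatory)][string]$Entry)
    $name   = ($Entry -split ':')[0]              # drop ":port"; ports are checked separately
    $anySub = $name.StartsWith('[subdomain].')
    if ($anySub) { $name = $name.Substring(12) }
    # Split so the placeholders become their own tokens; escape only literal text.
    $tokens = [regex]::Split($name, '(\[ONE NUMBER\]|\[\d-\d\])')
    $body = -join @(foreach ($t in $tokens) {
        switch -Regex ($t) {
            '^\[ONE NUMBER\]$' { '\d'; break }
            '^\[(\d)-(\d)\]$'  { "[$($Matches[1])-$($Matches[2])]"; break }
            default            { [regex]::Escape($t) }
        }
    })
    $labels = if ($anySub) { '+' } else { '*' }   # "[subdomain]." requires at least one label
    return "^(?:[a-z0-9-]+\.)$labels$body`$"
}

# Constructed layout: "<time> <src> <dst>:<port> <host> <action>"
$LineRegex = '^(?<ts>\S+)\s+(?<src>\S+)\s+(?<dst>\S+):(?<port>\d+)\s+(?<host>\S+)\s+(?<action>\S+)$'

function Find-ChangeupSuspects {
    # One record per suspicious line; group by Source to get the host list for Step 5.
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int[]]$Ports = $BlockedPorts,
        [string[]]$Domains = $BlockedDomains
    )
    $patterns = foreach ($d in $Domains) { ConvertTo-DomainRegex -Entry $d }
    foreach ($line in $LogLines) {
        if ($line -notmatch $LineRegex) { continue }
        # Copy the fields out: later -match calls replace $Matches.
        $ts = $Matches.ts; $src = $Matches.src; $port = [int]$Matches.port; $hostName = $Matches.host
        $reasons = @()
        if ($Ports -contains $port) { $reasons += "port $port" }
        foreach ($p in $patterns) {
            if ($hostName -match $p) { $reasons += "domain $hostName"; break }
        }
        if ($reasons.Count) {
            [pscustomobject]@{ Time = $ts; Source = $src; Reason = ($reasons -join ', ') }
        }
    }
}

# Constructed sample export (not real traffic).
$SampleLog = @'
2013-04-22T09:14:03 10.1.5.23 203.0.113.10:7005 ns2.datetoday3.com allow
2013-04-22T09:14:09 10.1.5.23 203.0.113.11:80 update.example.com allow
2013-04-22T09:15:41 10.1.7.8 198.51.100.4:443 mail.example.com allow
2013-04-22T09:16:02 10.1.9.77 198.51.100.9:8003 - allow
2013-04-22T09:16:30 10.1.5.23 203.0.113.12:443 ns1.helpupdates.com allow
2013-04-22T09:17:12 10.1.7.8 198.51.100.5:80 www.example.org allow
2013-04-22T09:18:00 10.1.2.2 192.0.2.7:8000 foo.ddnsd.at allow
'@

$suspects = Find-ChangeupSuspects -LogLines ($SampleLog -split "`r?`n")
$suspects | Sort-Object Source, Time | Format-Table -AutoSize
# Hosts to pull off the network (Step 5):
$suspects | Group-Object Source | Select-Object Name, Count
```

Note that the bare domain entries (helpupdates.com, chopsuwey.net) are matched together with any host beneath them, which is what an external block is expected to cover; the dynamic-DNS entries marked "[subdomain]." are matched only for hosts beneath the domain, since the parent itself is a public service.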