How to clean up a W32.Changeup infection

Article:TECH201560  |  Created: 2013-01-10  |  Updated: 2014-09-01  |  Article URL http://www.symantec.com/docs/TECH201560
Article Type
Technical Solution



Issue



Detections or behavior on one or more computers in your network are associated with W32.Changeup.


Error



Folders and files in file shares are being hidden and renamed. Clients and file servers have suspicious new files, e.g. porn.exe, passwords.exe, sexy.exe and secret.exe, which reappear after deletion.


Cause



Possible infection with W32.Changeup.  Other vendors detect this threat family as:

W32/Autorun.worm.aaeh [McAfee]
Gen:Variant.Symmi.6831 [F-Secure]
Worm.Win32.VBNA.b [Kaspersky]
Win32/Vobfus.MA [Microsoft]
Trj/CI.A [Panda Software]
W32/Autorun-BZN [Sophos]
WORM_VOBFUS.SMM2 [Trend]


Solution



W32.Changeup is a worm that spreads through removable and mapped drives.  The worm downloads further threats and misleading applications onto the compromised computer.  Please carefully read Security Response's writeup on W32.Changeup and Best Practices for Troubleshooting Viruses on a Network.

Also see these entries on Connect:

The following blog post lays out effective steps to counter an outbreak:

Also note that Symantec has IPS and Application and Device Control (ADC) defenses against W32.Changeup and its evolving variants.  Ensuring these components are installed and enabled will greatly enhance SEP's ability to combat this threat. 

 

The clean up plan for a W32.Changeup infection on a network:

  1. Disable Autorun - No exceptions -  see http://support.microsoft.com/kb/967715
     
  2. On your external firewall, block the following ports and domains

    • 7005
    • 8003
    • 9002
    • 9003
    • 9004

    See the end of this document for an updated list of domains to be blocked. Submitting a sample, once identified, to threatexpert.com will generate an automated technical description: that may also reveal additional domains or ports.
     
  3. Identify the infected machines:
    • The entire network needs to be audited for unprotected machines, out of date machines, and infected or likely infected machines.
    • Traffic on the ports and domains listed in Step 2 is a good indicator of a potentially infected machine.
    • File servers mapped by infected machines must be scrutinized for infection (don't forget these!). Protecting and managing file servers is often the key to solving any outbreak scenario.
    • Monitoring SEPM risk and SONAR reports will help to highlight computers that are demonstrating suspicious activity or repeated detections.
     
  4. Identify the threat.
    Run a Full Scan (Manual Scan) on a workstation or server after it has been updated with the latest Rapid Release definitions.  See How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file or How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client for details on how to apply the latest Rapid Release definitions.  

    If the scan does not detect and clean the infection, it may be a new variant of W32.Changeup.  How to run the Threat Analysis Scan in Symantec Help (SymHelp) will assist in identifying suspicious files.  Common W32.Changeup file names include porn.exe, passwords.exe, sexy.exe and secret.exe.

    CRITICAL: Please submit several samples of the undetected .exe files to Security Response for analysis. The Connect article Symantec Insider Tip: Successful Submissions! contains important instructions.
     
  5. Quarantine the infected/unprotected/under protected machines:
    • Changeup updates itself VERY quickly and that "unprotected server in the closet" will pull down an as-yet-undetected variant sooner or later, infecting the whole network once again.
    • Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
    • Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.

     
  6. Clean the infected Machines:
    • Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
    • See Step 4 for the download location for the latest Rapid Release definitions for clients.
    • Don’t forget file servers. This bears repeating.
    • Folders may have to be manually renamed or unhidden.
    • Windows Update may have to be manually re-enabled.
    • These changes cannot be made by the automatic repair routine of Symantec Endpoint Protection, because many users have intentionally hidden folders or disabled automatic Windows Update.
    Note:  In the event the computer cannot run a Full Scan, it can be booted to the Symantec Endpoint Recovery Tool (SERT) and scanned: Contact a SEP Support Analyst for details on how to download and use the SERT with the latest Rapid Release definitions.
     
  7. If there is any question that there may be unprotected/underprotected machines on the network, enable Network Scanning.
    This may degrade network performance and can be disabled once the infection is removed.
    To enable Network Scanning from the Symantec Endpoint Protection Manager, please do the following:
    • Under the Policies Tab, select Antivirus and Antispyware.
    • Click the policy you would like to modify and select Edit the Policy.
    • Click File System Auto-Protect.
    • Under Network Settings, enable Network.
    • Click OK.
    • Assign the policy by clicking Assign the Policy, then check each group to which the policy should apply.
    • Click Assign, then click Yes.
     
  8. Prevent future outbreaks:
    • AutoPlay/Autorun is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well. See http://support.microsoft.com/kb/967715
    • An “Open Share” is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in its tracks.
    • Remove write access on shares from users who do not need this level of access.
    • Maintain a strict patching regimen. Changeup and threats like it often add new capabilities in response to new vulnerabilities.
    • Infected customers should block the Command and Control (C&C) servers, or they will quickly be re-infected with new variants.
    • Enable Network Threat Protection and Proactive Threat Protection on the machines or verify you have an external firewall.  Note:  The SEP Firewall (NTP) can help stop a spread within the network whereas an external firewall can help prevent an infection from getting in.
    • Make sure non-windows based network storage devices are protected e.g. NAS devices, Linux servers.  Contact Symantec Sales for more information.
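
The script below is an added example, not part of this Symantec article and not a Symantec tool. It audits a single Windows host for the conditions Steps 1, 6 and 8 tell you to remove: AutoRun still enabled (KB967715 disables it on all drive types by setting NoDriveTypeAutoRun to 0xFF), the Windows Update service disabled, folders hidden on a share and the worm's known file names present, and shares that grant Everyone or Authenticated Users write access. It assumes Windows PowerShell 3 or later running as an administrator, the Smb* cmdlets (Windows 8 / Server 2012 and later), and a share root of D:\Shares, which is a placeholder to replace with your own. It only reports unless -Fix is given, because users also hide folders deliberately (see Step 6).

```powershell
# Added example, not from the Symantec article. Host-side audit for
# Steps 1, 6 and 8 of the W32.Changeup cleanup plan. Report only unless -Fix.
param(
    [string]$SharePath = 'D:\Shares',   # assumed placeholder: your file server's share root(s)
    [switch]$Fix
)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$WormNames = 'porn.exe', 'passwords.exe', 'sexy.exe', 'secret.exe'   # names given in the article

# Step 1: KB967715 disables AutoRun for every drive type with NoDriveTypeAutoRun = 0xFF.
function Test-AutorunDisabled {
    $v = Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.NoDriveTypeAutoRun -eq 0xFF)
}
function Disable-Autorun {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# Step 8: an "open share" here is one granting Everyone / Authenticated Users write access.
function Get-OpenShare {
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {   # skip C$, ADMIN$, IPC$
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Full', 'Change') -and
            $_.AccountName -match 'Everyone|Authenticated Users'
        } | ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Account = $_.AccountName; Right = $_.AccessRight }
        }
    }
}

# Step 6: hidden folders and the worm's known file names under the share root.
function Find-ChangeupArtifact {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSIsContainer -and (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)) {
            [pscustomobject]@{ Kind = 'HiddenFolder'; Item = $_ }
        } elseif (-not $_.PSIsContainer -and $WormNames -contains $_.Name.ToLower()) {
            [pscustomobject]@{ Kind = 'SuspectFile'; Item = $_ }
        }
    }
}

# ---- report (and optionally fix) ----
if (Test-AutorunDisabled) { 'AutoRun: disabled for all drive types' }
else {
    Write-Warning 'AutoRun: NOT fully disabled (NoDriveTypeAutoRun is not 0xFF)'
    if ($Fix) { Disable-Autorun; 'AutoRun: now disabled' }
}

# Step 6 also says Windows Update may have been disabled; WMI works on older PowerShell too.
$wu = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
if ($wu -and $wu.StartMode -eq 'Disabled') {
    Write-Warning 'Windows Update service (wuauserv) is disabled'
    if ($Fix) { Set-Service -Name wuauserv -StartupType Automatic; 'Windows Update: re-enabled' }
}

foreach ($s in Get-OpenShare) {
    Write-Warning ("Open share \\{0}\{1} ({2}): {3} has {4}" -f $env:COMPUTERNAME, $s.Share, $s.Path, $s.Account, $s.Right)
    if ($Fix) {
        # Drop the broad write grant to Read; give specific groups Change afterwards as your access model requires.
        Revoke-SmbShareAccess -Name $s.Share -AccountName $s.Account -Force | Out-Null
        Grant-SmbShareAccess  -Name $s.Share -AccountName $s.Account -AccessRight Read -Force | Out-Null
    }
}

foreach ($a in Find-ChangeupArtifact -Path $SharePath) {
    if ($a.Kind -eq 'SuspectFile') {
        # Do not delete by hand: keep undetected samples for submission (Step 4), then let the scanner clean.
        Write-Warning ("Suspect file: {0} ({1} bytes, modified {2})" -f $a.Item.FullName, $a.Item.Length, $a.Item.LastWriteTime)
    } elseif ($Fix) {
        # Clear Hidden and System so the folder is visible again (same effect as: attrib -h -s <folder>).
        $a.Item.Attributes = $a.Item.Attributes -band -bnot ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
        "Unhid folder: $($a.Item.FullName)"
    } else {
        "Hidden folder: $($a.Item.FullName)"
    }
}
```

Run it once without -Fix on a file server, review the list of hidden folders against what users have hidden on purpose, then rerun with -Fix. The share check only downgrades the broad grant; decide which groups actually need Change access and grant that explicitly afterwards.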

 

DOMAINS TO BE BLOCKED ON YOUR EXTERNAL FIREWALL (Updated with latest list as of May 23rd, 2013):

 

22625.z0dns.com
domai.xddns.biz
domai.dns00.net
59423.z0dns.com
65497.z0dns.com
41512.z0dns.com
20415.z0dns.com


ns1.datetoday1.com
ns1.datetoday1.net
ns1.datetoday1.org
ns1.datetoday2.com
ns1.datetoday2.net
ns1.datetoday2.org
ns1.datetoday3.com

Domains formerly used by other variants:

- [subdomain].ddnsd.at
- [subdomain].noip.at
3d-game.com
4irc.com
92is.org
adult-sms.com
alexlucas.com
alfataxi.info
antisopa.org
artishok.ru
aviationparts.com
b0ne.com           
bbsindex.com
berlonicucine.com
bitbyte.biz
buildersbookbarn.com
buildingtradeseducation.com
bulkness.com
cardmoney.ru
chatnook.com   
chopball.org                     
chopbell.biz
chopbell.com
chopbell.info                    
chopbell.net                     
chopstickers.biz               
chopstickers.com
chopstickers.info
chopstickers.net
chopstickers.org              
chopsuwey.biz                 
chopsuwey.com
chopsuwey.info
chopsuwey.net
chopsuwey.org                
chopzones.biz                  
chopzones.com
chopzones.info
chopzones.net
chopzones.org
codeconline.net
couchness.com
darktech.org
ddns1.eu
ddnsd.at
ddnsx.eu:443
deaftone.com
dnsd.me
drophat.com
dtdns.com          
dtdns.net:443
dtdns.org
effers.com         
elexausa.com
etowns.net        
etowns.org
filesponge.net
flnet.org
helpcheck2.com
helpchecks.at
helpchecks.by
helpchecks.com
helpchecks.eu
helpchecks.info
helpchecks.net
helpupdated.net
helpupdated.org
helpupdatek.at
helpupdatek.eu
helpupdatek.tw
helpupdater.net
helpupdates.biz
helpupdates.com             
helpupdates.info
helpupdates.net
helpupdates.org
hitroe.com
howtocleanyourbody.com
imagehut2.cn
internet-against-sopa.org
kdns01.kz
mediashares.org
mixcoin.com
mixcoin.net
mixcoin.org
mobilcent.com
mobilcent.ru
msdip.com
musicmixa.info
musicmixa.net
musicmixa.org
musicmixb.co
musicmixc.com
musiczipz.com
mysearchhere.net
newbranch.org
nikapro.com
noip.at
no-ip1.com:81
noip1.nl
noip2.at
ns[ONE NUMBER].chopbell.com:8000
ns[ONE NUMBER].chopbell.net
ns[ONE NUMBER].chopstickers.com
ns[ONE NUMBER].chopsuwey.com
ns[ONE NUMBER].chopsuwey.net
ns[ONE NUMBER].chopsuwey.org
ns[ONE NUMBER].chopzones.com
ns[ONE NUMBER].chopzones.net
ns[ONE NUMBER].chopzones.org
ns[ONE NUMBER].couchness.com
ns[ONE NUMBER].datetoday[1-3].com:7005
ns[ONE NUMBER].datetoday[1-3].net:7005
ns[ONE NUMBER].datetoday[1-3].org:7005
ns[ONE NUMBER].helpchecks.net
ns[ONE NUMBER].helpupdated.com
ns[ONE NUMBER].helpupdated.net
ns[ONE NUMBER].helpupdated.org
ns[ONE NUMBER].helpupdatek.at
ns[ONE NUMBER].helpupdatek.eu
ns[ONE NUMBER].helpupdatek.tw
ns[ONE NUMBER].helpupdater.net
ns[ONE NUMBER].helpupdates.biz
ns[ONE NUMBER].helpupdates.com
ns[ONE NUMBER].helpupdates.info
ns[ONE NUMBER].helpupdates.net
ns[ONE NUMBER].helpupdates.org
ns[ONE NUMBER].mediashares.org
ns[ONE NUMBER].musicmixa.net
ns[ONE NUMBER].musicmixa.org
ns[ONE NUMBER].musicmixb.co
ns[ONE NUMBER].musicmixc.com
ns[ONE NUMBER].musiczipz.com
ns[ONE NUMBER].mysearchhere.net
ns[ONE NUMBER].player1253.com
ns[ONE NUMBER].player1352.com
ns[ONE NUMBER].player1352.net
ns[ONE NUMBER].player1352.org
ns[ONE NUMBER].player1523.com
ns[ONE NUMBER].player1532.com
ns[ONE NUMBER].searchhereonline.net
ns[ONE NUMBER].spansearcher.net
ns[ONE NUMBER].theimageparlour.net
ns[ONE NUMBER].thepicturehut.net
ns[ONE NUMBER].timecheckings.com
ns[ONE NUMBER].timecheckings.net
ns[ONE NUMBER].timedate[1-3].com:7005
ns[ONE NUMBER].timedate[1-3].net:7005
ns[ONE NUMBER].timedate[1-3].org:7005
ns[ONE NUMBER].videoall.org
ns1.couchness.com
ns1.helpchecks.com
ns1.helpchecks.net
ns1.helpupdater.net
ns1.helpupdates.com
ns1.helpupdates.net
ns1.timedate[1-3].com
ns1.timedate[1-3].net
ns1.timedate[1-3].org
paris-hack.com
pasta-factory.co.il
peazoom.com
peiseler.us
player1352.com
player1352.net
player1352.org
player1532.com
politix.ru
powerstationbbs.ca
premium-short-code.com
pronash.com
purpleoctopus.com
rymyheh.ru
scieron.com
seamayor.com
sendrome.com
slyip.com
slyip.net
sms-agregator.ru
smscoin.com
smscoin.net
smscoin.ru
smspay4.com
spansearcher.net
spinsearcher.org
suroot.com        
tempchat.ru
thethoughtzone.net
timecheckings.com
timecheckings.net
userend.info
userstart.info
usezoom.com
videoall.org
vrera.com
xlget.com
youmult.com
zdns.eu
zm7.org
zoomslovenia.com
zvonokla.com
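
The following PowerShell is an added example, not part of this article and not a Symantec tool, showing how to turn the lists above into a matcher for Steps 2 and 3: it converts a handful of the entries written in the article's own notation ([ONE NUMBER] is a single digit, [1-3] one of those digits, [subdomain] any host label or labels, a trailing :port limits the match to that port) into regular expressions, combines them with the Step 2 port list, and runs them over firewall or proxy log lines to list internal hosts that need checking. It assumes Windows PowerShell 3 or later. The log lines and their "key=value" layout are constructed for the demo; replace ConvertFrom-LogLine with a parser for what your firewall actually writes.

```powershell
# Added example, not from the Symantec article. Matches log lines against the
# article's domain/port indicators to find internal hosts to investigate.

$SuspectPorts = 7005, 8003, 9002, 9003, 9004   # Step 2 port list

# A sample of the article's indicators, verbatim in its own notation.
$Indicators = @(
    '22625.z0dns.com'
    'ns1.datetoday1.com'
    '[subdomain].ddnsd.at'
    'ns[ONE NUMBER].datetoday[1-3].com:7005'
    'ns[ONE NUMBER].chopbell.com:8000'
    'ddnsx.eu:443'
)

function ConvertTo-IndicatorRule {
    param([Parameter(Mandatory = $true)][string]$Indicator)
    $hostPart = $Indicator; $port = $null
    if ($Indicator -match '^(.+):(\d+)$') { $hostPart = $Matches[1]; $port = [int]$Matches[2] }

    # Swap the article's placeholders for control-character sentinels so that
    # [regex]::Escape leaves them alone, escape the literal text, then expand.
    $s = $hostPart.ToLower()
    $s = $s -replace '\[one number\]', [char]1
    $s = $s -replace '\[1-3\]',        [char]2
    $s = $s -replace '\[subdomain\]',  [char]3
    $s = [regex]::Escape($s)
    $s = $s -replace [char]1, '\d'
    $s = $s -replace [char]2, '[1-3]'
    $s = $s -replace [char]3, '[a-z0-9-]+(\.[a-z0-9-]+)*'

    [pscustomobject]@{ Indicator = $Indicator; Regex = ('^' + $s + '$'); Port = $port }
}

function ConvertFrom-LogLine {
    param([string]$Line)
    # Constructed format: "<date> <time> src=<ip> dst=<host-or-ip> dport=<n> action=<allow|deny>"
    if ($Line -match '^(?<time>\S+ \S+) src=(?<src>\S+) dst=(?<dst>\S+) dport=(?<dport>\d+)') {
        [pscustomobject]@{
            Time  = $Matches['time']
            Src   = $Matches['src']
            Dst   = $Matches['dst'].ToLower()
            DPort = [int]$Matches['dport']
        }
    }
}

function Find-SuspectTraffic {
    param(
        [string[]]$Lines,
        [string[]]$IndicatorList = $Indicators,
        [int[]]$Ports = $SuspectPorts
    )
    $rules = $IndicatorList | ForEach-Object { ConvertTo-IndicatorRule -Indicator $_ }
    foreach ($line in $Lines) {
        $e = ConvertFrom-LogLine -Line $line
        if (-not $e) { continue }
        $hits = @()
        foreach ($r in $rules) {
            # A port-qualified indicator only fires on that port; a bare one fires on any port.
            if ($e.Dst -match $r.Regex -and ($null -eq $r.Port -or $r.Port -eq $e.DPort)) {
                $hits += "domain:$($r.Indicator)"
            }
        }
        if ($Ports -contains $e.DPort) { $hits += "port:$($e.DPort)" }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Time = $e.Time; Src = $e.Src; Dst = $e.Dst; DPort = $e.DPort; Reason = ($hits -join ', ') }
        }
    }
}

# Constructed sample log (addresses and hosts invented for the demo).
$SampleLog = @(
    '2013-05-23 09:58:11 src=10.1.2.30 dst=ns2.datetoday3.com dport=7005 action=allow'
    '2013-05-23 09:58:12 src=10.1.2.30 dst=ns2.datetoday3.com dport=80 action=allow'    # outside the :7005 rule's scope
    '2013-05-23 10:03:40 src=10.1.2.31 dst=www.example.com dport=443 action=allow'
    '2013-05-23 10:05:07 src=10.1.2.44 dst=abc123.ddnsd.at dport=80 action=allow'
    '2013-05-23 10:09:55 src=10.1.2.50 dst=198.51.100.7 dport=9003 action=allow'
    '2013-05-23 10:11:02 src=10.1.2.31 dst=ns7.chopbell.com dport=8000 action=deny'
)

Find-SuspectTraffic -Lines $SampleLog | Format-Table -AutoSize
```

Two points worth noting from the sample: a denied connection still identifies an infected source host, so do not filter on action=allow before matching; and a port-qualified entry such as ns[ONE NUMBER].datetoday[1-3].com:7005 does not cover the same domain on another port, so add the bare domain as a separate indicator if you want all traffic to it flagged. Feed Find-SuspectTraffic the full list from this document rather than the six-entry sample, and cross-check the resulting sources against the SEPM risk and SONAR reports mentioned in Step 3.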
