How to clean up a W32.Changeup infection

Article:TECH201560  |  Created: 2013-01-10  |  Updated: 2013-11-08  |  Article URL http://www.symantec.com/docs/TECH201560
Article Type: Technical Solution

Issue

Detections or behavior on one or more computers in your network are associated with W32.Changeup.


Error

Folders and files in file shares are being hidden and renamed. Clients and file servers have suspicious new files, e.g. porn.exe, passwords.exe, sexy.exe and secret.exe, which come back after deletion.


Cause

Possible infection with W32.Changeup. Other vendors detect the same threat under the following names:

W32/Autorun.worm.aaeh [McAfee]
Gen:Variant.Symmi.6831 [F-Secure]
Worm.Win32.VBNA.b [Kaspersky]
Win32/Vobfus.MA [Microsoft]
Trj/CI.A [Panda Software]
W32/Autorun-BZN [Sophos]
WORM_VOBFUS.SMM2 [Trend]


Solution

Following is our Security Response writeup on W32.Changeup:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99
Symantec Security Response Blog: W32.Changeup keeps on giving:
http://www.symantec.com/connect/blogs/w32changeup-keeps-giving
Symantec Security Response Blog: Chicken or Egg: Where does W32.Changeup Come From?
http://www.symantec.com/connect/blogs/chicken-or-egg-where-does-w32changeup-come
Symantec Security Response Blog: W32.Changeup - A Malicious Gift That Keeps On Giving:
http://www.symantec.com/connect/blogs/w32changeup-malicious-gift-keeps-giving
 
The clean up plan for a W32.Changeup infection on a network:

  1. Disable Autorun, with no exceptions. See http://support.microsoft.com/kb/967715
     
  2. On your external firewall, block the following ports and domains:

    • 7005
    • 8003
    • 9002
    • 9003
    • 9004

    See the end of this document for an updated list of domains to be blocked.
     
  3. Identify the threat.
    Common file names include:  porn.exe, passwords.exe, sexy.exe and secret.exe.
    Run a basic Full Scan on a workstation or server after they have been updated with the latest Rapid Release definitions:

    32 bit version
    http://definitions.symantec.com/defs/rapidrelease/symrapidreleasedefsv5i32.exe

    64 Bit version
    http://definitions.symantec.com/defs/rapidrelease/symrapidreleasedefsv5i64.exe

    If the scan does not detect and clean the infection, it may be a new variant of W32.Changeup.
    (Rapid Release virus definitions have undergone basic quality assurance testing by Symantec Security Response. The primary focus of these definitions is the rapid detection of newly emerging threats, and they may be augmented later with more robust detection capabilities. While Symantec Security Response makes every effort to ensure that all virus definitions function correctly, you should understand that rapid release-quality virus definitions do pose some risks, such as a higher potential for false positives.)
    CRITICAL: Please submit several samples of the .exe files (from the list in Step 3 or other suspected .exe files; please do not include .inf or .txt files) to the Security Response team at https://submit.symantec.com/websubmit/essential.cgi
    Security Response will send an automated response with a tracking number to the e-mail address included with the submission. Contact technical support for Symantec Endpoint Protection and forward this tracking number to put a high priority on the file submission.
     
  4. Identify the infected machines:

     
  5. Quarantine the infected, unprotected and under-protected machines:
    • Changeup updates itself VERY quickly and that "unprotected server in the closet" will pull down an as-yet-undetected variant sooner or later, infecting the whole network once again.
    • Unprotected and under-protected machines need to be removed from the network until cleaned and protected.
    • Unprotected machines should be returned to the network only after being protected, checked for suspect files, and scanned clean.

     
  6. Clean the infected Machines:
    • Infected machines need to be scanned clean. Safe Mode is not necessary, just a basic Full System Scan.
    • See Step 3 for the download location for the latest Rapid Release definitions for clients.
    • Don’t forget file servers. This bears repeating.
    • Folders may have to be manually renamed or unhidden.
    • Windows Update may have to be manually re-enabled.
    • These changes cannot be done as part of the automatic repair routine of Symantec Endpoint Protection, as many users have intentionally hidden folders or disabled automatic Windows Update.
    Note: In the event the computer cannot run a Full Scan, it can be booted to the Symantec Endpoint Recovery Tool (SERT) and scanned. Contact a SEP Support Analyst for details on how to download and use the SERT with the latest Rapid Release definitions.
     
  7. If there is any question that there may be unprotected or under-protected machines on the network, enable Network Scanning.
    This may cause performance degradation across the network and can be disabled once the infection is removed.
    To enable Network Scanning from the Symantec Endpoint Protection Manager, please do the following:
    • Under the Policies Tab, select Antivirus and Antispyware.
    • Click the policy you would like to modify and select Edit the Policy.
    • Click File System Auto-Protect.
    • Under Network Settings, enable Network.
    • Click OK.
    • Assign the policy by clicking Assign the Policy, then check each group to which the policy should apply.
    • Click Assign, then click Yes.
     
  8. Prevent future outbreaks:
    • AutoPlay/Autorun is a spreading mechanism for thousands of worms and should be disabled. Microsoft has moved to this position as well. See http://support.microsoft.com/kb/967715
    • An “Open Share” is any share that does not require a password to access. Password-restricting shares can slow or stop a worm like this in its tracks.
    • Remove write-access on shares from users not needing this level of access.
    • Maintain a strict patching regimen. Changeup and threats like it often add new capabilities in response to new vulnerabilities.
    • Infected customers should block the Command and Control (C&C) servers, or they will quickly become re-infected with new variants.
    • Enable Network Threat Protection and Proactive Threat Protection on the machines, or verify you have an external firewall. Note: The SEP Firewall (NTP) can help stop a spread within the network, whereas an external firewall can help prevent an infection from getting in.
    • Make sure non-Windows-based network storage devices are protected, e.g. NAS devices and Linux servers. Contact Symantec Sales for more information: 1-800-745-6054
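A share triage script for Steps 3 and 6, added here as an example and not a Symantec tool: it reports hidden directories and files carrying the names listed in Step 3, and with -Unhide clears only the Hidden attribute on directories. The parameter names -SharePath and -Unhide, and the use of Get-FileHash (PowerShell 4 or later), are assumptions.

```powershell
# Added example: triage a file share for the W32.Changeup artifacts described in
# Steps 3 and 6. -SharePath and -Unhide are assumed parameter names. Nothing is
# deleted; -Unhide only clears the Hidden attribute on directories.
param(
    [Parameter(Mandatory = $true)][string]$SharePath,
    [switch]$Unhide
)

# File names the article lists as common for this threat (Step 3).
$suspectNames = @('porn.exe', 'passwords.exe', 'sexy.exe', 'secret.exe')

if (-not (Test-Path -LiteralPath $SharePath)) {
    throw "Path not found: $SharePath"
}

# 1. Hidden directories: the worm hides folders on shares (Error section, Step 6).
#    -Force is required, otherwise Get-ChildItem skips hidden items.
$hiddenDirs = @(Get-ChildItem -LiteralPath $SharePath -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden })

foreach ($dir in $hiddenDirs) {
    Write-Output ("HIDDEN DIR  {0}" -f $dir.FullName)
    if ($Unhide) {
        # Hidden is known to be set (filtered above), so XOR clears just that flag;
        # System, ReadOnly and other attributes stay as they were.
        $dir.Attributes = $dir.Attributes -bxor [IO.FileAttributes]::Hidden
    }
}

# 2. Files with the names from Step 3. The SHA-256 and timestamp help correlate
#    hosts and accompany the sample submission to Security Response (Step 3).
$suspectFiles = @(Get-ChildItem -LiteralPath $SharePath -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $suspectNames -contains $_.Name })

foreach ($file in $suspectFiles) {
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    Write-Output ("SUSPECT EXE {0}  sha256={1}  modified={2:u}" -f $file.FullName, $hash, $file.LastWriteTimeUtc)
}

Write-Output ("Summary: {0} hidden directories, {1} suspect files" -f $hiddenDirs.Count, $suspectFiles.Count)
```

Run it first without -Unhide against each share, and keep the output: the per-host list of suspect files and hashes is what Step 4 asks you to establish.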
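Host checks for Steps 1, 6 and 8, added here as an example (not Symantec's or Microsoft's code): it verifies the NoDriveTypeAutoRun policy value that KB 967715 describes and the Windows Update service start mode, and with -Enforce corrects both. The -Enforce switch and an elevated session are assumptions.

```powershell
# Added example: post-cleanup host checks for Steps 1, 6 and 8. Assumes an elevated
# session. The registry value is the one KB 967715 documents: NoDriveTypeAutoRun = 0xFF
# disables Autorun on every drive type. Without -Enforce the script only reports.
param([switch]$Enforce)

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$wanted = 0xFF
$findings = @()

foreach ($key in $policyKeys) {
    $current = $null
    if (Test-Path -LiteralPath $key) {
        $current = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    }
    if ($current -eq $wanted) {
        Write-Output ("OK    {0} NoDriveTypeAutoRun=0x{1:X2}" -f $key, $current)
        continue
    }
    $findings += "Autorun not fully disabled at $key (value: $current)"
    if ($Enforce) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value $wanted -Force | Out-Null
        Write-Output "FIXED $key NoDriveTypeAutoRun=0xFF"
    }
}

# Step 6: Windows Update may have been left disabled. This checks only the service
# start mode (wuauserv); a policy-based disablement would need a separate check.
$wu = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
if ($wu.StartMode -eq 'Disabled') {
    $findings += "Windows Update service (wuauserv) is Disabled"
    if ($Enforce) {
        Set-Service -Name wuauserv -StartupType Automatic
        Start-Service -Name wuauserv
        Write-Output "FIXED wuauserv set to Automatic and started"
    }
} else {
    Write-Output ("OK    wuauserv StartMode={0} State={1}" -f $wu.StartMode, $wu.State)
}

if ($findings.Count -gt 0 -and -not $Enforce) {
    Write-Output "Findings (re-run with -Enforce to apply):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```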

 

DOMAINS TO BE BLOCKED ON YOUR EXTERNAL FIREWALL (Updated with latest list as of May 23rd, 2013):

Domains formerly used by other variants: