Video Screencast Help
Security Response

Changes Afoot for Changeup

Created: 22 Aug 2013 20:31:29 GMT • Updated: 23 Jan 2014 18:04:33 GMT • Translations available: 日本語
Masaki Suenaga's picture
+1 1 Vote
Login to vote

We have been fighting the W32.Changeup family of worms for a long time and have written about it many times
 

image1_10.png

Figure 1. W32.Changeup prevalence
 

One characteristic of W32.Changeup is that it is written in Microsoft Visual Basic 6.0 and the viral part of its program code is seen in the program file, but it may appear to be obfuscated. However, for the first time in W32.Changeup’s history we have found a new variant that does not show the viral part of its program code in the file.

The program file is built in native code (Intel X86 code) and the startup object is set to ‘Form605’.
 

image2_5.png

Figure 2. Program file’s startup code seen in X86 instructions
 

Once the code is run, the memory where the program once ran will be completely rewritten.
 

image3_5.png

Figure 3. Startup code in program on memory
 

The replaced program is also built with Visual Basic 6.0, but this is built in P-code (pseudo-code) and the startup object is ‘Sub Main’.

The program on memory is pure W32.Changeup with no obfuscations. The strings are not encrypted at all, except for the domain names it connect to, and it does not have any redundant string concatenations.
 

image4_1.png

Figure 4. Bare strings are copied to global variable strings Me(204) and Me(860)
 

In this example, the bare strings ‘connect’ and ‘CreateToolhelp32Snapshot’ are copied to global variables. We have not seen such a pure version of W32.Changeup for a very long time. The authors may have thought that it was no longer necessary to hide the strings because they are no longer seen in the program file. Of course, any other obfuscation techniques, such as redundant string concatenations and useless API calls, are no longer necessary on memory.

The worm functions much the same way as before, except for its polymorphism. A generation ago, the worm had strong polymorphism. It replaced three random strings, used as a dummy form name and so on, and was found in the program file with new random strings resulting in a new file with several differences. For example, the replacements affected the file wherever such strings, to construct the Visual Basic forms and modules, are located. If a virus definition covered such a changeable string, it would not be able to detect any variations derived from the sample. That is why security professionals pay more attention to polymorphic worms.

The latest version of W32.Changeup has lost its strong polymorphism features. It now only modifies icons in the resource section of the program file in order to disguises itself as a document, picture, or movie while copying itself.
 

image5_2.png

Figure 5. Icons used by W32.Changeup to disguise itself (note the poor quality)
 

Symantec detects these files as W32.Changeup!gen44.