
W32.Changeup: How the Worm Was Created

Created: 24 Aug 2012 09:13:01 GMT • Updated: 23 Jan 2014 18:12:51 GMT • Translations available: 日本語
Masaki Suenaga

Microsoft Visual Basic 6.0 was released in 1998, and more than a decade later malware written in Visual Basic is still running rampant. One example is W32.Changeup, a polymorphic worm that accounts for 25 percent of all malware written in Visual Basic.

To develop a better understanding of Changeup, I set out to analyze it in depth. Because existing decompiler tools could not handle it, I had to decompile it manually. Visual Basic programs also require special knowledge to analyze because of the language's flexible source code syntax; in particular, recognizing Variant-typed values and arrays in the compiled code is the key to precise analysis.

Once I completed the analysis, I wrote a white paper detailing my findings. In it, I describe how the worm calls Windows APIs, which sets it apart from other worms: the calls are obfuscated behind many redundant API calls and string concatenations.

Furthermore, while it is common knowledge that the worm changes the icon of its executable file when it spreads, I explain how it is able to do so by showing the relevant source code.

I also include partial source code of the worm, show how to decompile it manually, and outline the techniques Changeup uses. Understanding these decompilation techniques will also help with analyzing other Visual Basic malware.

The imminent release of Windows 8 will not stop the spread of Visual Basic worms: programs written in Visual Basic 6.0 also run on Windows 8, so Visual Basic worms will survive there too.

It is with great pleasure that I present my findings in the comprehensive white paper W32.Changeup: How the Worm Was Created.