W32.Changeup Installing and Running eMule
We have seen many threats that use file-sharing applications in order to spread to other computers. Typically these threats would scan a compromised computer for the shared folders of these programs, and if found would copy themselves into those folders mimicking names that are popular in search queries (e.g. popular pirated softwares, games, or cracks).
W32.Changeup does not scan for existing file-sharing applications, but it does do something unusual. It will actually install a well-known application called Emule and use it to share itself, mimicking tens of thousands of file names from popular user searches. Let’s have a closer look.
Changeup may arrive on a computer in several ways. As we have seen, it may use the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability, spread through removable or network drives, or why not, being accidentally downloaded from a P2P application! (You can find more information about W32.Changeup characteristics in this previous blog entry.) Usually the first executable being dropped on the machine is quite small in size, it will connect back to Changeup C&C servers and will download an additional payload, especially threats from the families Backdoor.Tidserv, Downloader.Harnig, Trojan.FakeAV, and others.
After the payload is dropped, there is no visible window or sign of the threat running, but we can have a look at the process list to see what’s going on:
Image 1: The payload has installed and run Emule silently.
The threat has silently installed and launched Emule. A quick look at the folder containing the files being shared reveals immediately what the threat is trying to do:
Image 2: W32.Changeup is sharing itself using 45,079 different file names (and wasting almost one gigabyte of hard drive space!)
W32.Changeup created a zip archive, containing its main downloader component, and copies this ZIP archive over 45,000 times using file names that mimic legitimate software, cracks, or anything that might be popular in search queries. The ZIP archive contains an executable that pretends to look like a normal setup:
Image 3: The shared archive mimics a normal software package containing an installer.
The setup.exe file is a W32.Changeup downloader, and it is always the same executable in all the zip archives.
If the shared ZIP archive was the same file (in terms of its hash) repeated 45,000 times, all the different .zip file names could be returned in results from Emule’s file information search feature. This would be an obvious indication that the file is rogue. To avoid this, W32.Changeup adds a couple of random bytes to the bottom of each copy of the ZIP archive. If all copies have different junk bytes, each file will have a unique file hash (and a unique file name associated with it in the Emule searches). This also helps the threat to evade static antivirus detections based on file hash.
W32.Changeup had initially limited its spreading capabilities, then it employed a strategy involving the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability in order to successfully spread on as many computers as possible. With antivirus detecting the malicious .lnk files, and the security patches released by Microsoft to remove the vulnerability, Changeup had to move to a new strategy in order to keep the spread ratio high, and file-sharing is always a target often chosen by worm authors.
Once again, have all your software updated, and be careful when downloading anything from file-sharing networks.