W32.Changeup is a polymorphic worm written in Visual Basic (VB). As we stated in the previous W32.Changeup blog, our analysis focuses on the polymorphic behavior the threat employs. There are many polymorphic worms, but polymorphic worms written in VB are very rare. Analysis of malware written in Visual Basic can be tricky, but I have spent some time analyzing this threat, and in this blog I'll take a closer look at the polymorphic aspects of this worm.
When the worm executes, it accesses the LinkTopic property in its own form. The strings for the form and module names that Changeup uses are recorded in the LinkTopic property. Every time it infects a computer, the strings are randomly modified.
Once loaded, it searches for the string marked with an “x” that was added through the LinkTopic property. It then places 2,525 bytes of encrypted data at the position where it found that address. The following is the binary image; the highlighted area is the string configured in the LinkTopic property.
This section is declared as a picture, but instead of image data it holds the RC4-encrypted data that the worm uses. The picture is configured as invisible in the form and is never used as a picture.
The worm then decrypts this section, which is also where the names of the Windows API functions the worm calls are stored. Until this section is decrypted, the worm uses only a limited number of Windows APIs.
One very interesting detail is that the URL the worm contacts is created dynamically by hashing together letters taken from the strings in this section. We believe this is done to hide the host server. The figure below shows the code that is used.
After the picture section is decrypted, the malicious code embedded in this worm performs the following actions:
- Copies itself to the system.
- Creates registry entries to automatically start itself.
- Copies itself to removable drives and network shares.
- Downloads and executes files from the host mentioned above.
Furthermore, Changeup changes every time it copies itself. While the file size doesn't change, the file hash value (for example, the MD5) does. It also performs the following actions:
- Loads itself into memory.
- Generates a random, eight-letter file name to configure in the LinkTopic property.
- Replaces the LinkTopic property in memory. It also replaces the module and form names.
- Replaces the product version, file version, and internal name in the resource section.
- The picture section is re-encrypted with a new key.
The LinkTopic property strings are used as the key for the RC4 encryption, so whenever the strings change, the picture section must be re-encrypted. A different key is used at every infection, so the binary data in this section changes every time.
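The following is an added example, not code from the Symantec post or from the worm, that models the re-keying just described from an analyst's side: RC4 is symmetric, so a section re-encrypted under a fresh eight-letter LinkTopic string keeps its size, changes every byte (and therefore its MD5), and is still recoverable once the LinkTopic string has been read out of the sample. It assumes the RC4 key is simply the raw LinkTopic string bytes; the post does not detail the exact key derivation, so that mapping and the sample plaintext are constructed stand-ins.

```python
# Added example (not from the original post). Assumption: the RC4 key is the
# raw LinkTopic string; the worm's exact key derivation is not given in the post.
import hashlib
import random
import string


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def random_linktopic(rng: random.Random) -> str:
    """Eight random letters, the LinkTopic name format the post describes."""
    return "".join(rng.choice(string.ascii_letters) for _ in range(8))


def rekey_section(section: bytes, old_key: str, new_key: str) -> bytes:
    """Decrypt the 'picture' section under the old LinkTopic key, re-encrypt under the new one."""
    return rc4(new_key.encode(), rc4(old_key.encode(), section))


def decrypt_section(section: bytes, linktopic: str) -> bytes:
    """Analyst helper: recover the section plaintext given the LinkTopic string from a sample."""
    return rc4(linktopic.encode(), section)


# Constructed stand-in for the section's plaintext (API names plus padding).
PLAINTEXT = b"CreateFileA\x00URLDownloadToFileA\x00ShellExecuteA\x00" + b"\x00" * 40


def demo(seed: int = 1) -> dict:
    """Simulate two successive copies of the worm and compare their sections."""
    rng = random.Random(seed)
    key1, key2 = random_linktopic(rng), random_linktopic(rng)
    copy1 = rc4(key1.encode(), PLAINTEXT)
    copy2 = rekey_section(copy1, key1, key2)
    return {
        "same_length": len(copy1) == len(copy2),
        "bytes_differ": copy1 != copy2,
        "md5_differ": hashlib.md5(copy1).hexdigest() != hashlib.md5(copy2).hexdigest(),
        "plaintext_recovered": decrypt_section(copy2, key2) == PLAINTEXT,
    }
```

Because the section length is fixed and only the key moves, a hash of the whole file will never match across copies, while the plaintext recovered by `decrypt_section` is identical in every copy and is the stable material to build detection on.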
Of course, the most noteworthy feature of Changeup is that it is written in Visual Basic. Most malware written in VB consists of Trojan horses; a few other polymorphic worms written in VB exist, but their polymorphism may have been lost in the details. With Changeup demonstrating to us security researchers that a polymorphic worm can be written in Visual Basic, we'll have to be on the lookout for future worms written in VB.