
W32.Changeup

Risk Level 2: Low

Discovered:
August 18, 2009
Updated:
August 29, 2013 11:52:59 AM
Also Known As:
Gen:Variant.Symmi.6831 [F-Secure], Worm.Win32.VBNA.b [Kaspersky], W32/Autorun.worm.aaeh [McAfee], Trj/CI.A [Panda Software], Win32/Vobfus.MD [Microsoft], WORM_VOBFUS [Trend], W32/VBNA-X [Sophos], Win32/VBObfus.GH [NOD32]
Type:
Worm
Infection Length:
128,000 bytes
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
CVE References:
CVE-2010-2568
W32.Changeup is a worm that spreads through removable and mapped drives. It may also spread by exploiting the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732). The worm may also spread through certain file-sharing programs.

The worm downloads more threats and misleading applications onto the compromised computer.

Infection
This worm spreads through removable and mapped drives. It also uses the AutoRun feature of Windows to run automatically.

The worm creates several .lnk files on the compromised computer and then exploits the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732) in order to spread.

Furthermore, the worm installs a file-sharing program on the compromised computer and attempts to propagate by copying itself into the shared folder using a number of file names that have been selected to appear enticing to file sharers.


Functionality
The primary function of this threat is to download more malware onto the compromised computer. It is likely that the authors of the threat are associated with affiliate schemes that are attempting to generate money through the distribution of malware.


Polymorphism
The worm employs an element of polymorphism by dynamically generating URLs from which it attempts to download files. Furthermore, while the worm creates a number of copies of itself on the compromised computer, each copy has several uniquely modified bytes in an attempt to evade simple static antivirus detections based on file hashes.
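To make the evasion point concrete, here is an added Python example (not from this writeup and not the worm's own code) that builds a constructed 128,000-byte pseudo-random stand-in for the worm body, produces copies that each differ in a handful of bytes, and shows that an exact-hash blocklist misses every copy while a piecewise (per-chunk) hash comparison still matches them. The mutation routine only models the described effect and is not the worm's algorithm; the chunk size and match threshold are assumptions chosen for the demonstration.

```python
import hashlib
import random

SAMPLE_SIZE = 128_000   # matches the infection length listed in this writeup


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_sample_body(size=SAMPLE_SIZE, seed=0):
    """Constructed pseudo-random stand-in for a worm binary (no real malware)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def make_mutated_copies(original, count, n_bytes, seed=1):
    """Produce `count` copies, each with `n_bytes` distinct positions altered.

    This is a stand-in that models the described effect (a few unique bytes per
    copy); it is not the worm's own mutation routine.
    """
    rng = random.Random(seed)
    copies = []
    for _ in range(count):
        buf = bytearray(original)
        for pos in rng.sample(range(len(buf)), n_bytes):
            buf[pos] ^= 0xFF      # XOR with 0xFF always changes the byte
        copies.append(bytes(buf))
    return copies


def differing_bytes(a, b):
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def hash_match(sample, known_hashes):
    """Exact-hash blocklist lookup: what a simple hash signature does."""
    return sha256(sample) in known_hashes


def chunk_hashes(data, chunk_size):
    return [sha256(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def chunk_match(sample, reference_chunks, chunk_size, min_fraction):
    """Piecewise hashing: the sample matches if at least `min_fraction` of its
    fixed-size chunks hash identically to the reference's chunks.  A copy that
    differs in k bytes can invalidate at most k chunks, so a few patched bytes
    cannot push a 32-chunk file below the threshold."""
    sample_chunks = chunk_hashes(sample, chunk_size)
    if len(sample_chunks) != len(reference_chunks):
        return False
    same = sum(a == b for a, b in zip(sample_chunks, reference_chunks))
    return same / len(reference_chunks) >= min_fraction


def detection_report(original, copies, chunk_size=4096, min_fraction=0.7):
    """Compare both detection approaches over the supplied copies."""
    known_hashes = {sha256(original)}
    reference_chunks = chunk_hashes(original, chunk_size)
    return {
        "copies": len(copies),
        "max_bytes_changed": max(differing_bytes(original, c) for c in copies),
        "exact_hash_detected": sum(hash_match(c, known_hashes) for c in copies),
        "chunk_hash_detected": sum(
            chunk_match(c, reference_chunks, chunk_size, min_fraction) for c in copies),
    }


if __name__ == "__main__":
    body = make_sample_body()
    print(detection_report(body, make_mutated_copies(body, count=5, n_bytes=8)))
```

With 4096-byte chunks the 128,000-byte sample has 32 chunks, so eight altered bytes leave at least 24 chunks (75%) intact; the same idea, with rolling rather than fixed boundaries, is what production fuzzy-hashing tools use to survive insertions as well as in-place edits.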



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.

SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


Intrusion Prevention System
HTTP W32 ChangeUp Worm Activity
System Infected: W32.Changeup Worm Activity
System Infected: W32.Changeup Worm Activity 2
System Infected: W32.Changeup Worm Activity 3


AutoRun and W32.Changeup
Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats compromising it.

For more information, see the following resource:
How to prevent a virus from spreading using the "AutoRun" feature
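The AutoRun hardening recommended above is normally applied through the NoDriveTypeAutoRun policy value under the Explorer policies registry key. The following added Python audit (not Symantec's tooling and not from the linked resource) decodes that bitmask to show which drive types would still process autorun.inf and whether the value matches the disable-everything setting of 0xFF. The sample values are constructed; the lazily imported winreg reader only works on a Windows host and the audit functions themselves run anywhere.

```python
"""Decode the NoDriveTypeAutoRun policy bitmask.  Added illustration, not
Symantec's tooling.  Bit n of the mask corresponds to drive type n as returned
by the Win32 GetDriveType() API; a SET bit disables AutoRun for that type."""

DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE (USB sticks, floppies)",
    0x08: "DRIVE_FIXED (local hard disks)",
    0x10: "DRIVE_REMOTE (mapped network drives)",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved / unrecognised type",
}
DISABLE_ALL = 0xFF   # turns AutoRun off for every drive type
# The two drive types this worm uses to spread: removable and mapped drives.
CHANGEUP_VECTORS = 0x04 | 0x10

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def autorun_still_enabled(mask):
    """Drive types for which autorun.inf would still be processed under `mask`."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def audit_mask(mask):
    """Describe how far `mask` is from the recommended setting."""
    mask &= 0xFF  # only the low byte carries drive-type bits
    return {
        "value": f"0x{mask:02X}",
        "compliant": mask == DISABLE_ALL,
        # True if either of the worm's spreading vectors still has AutoRun on.
        "worm_vectors_open": bool(~mask & CHANGEUP_VECTORS),
        "still_enabled": autorun_still_enabled(mask),
        "remediation": f"set {VALUE_NAME} to 0x{DISABLE_ALL:02X} under HKLM\\{POLICY_KEY}",
    }


def read_effective_mask():
    """Read the live value on a Windows host; the machine policy (HKLM) wins over
    the per-user policy (HKCU).  winreg is imported here so the pure audit
    functions above work on any platform.  Returns None if no policy is set."""
    import winreg
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _ = winreg.QueryValueEx(key, VALUE_NAME)
                return int(value)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    # 0x91 is a constructed sample resembling an unhardened value; 0xFF is the target.
    for sample in (0x91, DISABLE_ALL):
        print(audit_mask(sample))
```

A mask of 0x91 leaves removable drives, fixed disks, CD-ROMs and RAM disks with AutoRun enabled, which is exactly the gap this worm relies on; 0xFF closes it. On older Windows releases the value is only honoured once the Microsoft update that introduced the companion HonorAutoRunSetting value is installed, so an audit on Windows 2000, XP or Server 2003 should confirm that update as well.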


Symantec Endpoint Protection – Application and Device Control Policy
Symantec Security Response has developed an Application and Device Control (ADC) Policy for Symantec Endpoint Protection to protect against the activities associated with this threat. ADC policies are useful for reducing the risk of a threat infecting a computer, preventing the unintentional removal of data, and restricting the programs that are run on a computer.

This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another. If you are experiencing an outbreak of this threat in your network, please download the policy.

To use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to enable active protection.

For more information, please read "Preventing viruses using 'autorun.inf' from spreading with 'Application and Device Control' policies in Symantec Endpoint Protection (SEP) 11.x".

For more information on ADC policies and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual (PDF).

Note: The ADC policies above have been developed by Security Response for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.

Symantec recommends proactively carrying out a number of steps to improve security in your environment. Please see Symantec Endpoint Protection – Best Practices.

Antivirus Protection Dates

  • Initial Rapid Release version August 17, 2009 revision 052
  • Latest Rapid Release version April 23, 2014 revision 006
  • Initial Daily Certified version August 17, 2009 revision 054
  • Latest Daily Certified version April 23, 2014 revision 016
  • Initial Weekly Certified release date August 19, 2009

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 50 - 999
  • Number of Sites: 3 - 9
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Downloads more threats onto the compromised computer.

Distribution

  • Distribution Level: Medium
  • Shared Drives: Spreads through removable and mapped drives.
  • Target of Infection: Remotely exploitable vulnerability; file-sharing programs.
Writeup By: Éamonn Young, Hatsuho Honda, and Henry Bell
