- Discovered:
- July 23, 2010
- Updated:
- July 23, 2010 10:20:32 AM
- Type:
- Worm
- Infection Length:
- 113,664 bytes
- Systems Affected:
- Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
- CVE References:
- CVE-2010-2568
W32.Changeup.C is a worm that spreads through removable and shared drives by exploiting the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732).
Malicious Link Files
Symantec Endpoint Protection (SEP) users can leverage the Application and Device Control Policy feature to block malicious LNK files, using the details in Symantec's guidance on blocking malicious LNK files.
AutoRun and W32.Changeup.C
Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats compromising it.
For more information, see the following resource:
How to prevent a virus from spreading using the "AutoRun" feature
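The two propagation paths above (a crafted .lnk file that runs when the folder is displayed, and an autorun.inf that launches a program when the drive is inserted) can both be checked from the console. The script below is an added example, not part of the Symantec writeup or its ADC policy: it sets the documented Explorer policy value `NoDriveTypeAutoRun` to disable AutoRun for all drive types, reads it back to confirm the change, and then audits every removable drive for an autorun.inf launch line, .lnk files and hidden executables. Files are read as text or metadata only; nothing is resolved through the shell, so a crafted shortcut is never rendered. It assumes an elevated PowerShell 3.0 or later session on Windows; the drive letters and the 113,664-byte size match (taken from the Infection Length field above) are illustrative.

```powershell
# Added example (not from the Symantec writeup): harden AutoRun and audit
# removable drives for the artifacts W32.Changeup.C relies on.
# Assumptions: elevated PowerShell 3.0+ on Windows. The registry path and
# value are the documented Explorer AutoRun policy; the worm size check uses
# the Infection Length stated in the writeup.

#Requires -RunAsAdministrator

# 1. Disable AutoRun for every drive type (0xFF sets all drive-type bits).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# Read the value back so the change is verified rather than assumed.
$current = (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
"NoDriveTypeAutoRun is now 0x{0:X2}" -f $current

# 2. Audit removable drives (Win32_LogicalDisk DriveType 2 = removable disk).
$wormLength = 113664   # Infection Length from the writeup, used as a hint only
$removable  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'

foreach ($drive in $removable) {
    $root = $drive.DeviceID + '\'
    "Scanning $root"

    # Report what autorun.inf would have launched. The file is read as text;
    # nothing in it is executed.
    $inf = Join-Path $root 'autorun.inf'
    if (Test-Path $inf) {
        Get-Content -Path $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { "  autorun.inf launches: $($_.Trim())" }
    }

    # List shortcuts by metadata only. -Force includes hidden/system files,
    # which worms commonly set on their droppings.
    Get-ChildItem -Path $root -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            "  shortcut: {0} ({1} bytes, attributes: {2})" -f $_.Name, $_.Length, $_.Attributes
        }

    # Hidden executables anywhere on the drive; flag a size match with the
    # writeup's Infection Length as worth a closer look (not a detection).
    Get-ChildItem -Path $root -Include '*.exe', '*.dll', '*.scr' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            $note = if ($_.Length -eq $wormLength) { ' <-- size matches W32.Changeup.C infection length' } else { '' }
            "  hidden executable: {0} ({1} bytes){2}" -f $_.FullName, $_.Length, $note
        }
}
```

Run it once with the drive still inserted and AutoPlay already dismissed; the registry change takes effect for new drive insertions after Explorer re-reads the policy (a logoff/logon is the safe way to be sure). Treat the size match as a prompt to submit the file for analysis, not as an identification.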
Symantec Endpoint Protection – Application and Device Control Policy
Symantec Security Response has developed an Application and Device Control (ADC) Policy for Symantec Endpoint Protection to protect against the activities associated with this threat. ADC policies are useful in reducing the risk of a threat infecting a computer, the unintentional removal of data, and to restrict the programs that are run on a computer.
This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another. If you are experiencing an outbreak of this threat in your network, please download the policy.
To use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to enable active protection.
For more information, please read "Preventing viruses using 'autorun.inf' from spreading with 'Application and Device Control' policies in Symantec Endpoint Protection (SEP) 11.x".
For more information on ADC policies and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual (PDF).
Note: The ADC policies above have been developed by Security Response for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.
Symantec recommends proactively carrying out a number of steps to improve security in your environment. Please see Symantec Endpoint Protection – Best Practices.
Other resources
For more information, please see the following resource:
W32.Changeup
Antivirus Protection Dates
- Initial Rapid Release version July 23, 2010 revision 003
- Latest Rapid Release version February 26, 2011 revision 040
- Initial Daily Certified version July 23, 2010 revision 024
- Latest Daily Certified version February 27, 2011 revision 003
- Initial Weekly Certified release date July 28, 2010
See Symantec's description of Rapid Release and Daily Certified virus definitions for details on how these definition streams differ.
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Easy
Damage
- Damage Level: Medium
- Payload: Downloads files on to the compromised computer.
Distribution
- Distribution Level: Medium
- Target of Infection: Copies itself to removable and shared drives together with a crafted .lnk file, and uses the Windows shortcut vulnerability (CVE-2010-2568) to run as soon as Windows Explorer displays the shortcut's icon, with no user interaction beyond opening the folder.
Writeup By: Takashi Katsuki