W32.Changeup


Discovered: August 18, 2009
Updated: April 23, 2015 11:33:45 AM
Also Known As: Win32/VBObfus.GH [NOD32], W32/VBNA-X [Sophos], WORM_VOBFUS [Trend], Win32/Vobfus.MD [Microsoft], Trj/CI.A [Panda Software], W32/Autorun.worm.aaeh [McAfee], Worm.Win32.VBNA.b [Kaspersky], Gen:Variant.Symmi.6831 [F-Secure], TrojanDownloader:Win32/Beebone.gen!A [Microsoft], Mal/Beebone-A [Sophos]
Type: Worm
Infection Length: 128,000 bytes
Systems Affected: Windows
CVE References: CVE-2010-2568

W32.Changeup is a worm that spreads through removable and mapped drives. It may also spread by exploiting the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732). The worm may also spread through certain file-sharing programs.

The worm downloads more threats and misleading applications on to the compromised computer.

Infection
This worm spreads through removable and mapped drives. It also uses the AutoRun feature of Windows to run automatically.

The worm creates several .lnk files on the compromised computer and then exploits the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732) in order to spread.

Furthermore, the worm installs a file-sharing program on the compromised computer and attempts to propagate by copying itself into the shared folder using a number of file names that have been selected to appear enticing to file sharers.


Functionality
The primary function of this threat is to download more malware on to the compromised computer. It is likely that the authors of the threat are associated with affiliate schemes that attempt to generate money through the distribution of malware.


Polymorphism
The worm employs an element of polymorphism by dynamically generating URLs from which it attempts to download files. Furthermore, while the worm creates a number of copies of itself on the compromised computer, each copy has several uniquely modified bytes in an attempt to evade simple static antivirus detections based on file hashes.



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.


PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.

SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.

Antivirus signatures


Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.


Intrusion Prevention System


AutoRun and W32.Changeup
Symantec strongly recommends that customers take specific steps to control the execution of applications referenced in autorun.inf files that may be located on removable and network drives. Threats such as this one frequently attempt to spread to other computers using these avenues. Configuration changes made to a computer can limit the possibility of new threats compromising it.

For more information, see the following resource:
Prevent viruses from using AutoRun to spread


Symantec Endpoint Protection – Application and Device Control Policy
Symantec Security Response has developed an Application and Device Control (ADC) Policy for Symantec Endpoint Protection to protect against the activities associated with this threat. ADC policies are useful for reducing the risk of a threat infecting a computer, preventing the unintentional removal of data, and restricting the programs that are run on a computer.

This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another. If you are experiencing an outbreak of this threat in your network, please download the policy.

To use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to enable active protection.

For more information, please read Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x and 12.1.x.

For more information on ADC policies and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual (PDF).

Note: The ADC policies above have been developed by Security Response for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.

Symantec recommends proactively carrying out a number of steps to improve security in your environment. Please see Symantec Endpoint Protection – Best Practices.

Antivirus Protection Dates

  • Initial Rapid Release version August 17, 2009 revision 052
  • Latest Rapid Release version July 15, 2018 revision 016
  • Initial Daily Certified version August 17, 2009 revision 054
  • Latest Daily Certified version July 14, 2018 revision 004
  • Initial Weekly Certified release date August 19, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Éamonn Young, Hatsuho Honda, and Henry Bell


1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
2. Infection method
2.1 Removable drives
2.2 Remotely exploitable vulnerability
2.3 File-sharing programs
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Additional functionality
4. Additional information



1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
Users are advised not to open or execute files from unknown sources. It is also advisable to disconnect removable drives when not required. If write access is not required, enable the read-only mode if the option is available.

Users should disable AutoPlay to prevent automatic launching of executable files on removable drives. More information may be found by reading this article: Prevent viruses from using AutoRun to spread

Users should turn off file sharing if its use is not required. If file sharing is required, users should use ACLs and password protection to limit access. In addition to this, the use of a firewall or IDS may block or detect back door server communications with remote client applications.


1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are distributed by vendors.

This threat is known to spread by exploiting certain vulnerabilities. Installation of a patch for the following vulnerability will reduce the risk of infection:
Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732)


2. INFECTION METHOD
This worm spreads through removable and mapped drives. It also spreads by exploiting the following vulnerability:
Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732)

The worm employs an innovative way of spreading through file-sharing networks. It installs a file-sharing program on the compromised computer and attempts to propagate by making copies of itself in the shared folder of the program.

The above techniques are discussed in more detail in the following sections.


2.1 Removable drives
W32.Changeup spreads using AutoRun, a Windows feature that allows an executable to run automatically when a drive is accessed. The worm copies itself, together with a configuration file called autorun.inf, to removable drives. An autorun.inf file is a plain text file that specifies how the drive should be displayed, along with options for executing the accompanying file. As a result, the worm can spread when the removable drive is inserted into another computer that has AutoRun enabled.

This feature should be disabled so that files on removable devices do not execute when the device is inserted into the computer. It should be noted that the AutoRun feature is disabled by default for non-optical removable drives in recent versions of Windows and on systems with certain updates applied.

Removable drives should also be disconnected when not in use, and if write access is not required, users should enable the read-only mode if the option is available.


2.2 Remotely exploitable vulnerability

The worm copies several .lnk files to the compromised computer. The copied files exploit the following vulnerability in order to execute and spread the threat:
Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732)


2.3 File-sharing programs
Many threats use file-sharing programs in order to spread to other computers. Typically these threats would scan a compromised computer for the shared folders of these programs, and if found would copy themselves into those folders. Threats often copy themselves using names that are popular in search queries (e.g. popular pirated software, games, or cracks).

In contrast to the above method, W32.Changeup does not scan for existing file-sharing programs but instead installs a well-known file-sharing application called eMule. When the worm is executed, this installation can be seen in Process Explorer.

It then creates copies of itself in the eMule file-sharing folder, mimicking tens of thousands of file names common in popular user searches. The files may take up as much as a gigabyte of space on the hard drive.

Each copy is saved as a .zip file that appears to contain a legitimate setup.exe file. However, the file is actually a copy of the worm.

Each of the .zip files also contains a number of random bytes in order to evade static antivirus detections based on the file hash.



3. FUNCTIONALITY
The primary function of this threat is to download more malware on to the compromised computer.

Because W32.Changeup is highly customizable, variants can connect to any URL and download whatever malware, in whatever quantity, they have been programmed to fetch.

The worm may download anything from a misleading application to several additional malware components that eventually lead to the computer crashing and displaying the infamous “Blue Screen of Death”.

It has been known to download the following threats:

In some cases, the worm may initiate a multiple download chain. For example, W32.Changeup may download other malware from various URLs, and that downloaded malware may then in turn download more malware and/or misleading applications on to the compromised computer.

Note: Side effects created by associated threats are not included in this report.


3.1 System modifications
The following side effects may be observed on computers compromised by members of this threat family.


Files/folders created
When the worm executes, it may copy itself to the following locations:
  • %UserProfile%\[CURRENT USER NAME].exe
  • %UserProfile%\Passwords.exe
  • %UserProfile%\Secret.exe
  • %UserProfile%\Porn.exe
  • %UserProfile%\Sexy.exe
It also searches for RAR and Zip archives, and adds itself to the archives as the following file:
Secret.exe

The worm copies itself to all removable and mapped drives as the following file:
%DriveLetter%\[CURRENT USER NAME].exe

Next, the worm creates the following file so that it runs when the above drives are accessed:
%DriveLetter%\autorun.inf


Files/folders deleted
None


Files/folders modified
None


Registry subkeys/entries created
The worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[CURRENT USER NAME]" = "%UserProfile%\[CURRENT USER NAME].exe"


Registry subkeys/entries deleted
None


Registry subkeys/entries modified (final values given)

The worm modifies the following registry entries in order to hide its presence and disable automatic Windows updates on the compromised computer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"NoAutoUpdate" = "1"
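As an added example (not part of the Symantec writeup), the following Python checks a regedit export and an autorun.inf for the host artifacts described in sections 2.1 and 3.1: the Run value named after the current user that launches [CURRENT USER NAME].exe, ShowSuperHidden set to 0, NoAutoUpdate set to 1, and an autorun.inf whose open or shellexecute entry launches that executable. The user name "alice" and both sample inputs are constructed, and the .reg parser only handles REG_SZ and REG_DWORD values.

```python
import configparser
import re

# Registry paths named in the writeup's "System modifications" section.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# One value line of a regedit export: "name"="string" or "name"=dword:xxxxxxxx
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:"(?P<str>.*)"|dword:(?P<dword>[0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Parse regedit 'Export' text into {key_path: {value_name: data}}.
    REG_SZ data is returned as str (backslash escapes undone), REG_DWORD as int."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            if m.group("dword") is not None:
                keys[current][m.group("name")] = int(m.group("dword"), 16)
            else:
                keys[current][m.group("name")] = m.group("str").replace("\\\\", "\\")
    return keys  # the header, blank lines and other value types are ignored

def check_registry(keys, username):
    """Return the Changeup indicators present in a parsed export for the given user."""
    findings = []
    run_data = keys.get(RUN_KEY, {}).get(username, "")
    # Run value named after the user that launches <user>.exe (the %UserProfile% copy)
    if run_data.lower().endswith("\\" + username.lower() + ".exe"):
        findings.append("run-key persistence: " + run_data)
    if keys.get(ADVANCED_KEY, {}).get("ShowSuperHidden") == 0:
        findings.append("ShowSuperHidden=0 (protected system files hidden)")
    if keys.get(AU_KEY, {}).get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate=1 (automatic updates disabled)")
    return findings

def autorun_launches_user_exe(text, username):
    """True if an autorun.inf open= or shellexecute= entry launches <user>.exe."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return False
    name = username.lower() + ".exe"
    for opt in ("open", "shellexecute"):
        tokens = (cp[section].get(opt) or "").lower().split()  # drop any arguments
        if tokens and (tokens[0] == name or tokens[0].endswith("\\" + name)):
            return True
    return False

# Constructed sample inputs for the checks above (not taken from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"alice"="%UserProfile%\\alice.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"""
SAMPLE_AUTORUN = "[autorun]\nopen=alice.exe\nicon=alice.exe\n"
```

On a live system the same checks apply to an export taken with `reg export` and to the autorun.inf found in the root of each removable drive.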


3.2 Network activity
The threat may perform the following network activities.


Downloading
The worm may attempt to connect to a number of remote locations through port 7005, 8003, 9002, or 9004 in order to download more malware on to the compromised computer.

The worm may also attempt to connect to a remote location specified in a downloaded string in the following format:
http://code[REMOVED]:999/[FILE NAME ONE] [FILE NAME TWO]

The above string instructs the worm to download the file [FILE NAME ONE] from the following location:
code[REMOVED].net through TCP port 999

It then saves the file under the name [FILE NAME TWO]. The saved file name changes randomly every time a connection is made to this host.
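The following Python is an added example, not code from the writeup: it parses download directives of the format shown above into host, port, remote name and local name, and scans constructed connection-log records for outbound TCP traffic to the download ports the writeup names (7005, 8003, 9002, 9004 and 999). The log format, the placeholder host standing in for the redacted code[REMOVED].net, and the file names are assumptions.

```python
from urllib.parse import urlsplit

# Ports the writeup associates with the worm's download traffic (section 3.2).
DOWNLOAD_PORTS = {7005, 8003, 9002, 9004, 999}

def parse_download_directive(line):
    """Parse a 'http://host:port/REMOTE LOCAL' directive into its parts.
    Returns None for any string that does not have exactly that shape."""
    tokens = line.split()
    if len(tokens) != 2:
        return None
    url, save_as = tokens
    try:
        u = urlsplit(url)
        port = u.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    remote = u.path.lstrip("/")
    if u.scheme != "http" or not u.hostname or port is None or not remote:
        return None
    return {"host": u.hostname, "port": port, "remote_name": remote, "save_as": save_as}

def parse_connection_log(lines):
    """Parse constructed 'time proto src:port dst:port' records into dicts."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line
        try:
            src_ip, _src_port = parts[2].rsplit(":", 1)
            dst_ip, dst_port = parts[3].rsplit(":", 1)
            records.append({"time": parts[0], "proto": parts[1], "src": src_ip,
                            "dst": dst_ip, "dst_port": int(dst_port)})
        except ValueError:
            continue  # header line or a field without host:port
    return records

def flag_download_ports(records):
    """Return (time, dst, dst_port) for TCP connections to the listed ports."""
    return [(r["time"], r["dst"], r["dst_port"]) for r in records
            if r["proto"] == "TCP" and r["dst_port"] in DOWNLOAD_PORTS]

# Constructed log lines (documentation addresses, made-up times); not a real capture.
SAMPLE_LOG = """time proto src dst
10:00:01 TCP 192.0.2.10:49152 198.51.100.7:443
10:00:05 TCP 192.0.2.10:49153 203.0.113.5:8003
10:00:09 UDP 192.0.2.10:49154 203.0.113.5:9002
10:00:12 TCP 192.0.2.10:49155 203.0.113.9:999
10:00:15 TCP 192.0.2.10:49156 198.51.100.7:80
""".splitlines()
# Placeholder host standing in for the writeup's redacted "code[REMOVED].net".
SAMPLE_DIRECTIVE = "http://code-placeholder.invalid:999/update.exe kb20931.exe"
```

Port-only matching is a triage filter, not proof of infection; a hit on one of these ports should be confirmed against the host artifacts in section 3.1.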


3.3 Additional functionality
Every time W32.Changeup infects a computer, it uses a random string as a key to decrypt some information within the code of the worm. This process allows the worm to generate a URL dynamically (as opposed to storing it). This may be done in order to obscure the address of the server from analysis.

The worm then connects to the server and downloads additional files on to the compromised computer.

Each time it creates a copy of itself the worm alters the value of certain bytes within the new file. While the file size does not change, this modification will result in the copy having a different hash value. This is done in an attempt to evade simple static antivirus detections based on file hashes.
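An added example (not from the writeup) of why the byte-patching described above defeats hash matching and what a defender can use instead: each constructed copy hashes differently, yet a same-size comparison that counts differing bytes still clusters the copies with the known sample. The sample contents, the file names and the 16-byte threshold are assumptions.

```python
import hashlib

def hamming_bytes(a, b):
    """Count byte positions at which two equal-length samples differ."""
    if len(a) != len(b):
        raise ValueError("samples must have the same length")
    return sum(x != y for x, y in zip(a, b))

def is_byte_patched_copy(known, candidate, max_changed=16):
    """True when candidate is the same size as known and differs in at most max_changed
    bytes, i.e. looks like one of the worm's hash-varied copies rather than another file."""
    return len(known) == len(candidate) and hamming_bytes(known, candidate) <= max_changed

def cluster_copies(known, candidates, max_changed=16):
    """Map each candidate name to (SHA-256 hex digest, clusters with known sample?)."""
    return {name: (hashlib.sha256(data).hexdigest(), is_byte_patched_copy(known, data, max_changed))
            for name, data in candidates.items()}

# Constructed samples: KNOWN stands in for an analysed copy of the worm; the two named
# "copies" differ from it in a handful of bytes, the other files are unrelated.
KNOWN = bytes(range(256)) * 4

def _patched(data, changes):
    """Return data with the bytes at the given offsets replaced (test-data helper)."""
    buf = bytearray(data)
    for offset, value in changes.items():
        buf[offset] = value
    return bytes(buf)

SAMPLES = {
    "Passwords.exe": _patched(KNOWN, {17: 0xAA, 300: 0x01, 901: 0xFE}),
    "Secret.exe": _patched(KNOWN, {5: 0x00, 640: 0x7F}),
    "unrelated.bin": bytes(1024),   # same size, almost every byte differs
    "bigger.bin": KNOWN + b"\x00",  # different size, never compared byte by byte
}
```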



4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:
Blog entries on W32.Changeup

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.



You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.



FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.


Removal Tool


If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.


FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.


Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec endpoints. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.


Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.


How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network



MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.


1. Performing a full system scan
How to run a full system scan using your Symantec product


2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
