System Infected: W32.Changeup Worm Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Changeup Worm activity on the infected machine.

Additional Information

When executed, the worm creates the following file:
%UserProfile%\[CURRENT USER NAME].exe

The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[CURRENT USER NAME]" = "%UserProfile%\[CURRENT USER NAME].exe"

It then creates the following registry entry in order to hide its presence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "1"

The worm copies itself to all removable and mapped drives as the following file:
%DriveLetter%\[CURRENT USER NAME].exe

Next, the worm creates the following file so that it runs when the above drives are accessed:
%DriveLetter%\autorun.inf
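
A read-only check for the artifacts listed above, as an added example (not Symantec's signature or tooling). It assumes it is run in the session of the user being examined, since every path and registry value above is per-user; the variable names and output wording are this example's own.

```powershell
# Added example: looks for the files and registry values described on this page.
# Read-only: nothing is modified or deleted.
$name     = $env:USERNAME
$exeName  = "$name.exe"
$findings = @()

# 1. Dropped copy: %UserProfile%\[CURRENT USER NAME].exe
$dropped = Join-Path $env:USERPROFILE $exeName
if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $findings += "File present: $dropped"
}

# 2. Run value named after the current user
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$value  = if ($run) { $run.PSObject.Properties[$name] }
if ($value) {
    $findings += "Run value '$name' = $($value.Value)"
}

# 3. ShowSuperHidden; the page lists "1" as the value the worm writes.
#    On its own this is a weak signal, so it is only reported as context.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -Name ShowSuperHidden -ErrorAction SilentlyContinue
if ($adv -and "$($adv.ShowSuperHidden)" -eq '1') {
    $findings += 'ShowSuperHidden = 1 (context only)'
}

# 4. Removable (DriveType 2) and mapped network (DriveType 4) drives
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 4'
foreach ($d in $drives) {
    $root = "$($d.DeviceID)\"
    $copy = Join-Path $root $exeName
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $copy -PathType Leaf) {
        $findings += "File present: $copy"
    }
    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        # Note whether autorun.inf mentions the user-named executable
        $refs = Select-String -LiteralPath $inf -SimpleMatch $exeName -Quiet
        $findings += "autorun.inf present: $inf (references ${exeName}: $([bool]$refs))"
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from this page were found for the current user.'
} else {
    $findings
}
```

A file or Run value named after the logged-in user is the strongest indicator here; an `autorun.inf` on a removable drive is only meaningful alongside it.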

Affected

  • Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000