This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects W32.Changeup Worm activity on the infected machine.
When executed, the worm creates the following file:
%UserProfile%\[CURRENT USER NAME].exe
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[CURRENT USER NAME]" = "%UserProfile%\[CURRENT USER NAME].exe"
It then creates the following registry entry in order to hide its presence:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "1"
The worm copies itself to all removable and mapped drives as the following file:
%DriveLetter%\[CURRENT USER NAME].exe
Next, the worm creates the following file so that it runs when the above drives are accessed:
- Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
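
The artifacts listed above can be checked on a live host with a read-only script. The following PowerShell is an added example, not part of the original signature description or any vendor tooling. It assumes it is run in the session of the user being checked, and it uses Win32_LogicalDisk drive types 2 and 4 as one way to enumerate removable and mapped drives. It does not look for the file referred to in the last step, because the page does not name it.

```powershell
# Added example: read-only check for the W32.Changeup artifacts described above.
# The indicators are per-user (HKCU, %UserProfile%), so run it as that user.
$user     = $env:USERNAME
$expected = [IO.Path]::Combine($env:USERPROFILE, "$user.exe")
$findings = @()

# 1. Dropped copy: %UserProfile%\[CURRENT USER NAME].exe
if (Test-Path -LiteralPath $expected -PathType Leaf) {
    $findings += "File present: $expected"
}

# 2. Run value named after the user that points at the dropped copy
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $user)) {
    $value = [Environment]::ExpandEnvironmentVariables([string]$run.$user)
    if ($value.Trim('"') -ieq $expected) {
        $findings += "Run value '$user' -> $value"
    }
}

# 3. ShowSuperHidden = 1 as listed on the page. A user can set this value
#    legitimately, so it is only reported alongside the other indicators.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -Name ShowSuperHidden -ErrorAction SilentlyContinue
if ($adv -and ($adv.ShowSuperHidden -eq 1) -and $findings) {
    $findings += 'ShowSuperHidden is set to 1'
}

# 4. Copies on removable (DriveType 2) and mapped network (DriveType 4) drives
$drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 4'
foreach ($d in $drives) {
    $copy = "$($d.DeviceID)\$user.exe"
    if (Test-Path -LiteralPath $copy -PathType Leaf) {
        $findings += "Copy on drive: $copy"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'None of the file or registry artifacts listed above were found for this user.'
}
```

A match on the file name alone is not proof of infection, since a legitimate executable can share the user's name; treat a file hit together with the matching Run value as the stronger signal.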