W32.Changeup


Risk Level 2: Low

August 18, 2009
April 23, 2015 11:33:45 AM
Also Known As:
Win32/VBObfus.GH [NOD32], W32/VBNA-X [Sophos], WORM_VOBFUS [Trend], Win32/Vobfus.MD [Microsoft], Trj/CI.A [Panda Software], W32/Autorun.worm.aaeh [McAfee], Worm.Win32.VBNA.b [Kaspersky], Gen:Variant.Symmi.6831 [F-Secure], TrojanDownloader:Win32/Beebone.gen!A [Microsoft], Mal/Beebone-A [Sophos]
Infection Length:
128,000 bytes
Systems Affected:
CVE References:
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
2. Infection method
2.1 Removable drives
2.2 Remotely exploitable vulnerability
2.3 File-sharing programs
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Additional functionality
4. Additional information

The following actions can be taken to avoid or minimize the risk from this threat.

1.1 User behavior and precautions
Users are advised not to open or execute files from unknown sources. It is also advisable to disconnect removable drives when not required. If write access is not required, enable the read-only mode if the option is available.

Users should disable AutoPlay to prevent automatic launching of executable files on removable drives. More information may be found by reading this article: Prevent viruses from using AutoRun to spread

Users should turn off file sharing if its use is not required. If file sharing is required, users should use ACLs and password protection to limit access. In addition to this, the use of a firewall or IDS may block or detect back door server communications with remote client applications.

1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. It is recommended that users turn on automatic updates, if available, so that their computers can receive the latest patches and updates when they are distributed by vendors.

This threat is known to spread by exploiting certain vulnerabilities. Installation of a patch for the following vulnerability will reduce the risk of infection:
Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732)

This worm spreads through removable and mapped drives. It also spreads by exploiting the following vulnerability:
Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732)

The worm employs an innovative way of spreading through file-sharing networks. It installs a file-sharing program on the compromised computer and attempts to propagate by making copies of itself in the shared folder of the program.

The above techniques are discussed in more detail in the following sections.

2.1 Removable drives
W32.Changeup uses AutoRun to spread, which is the name given to a feature of Windows that allows an executable to run automatically when a drive is accessed. The worm copies itself and an accompanying configuration file called autorun.inf to removable drives. An autorun.inf file is simply a text file that contains information that specifies how the file should be displayed, along with options for its execution. This means that the worm is able to spread when the removable drives are inserted into another computer that has AutoRun enabled.

This feature should be disabled so that files on removable devices do not execute when the device is inserted into the computer. It should be noted that the AutoRun feature is disabled by default for non-optical removable drives in recent versions of Windows and on systems with certain updates applied.

Removable drives should also be disconnected when not in use, and if write access is not required, users should enable the read-only mode if the option is available.
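The AutoRun mechanism described in this section can be checked for on a drive before it is opened in Explorer. The following Python sketch is an added example, not Symantec's code: it parses autorun.inf text and reports which executables in the drive root it would start. The sample file content, the file names and the function names are constructed for illustration.

```python
import re

# Constructed autorun.inf text (not from a real sample); the comment line
# checks that the parser skips lines that are not directives.
SAMPLE_INF = """\
;k3j9 padding line
[AutoRun]
open=alice.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=alice.exe
"""

# autorun.inf keys whose value is a command Windows may run.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs")

def autorun_targets(text):
    """Return (key, command) pairs from the [autorun] section."""
    in_section, targets = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if LAUNCH_KEY.match(key.strip()):
            targets.append((key.strip().lower(), value.strip()))
    return targets

def root_executables_launched(text, root_listing):
    """Executables in the drive root that autorun.inf would start."""
    present = {name.lower() for name in root_listing}
    hits = set()
    for _, command in autorun_targets(text):
        program = command.split()[0].lower() if command else ""
        if program in present and program.endswith(EXEC_EXT):
            hits.add(program)
    return sorted(hits)
```

A drive whose root holds both an autorun.inf and an executable it launches matches the propagation pattern in this write-up and should be examined on an isolated system.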

2.2 Remotely exploitable vulnerability

The worm copies several .lnk files to the compromised computer. The copied files exploit the following vulnerability in order to execute and spread the threat:
Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732)

2.3 File-sharing programs
Many threats use file-sharing programs in order to spread to other computers. Typically these threats would scan a compromised computer for the shared folders of these programs, and if found would copy themselves into those folders. Threats often copy themselves using names that are popular in search queries (e.g. popular pirated software, games, or cracks).

In contrast to the above method, W32.Changeup does not scan for existing file-sharing programs but instead installs a well-known file-sharing application called eMule. When the worm is executed, this installation can be seen in Process Explorer.

It then creates copies of itself in the Emule file-sharing folder, mimicking tens of thousands of file names common in popular user searches. The files may take up as much as a gigabyte of space on the hard drive.

Each copy is saved as a .zip file that appears to contain a legitimate setup.exe file. However, the file is actually a copy of the worm.

Each of the .zip files also contains a number of random bytes of information in order to evade static antivirus detections based on the file hash.

The primary function of this threat is to download more malware on to the compromised computer.

As W32.Changeup is highly customizable, a variant can connect to any URL and download whatever malware, and as much of it, as the variant has been programmed to.

The worm may download anything from a misleading application to several additional malware components that eventually lead to the computer crashing and displaying the infamous “Blue Screen of Death”.

It has been known to download the following threats:

In some cases, the worm may initiate a multiple download chain. For example, W32.Changeup may download other malware from various URLs, and that downloaded malware may then in turn download more malware and/or misleading applications on to the compromised computer.

Note: Side effects created by associated threats are not included in this report.

3.1 System modifications
The following side effects may be observed on computers compromised by members of this threat family.

Files/folders created
When the worm executes, it may copy itself to the following locations:
  • %UserProfile%\[CURRENT USER NAME].exe
  • %UserProfile%\Passwords.exe
  • %UserProfile%\Secret.exe
  • %UserProfile%\Porn.exe
  • %UserProfile%\Sexy.exe
It also searches for RAR and Zip archives, and adds itself to the archives as the following file:

The worm copies itself to all removable and mapped drives as the following file:
%DriveLetter%\[CURRENT USER NAME].exe

Next, the worm creates the following file so that it runs when the above drives are accessed:

Files/folders deleted

Files/folders modified

Registry subkeys/entries created
The worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[CURRENT USER NAME]" = "%UserProfile%\[CURRENT USER NAME].exe"

Registry subkeys/entries deleted

Registry subkeys/entries modified (final values given)

The worm modifies the following registry entries in order to hide its presence and disable automatic Windows updates on the compromised computer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\"NoAutoUpdate" = "1"
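The registry entries listed in this section can be looked for in a text export of the hives (the format written by reg export). The following Python sketch is an added example, not Symantec's code: the sample export, the user name "alice", the assumed profile parent folders and the function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in reg-export text form (not taken from a real host).
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"alice"="C:\\Users\\alice\\alice.exe"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
'''

RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
AU = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate\au"
PROFILE_ROOTS = {"users", "documents and settings"}  # assumed profile parent folders
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

def parse_export(text):
    """Yield (key, value_name, data) triples from reg-export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m["name"], m["data"]

def find_indicators(text):
    """Return (tag, detail) pairs for the entries described in the write-up."""
    findings = []
    for key, name, data in parse_export(text):
        if key == RUN and data.startswith('"'):
            path = PureWindowsPath(data.strip('"').replace("\\\\", "\\"))
            # Write-up pattern: value name == user name == exe stem, exe directly in the profile.
            in_profile = path.parent.parent.name.lower() in PROFILE_ROOTS
            if (path.suffix.lower() == ".exe" and in_profile
                    and path.stem.lower() == name.lower() == path.parent.name.lower()):
                findings.append(("run-key-username-exe", str(path)))
        elif key == ADVANCED and name.lower() == "showsuperhidden" and data.lower() == "dword:00000000":
            # 0 also matches default Explorer behaviour, so weigh it only with other hits.
            findings.append(("showsuperhidden-0", data))
        elif key == AU and name.lower() == "noautoupdate" and data.lower() == "dword:00000001":
            findings.append(("noautoupdate-1", data))
    return findings
```

The Run-key heuristic and the NoAutoUpdate policy value carry the most weight; a host showing all three findings together warrants isolation and a full scan.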

3.2 Network activity
The threat may perform the following network activities.

The worm may attempt to connect to the following remote locations through either port 7005, 8003, 9002, or 9004 in order to download more malware on to the compromised computer:

The worm may also attempt to connect to a remote location specified in a downloaded string in the following format:

The above string instructs the worm to download the file [FILE NAME ONE] from the following location:
code[REMOVED].net through TCP port 999

It then saves the file as a file named [FILE NAME TWO]. The saved file name randomly changes every time a connection is made to this host.

3.3 Additional functionality
Every time W32.Changeup infects a computer, it uses a random string as a key to decrypt some information within the code of the worm. This process allows the worm to generate a URL dynamically (as opposed to storing it). This may be done in order to obscure the address of the server from analysis.

The worm then connects to the server and downloads additional files on to the compromised computer.

Each time it creates a copy of itself the worm alters the value of certain bytes within the new file. While the file size does not change, this modification will result in the copy having a different hash value. This is done in an attempt to evade simple static antivirus detections based on file hashes.
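Because the copies keep the same size and differ only in certain bytes, comparing files block by block still ties them together where a whole-file hash does not. The following Python sketch is an added example, not Symantec's detection logic: the sample data is constructed, and the block size, threshold and function names are illustrative choices.

```python
import hashlib

BLOCK = 512  # illustrative block size

def block_digests(data, block=BLOCK):
    """SHA-256 of each fixed-size block, in file order."""
    return [hashlib.sha256(data[i:i + block]).digest()
            for i in range(0, len(data), block)]

def block_similarity(a, b, block=BLOCK):
    """Fraction of same-offset blocks that match; 0.0 when sizes differ."""
    if len(a) != len(b) or not a:
        return 0.0
    da, db = block_digests(a, block), block_digests(b, block)
    return sum(x == y for x, y in zip(da, db)) / len(da)

def group_variants(samples, threshold=0.9):
    """Greedily group {name: bytes} by similarity to each group's first member."""
    groups = []
    for name, data in samples.items():
        for group in groups:
            if block_similarity(samples[group[0]], data) >= threshold:
                group.append(name)
                break
        else:
            groups.append([name])
    return groups

def make_samples():
    """Constructed data: two same-size blobs differing in 3 bytes, plus an unrelated blob."""
    base = hashlib.shake_256(b"constructed-sample").digest(128_000)
    copy = bytearray(base)
    for offset in (100, 60_000, 127_999):
        copy[offset] ^= 0xFF  # alter single bytes in place; size is unchanged
    other = hashlib.shake_256(b"unrelated-blob").digest(128_000)
    return {"copy_a": base, "copy_b": bytes(copy), "unrelated": other}
```

On the constructed data the two copies have different SHA-256 values yet share 247 of 250 blocks, so they fall into one group while the unrelated blob stays separate.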

For more information relating to this threat family, please see the following resources:
Blog entries on W32.Changeup


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Éamonn Young, Hatsuho Honda, and Henry Bell