W32.Changeup – A Malicious Gift That Keeps On Giving

In mid-2009 W32.Changeup, a polymorphic worm written in Visual Basic, was first discovered on systems around the world. Over the last few years, we have profiled this threat, explained why it spreads, and shown how it was created.

In the last week there has been an increase in the number of W32.Changeup detections. The increase in detections is a result of an updated version of W32.Changeup now circulating in the wild:
Figure. Detections of the updated version of W32.Changeup in the last seven days
W32.Changeup comes bearing gifts. When a system is compromised, W32.Changeup may install additional malware. The installed threats range from Backdoor.Tidserv and Trojan.FakeAV to Backdoor.Trojan and Downloader Trojan, and the Downloader Trojan in turn downloads even more malware onto the compromised computer.

The worm copies itself to removable and mapped drives by taking advantage of the AutoRun feature in Windows. The latest version of the worm also copies itself to the following locations:

  • %UserProfile%\Passwords.exe
  • %UserProfile%\Secret.exe
  • %UserProfile%\Porn.exe
  • %UserProfile%\Sexy.exe

Security Response strongly recommends taking steps to prevent worms from leveraging the AutoRun feature. We have the following protections in place for the latest version of W32.Changeup:

Antivirus

Intrusion Prevention System

  • System Infected: W32.Changeup Worm Activity

We have also identified the servers that the latest version of the worm attempts to contact after compromising a computer:

Servers

  • ns1.helpupdater.net
  • ns1.helpchecks.net
  • ns1.helpupdates.com
  • ns1.helpupdates.net
  • ns1.couchness.com
  • ns1.chopbell.net
  • ns1.chopbell.com
  • ns1.helpupdated.net
  • ns1.helpupdated.org
  • ns1.helpupdatek.at
  • ns1.helpupdatek.eu
  • ns1.helpupdatek.tw
  • existing.suroot.com
  • 22231.dtdns.net
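As an added example (it is not part of the original post and is not Symantec's own tooling), the following Python script turns the two indicator lists above into a simple defender-side check: it flags executables with the listed names sitting directly in a user profile root, and it flags DNS queries for the listed servers in a query log. The log line format, the sample file paths and the sample queries are constructed for this example, and the assumption that %UserProfile% is a direct child of C:\Users or C:\Documents and Settings is a heuristic rather than anything stated in the post.

```python
import re
from pathlib import PureWindowsPath

# File names the latest W32.Changeup variant drops into %UserProfile% (from the post).
DROPPED_FILENAMES = {"passwords.exe", "secret.exe", "porn.exe", "sexy.exe"}

# Servers the worm attempts to contact after compromising a computer (from the post).
C2_HOSTS = {
    "ns1.helpupdater.net", "ns1.helpchecks.net", "ns1.helpupdates.com",
    "ns1.helpupdates.net", "ns1.couchness.com", "ns1.chopbell.net",
    "ns1.chopbell.com", "ns1.helpupdated.net", "ns1.helpupdated.org",
    "ns1.helpupdatek.at", "ns1.helpupdatek.eu", "ns1.helpupdatek.tw",
    "existing.suroot.com", "22231.dtdns.net",
}

# Assumed heuristic: a profile root is a direct child of one of these folders.
PROFILE_PARENTS = {"users", "documents and settings"}


def suspicious_profile_files(paths):
    """Return the paths whose file name is a known drop name and whose parent
    directory looks like a user profile root (e.g. C:\\Users\\alice)."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        in_profile_root = p.parent.parent.name.lower() in PROFILE_PARENTS
        if p.name.lower() in DROPPED_FILENAMES and in_profile_root:
            hits.append(raw)
    return hits


# Assumed log format: "<date> <time> <client-ip> query <qname>".
DNS_LINE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def c2_lookups(log_lines):
    """Return (client, qname) pairs for queries that hit a listed server or a
    subdomain of one. Malformed lines are skipped; the trailing dot that DNS
    logs often append is stripped so that matching is exact."""
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in C2_HOSTS or any(qname.endswith("." + h) for h in C2_HOSTS):
            hits.append((m.group("client"), qname))
    return hits


# Constructed sample input (not real host data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Passwords.exe",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\bob\sexy.EXE",
    r"C:\Program Files\Tool\secret.exe",          # same name, not in a profile root
    r"C:\Documents and Settings\carol\Porn.exe",
]

# Constructed sample DNS log (timestamps and addresses are invented).
SAMPLE_DNS_LOG = [
    "2013-03-05 10:01:02 10.0.0.15 query ns1.helpupdater.net.",
    "2013-03-05 10:01:03 10.0.0.15 query www.example.com.",
    "2013-03-05 10:01:09 10.0.0.22 query 22231.dtdns.net",
    "2013-03-05 10:01:10 10.0.0.22 query update.dtdns.net",   # parent domain only: no hit
    "malformed line",
]

if __name__ == "__main__":
    for path in suspicious_profile_files(SAMPLE_LISTING):
        print("dropped-file indicator:", path)
    for client, qname in c2_lookups(SAMPLE_DNS_LOG):
        print("C2 lookup indicator:", client, "->", qname)
```

Either hit on its own is worth a closer look at the machine (the antivirus and IPS signatures named above are the authoritative detections); the file check deliberately ignores copies of the same names elsewhere on disk to keep noise down, and the DNS check matches only the listed hosts and their subdomains, not the parent dynamic-DNS zones.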

Security Response will continue to monitor W32.Changeup and provide protections against variations and accompanying malware.