W32.Changeup – A Worm By Any Other Name

Whether a Montague or a Capulet, it never mattered to Juliet, as she made the case in Shakespeare's “Romeo and Juliet” when she says one of her most famous lines, “What’s in a name? That which we call a rose by any other name would smell as sweet.”

Earlier this week, we wrote about the increase in detections of a threat named W32.Changeup. Other vendors have written about it as well. However, each security vendor’s naming conventions are different. For Symantec, we named the threat W32.Changeup when we first discovered it.

Sampling of vendor detection names for W32.Changeup:

  • Microsoft: Worm:Win32/Vobfus.MD
  • McAfee: W32/Autorun.worm.aaeh
  • Trend Micro: WORM_VOBFUS
  • Sophos: W32/VBNA-X
  • Kaspersky: Worm.Win32.VBNA.b
  • ESET-NOD32: Win32/VBObfus.GH

While our naming conventions may be different, a worm by any other name is still a worm. And this worm in particular has not let up. Our recent data indicates W32.Changeup continues to have an impact.

Over a six day span, Security Response has observed a large increase in the number of detections for W32.Changeup.

We continue to update and add detections for this threat as we encounter new variants. Customers are advised to make sure their virus and intrusion prevention definitions are up to date.

Antivirus

Intrusion Prevention System

Since this worm spreads by leveraging the AutoRun feature in Windows, we also recommend that customers take proactive measures to prevent this feature from being abused.