W32.Changeup – A Worm By Any Other Name

Whether a Montague or a Capulet, it never mattered to Juliet, as she made the case in Shakespeare's “Romeo and Juliet” when she said one of her most famous lines, “What’s in a name? That which we call a rose by any other name would smell as sweet.”

Earlier this week, we wrote about the increase in detections of a threat named W32.Changeup. Other vendors have written about it as well. However, each security vendor’s naming conventions are different. For Symantec, we named the threat W32.Changeup when we first discovered it.

Sampling of vendor detection names for W32.Changeup:

  • Microsoft: Worm:Win32/Vobfus.MD
  • McAfee: W32/Autorun.worm.aaeh
  • Trend Micro: WORM_VOBFUS
  • Sophos: W32/VBNA-X
  • Kaspersky: Worm.Win32.VBNA.b
  • ESET-NOD32: Win32/VBObfus.GH

While our naming conventions may be different, a worm by any other name is still a worm. And this worm in particular has not let up. Our recent data indicates W32.Changeup continues to have an impact.

Over a six-day span, Security Response has observed a large increase in the number of detections for W32.Changeup.

We continue to update and add detections for this threat as we encounter new variants. Customers are advised to make sure their virus and intrusion prevention definitions are up to date.

Antivirus

Intrusion Prevention System

Since this worm spreads by leveraging the AutoRun feature in Windows, we also recommend that customers take proactive measures to prevent this feature from being abused.

USB Autorun malware on the wane

The prevalence of Autorun malware appears to have dropped significantly after Microsoft pushed out an update to change the behaviour of the Windows technology.

Here’s some good news in the ongoing fight against Windows-based malware – it appears that there has been a significant drop in the number of computers being infected by malware which exploits the Windows Autorun feature.

Autorun is the technology which makes a program start automatically when you insert a CD or USB stick into your Windows PC. You may have spotted the tell-tale Autorun.inf files in the root directory of your USB sticks and on CDs in the past.

Autorun may sound like it’s great for functionality, but a large amount of malware (the most notorious example would probably be the Conficker worm) has exploited the technology to infect computers via USB sticks in the past.
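A defensive check for the Autorun.inf files described above, as an added example that is not part of the original article: it reads the text of an Autorun.inf and reports the entries that would start a program. The function name `launch_entries` and both sample files are constructed for illustration; `open`, `shellexecute` and `shell\<verb>\command` are the standard `[autorun]` keys that name a command.

```python
import re

# Standard [autorun] keys that name a program for Windows to launch.
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command adds a drive context-menu verb that runs a program.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")


def launch_entries(text):
    """Return (key, command) pairs in [autorun] that would start a program."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # another section, or a line that is not key=value
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()  # section and key names are case-insensitive
        if value and (key in EXEC_KEYS or SHELL_CMD.match(key)):
            found.append((key, value))
    return found


# Constructed samples for illustration, not taken from any real drive.
SUSPICIOUS = r"""; constructed sample
[AutoRun]
qwertyuiop
Open = secret.exe
icon=%SystemRoot%\system32\shell32.dll,4
Shell\Explore\Command=secret.exe
action=Open folder to view files
"""
BENIGN = "[autorun]\nicon=setup.ico\nlabel=Backup Disk\n"

if __name__ == "__main__":
    for name, sample in (("SUSPICIOUS", SUSPICIOUS), ("BENIGN", BENIGN)):
        hits = launch_entries(sample)
        print(name, "->", hits if hits else "no launch entries")
```

An Autorun.inf that only sets `icon` or `label` returns an empty list; any returned entry names a file on the drive that is worth scanning before the drive is used.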

Earlier this year, Microsoft rolled out an update, effectively preventing Autorun malware from automatically infecting PCs without the user’s permission.

And the good news is that it appears to have worked.

Microsoft chart of Autorun infections

According to research done by Microsoft, by May 2011 the number of infections found on scanned computers had reduced by 59% on XP and by 74% on Vista in comparison to 2010.

Of course, disabling Autorun doesn’t mean the 100% eradication of all Autorun malware – as some examples use a variety of alternative techniques to spread beyond using the Autorun functionality.

Well done to Microsoft for removing most of the weeds from that particular corner of the malware garden.