W32.Changeup – A Malicious Gift That Keeps On Giving

In mid-2009 W32.Changeup, a polymorphic worm written in Visual Basic, was first discovered on systems around the world. Over the last few years, we have profiled this threat, explained why it spreads, and shown how it was created.

In the last week there has been an increase in the number of W32.Changeup detections. The increase in detections is a result of an updated version of W32.Changeup now circulating in the wild:

Figure. Detections of updated version of W32.Changeup in last seven days

W32.Changeup comes bearing gifts. When a system is compromised, W32.Changeup may install additional malware. The threats can vary from Backdoor.Tidserv to Trojan.FakeAV as well as Backdoor.Trojan and Downloader Trojan. And the Downloader Trojan will download even more malware onto the compromised computer.

The worm copies itself to removable and mapped drives by taking advantage of the AutoRun feature in Windows. The latest version of the worm also copies itself to the following locations:

  • %UserProfile%\Passwords.exe
  • %UserProfile%\Secret.exe
  • %UserProfile%\Porn.exe
  • %UserProfile%\Sexy.exe

Security Response strongly recommends steps be taken to prevent worms from leveraging this feature. We have the following protections in place for the latest version of W32.Changeup:


Intrusion Prevention System

System Infected: W32.Changeup Worm Activity

We also have identified the servers the latest version of the worm attempts to contact after compromising a computer:


  • ns1.helpupdater.net
  • ns1.helpchecks.net
  • ns1.helpupdates.com
  • ns1.helpupdates.net
  • ns1.couchness.com
  • ns1.chopbell.net
  • ns1.chopbell.com
  • ns1.helpupdated.net
  • ns1.helpupdated.org
  • ns1.helpupdatek.at
  • ns1.helpupdatek.eu
  • ns1.helpupdatek.tw
  • existing.suroot.com
  • 22231.dtdns.net

Security Response will continue to monitor W32.Changeup and provide protections against variations and accompanying malware.

Malicious code added to open-source Piwik following website compromise

Enlarge / Decoded code included in a compromised version of Piwik. It was available on Piwik.org for about eight hours on Monday.

Hackers inserted malicious code into the open-source Piwik analytics software after compromising the Web server used for downloads.

Piwik boasts more than 1.2 million downloads and the program's maintainers are warning those who installed Piwik 1.9.2 during an eight-hour window on Monday that their Web servers may be running malicious code. The backdoor, which was included in versions downloaded from 15:45 UTC to 23:59 UTC, causes servers to send data to prostoivse.com, according to people participating in this Piwik user forum. The IP address connecting that domain name to the Internet has reportedly been used by online scammers in the past.

The attackers compromised Piwik.org by exploiting a security vulnerability in an undisclosed plugin for WordPress, another popular open-source program. The Piwik advisory said maintainers aren't aware of any "exploitable security issues" in the program itself. Piwik is used to deliver detailed analytics that track in real time the traffic hitting a website.

Read 5 remaining paragraphs | Comments

Google Releases Google Chrome 23.0.1271.91

Google has released Google Chrome 23.0.1271.91 for Windows, Mac, Linux, and ChromeFrame to address multiple vulnerabilities. These vulnerabilities could result in a denial of service or allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the Google Chrome Release blog entry and update to Chrome 23.0.1271.91.

This product is provided subject to this Notification and this Privacy & Use policy.