In mid-2009 W32.Changeup, a polymorphic worm written in Visual Basic, was first discovered on systems around the world. Over the last few years, we have profiled this threat, explained why it spreads, and shown how it was created.
In the last week there has been an increase in the number of W32.Changeup detections. The increase is the result of an updated version of W32.Changeup now circulating in the wild:
[Figure: Detections of the updated version of W32.Changeup over the last seven days]
W32.Changeup comes bearing gifts. When a system is compromised, W32.Changeup may install additional malware, ranging from Backdoor.Tidserv and Trojan.FakeAV to Backdoor.Trojan and Downloader Trojan. The Downloader Trojan in turn downloads even more malware onto the compromised computer.
The worm copies itself to removable and mapped drives by taking advantage of the AutoRun feature in Windows. The latest version of the worm also copies itself to the following locations:
- %UserProfile%\Passwords.exe
- %UserProfile%\Secret.exe
- %UserProfile%\Porn.exe
- %UserProfile%\Sexy.exe
Security Response strongly recommends steps be taken to prevent worms from leveraging the AutoRun feature. We have the following protections in place for the latest version of W32.Changeup:
- Antivirus
- Intrusion Prevention System (signature: System Infected: W32.Changeup Worm Activity)
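The following PowerShell is added here as an example and is not part of the original post. It audits the Explorer AutoRun policy that the worm relies on to spread and checks every local user profile for the four drop file names listed above; the registry key and value names are the documented Explorer policy settings (KB967715), and the script assumes it runs with administrative rights.

```powershell
# Added example (not Symantec's code): audit/enforce the AutoRun policy and
# look for the W32.Changeup drop files named in the post. Run elevated.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DropNames = 'Passwords.exe', 'Secret.exe', 'Porn.exe', 'Sexy.exe'   # from the post

function Test-AutoRunDisabled {
    # 0xFF in NoDriveTypeAutoRun disables AutoRun for every drive type;
    # HonorAutorunSetting = 1 makes Explorer honour that value (KB967715).
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    return ($null -ne $p) -and
           ($p.NoDriveTypeAutoRun -eq 0xFF) -and
           ($p.HonorAutorunSetting -eq 1)
}

function Set-AutoRunDisabled {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun  -Value 0xFF -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name HonorAutorunSetting -Value 1    -Type DWord
}

function Find-ChangeupDropFiles {
    # Check every local profile, not only the current one: the worm writes to
    # %UserProfile% of whichever account it executed under.
    $profiles = Get-ChildItem -Path (Split-Path $env:USERPROFILE -Parent) -Directory
    foreach ($prof in $profiles) {
        foreach ($name in $DropNames) {
            $path = Join-Path $prof.FullName $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                # Report only; removal is left to the AV product and the IR process.
                Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
            }
        }
    }
}

if (Test-AutoRunDisabled) {
    Write-Output 'AutoRun policy: disabled for all drive types (OK)'
} else {
    Write-Output 'AutoRun policy: NOT fully disabled; applying policy'
    Set-AutoRunDisabled
}

$hits = @(Find-ChangeupDropFiles)
if ($hits.Count -eq 0) { Write-Output 'No W32.Changeup drop files found in user profiles' }
else { $hits | Format-Table -AutoSize }
```

A hit on any of these file names is a trigger for a full scan with the protections listed above rather than proof of infection on its own, since the names are generic.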
We also have identified the servers the latest version of the worm attempts to contact after compromising a computer:
Security Response will continue to monitor W32.Changeup and provide protections against variations and accompanying malware.