Changes Afoot for Changeup

We have been fighting the W32.Changeup family of worms for a long time and have written about it many times


Figure 1. W32.Changeup prevalence

One characteristic of W32.Changeup is that it is written in Microsoft Visual Basic 6.0 and the viral part of its program code is seen in the program file, but it may appear to be obfuscated. However, for the first time in W32.Changeup’s history we have found a new variant that does not show the viral part of its program code in the file.

The program file is built in native code (Intel X86 code) and the startup object is set to ‘Form605’.


Figure 2. Program file’s startup code seen in X86 instructions

Once the code is run, the memory where the program once ran will be completely rewritten.


Figure 3. Startup code in program on memory

The replaced program is also built with Visual Basic 6.0, but this is built in P-code (pseudo-code) and the startup object is ‘Sub Main’.

The program on memory is pure W32.Changeup with no obfuscations. The strings are not encrypted at all, except for the domain names it connect to, and it does not have any redundant string concatenations.


Figure 4. Bare strings are copied to global variable strings Me(204) and Me(860)

In this example, the bare strings ‘connect’ and ‘CreateToolhelp32Snapshot’ are copied to global variables. We have not seen such a pure version of W32.Changeup for a very long time. The authors may have thought that it was no longer necessary to hide the strings because they are no longer seen in the program file. Of course, any other obfuscation techniques, such as redundant string concatenations and useless API calls, are no longer necessary on memory.

The worm functions much the same way as before, except for its polymorphism. A generation ago, the worm had strong polymorphism. It replaced three random strings, used as a dummy form name and so on, and was found in the program file with new random strings resulting in a new file with several differences. For example, the replacements affected the file wherever such strings, to construct the Visual Basic forms and modules, are located. If a virus definition covered such a changeable string, it would not be able to detect any variations derived from the sample. That is why security professionals pay more attention to polymorphic worms.

The latest version of W32.Changeup has lost its strong polymorphism features. It now only modifies icons in the resource section of the program file in order to disguises itself as a document, picture, or movie while copying itself.


Figure 5. Icons used by W32.Changeup to disguise itself (note the poor quality)

Symantec detects these files as W32.Changeup!gen44.