It has been all about W32.Stuxnet for the past two weeks due to its connection to SCADA systems as well as the use of an unpatched vulnerability to propagate. But from about a month ago, we observed a significant increase in infection numbers of W32.Changeup worldwide, especially in the Enterprise environment.
Figure 1. Distribution of W32.Changeup
Figure 2. Distribution of W32.Changeup.B
Figure 3. Distribution of W32.Changeup.C
W32.Changeup first appeared almost a year ago and has never received much of the limelight as it has no notable functionality that other threats do not possess. But as we’ll see below, that recently changed.
W32.Changeup is a polymorphic worm that copies itself to removable and mapped drives, and downloads Backdoor.Tidserv, Trojan.Sasfis, and various misleading applications in the process.
More information on Trojan.Sasfis can be found in our blogs:
Threat Brief for Trojan.Sasfis
Trojan.Sasfis: A Closer Look
Trojan.Sasfis and W32.Changeup are both written in Visual Basic. While threats written in Visual Basic generally have limitations in functionality due to the fact that higher skills are required to implement complex behavior, analysis of such threats can cause major headaches to security researchers.
The main purpose of W32.Changeup is to distribute other threats, such as Backdoor.Tidserv, and misleading applications by downloading them after the computer is compromised (it’s worth mentioning that Trojan.Sasfis has the very same purpose). W32.Changeup is fairly easy to contain but his friends (disciples?) are not. Backdoor.Tidserv opens a back door that receives remote commands, which in turn results in additional damage to the compromised computer.
W32.Changeup is usually seen in the form of .exe or .src files with random names. Initially W32.Changeup did not employ any fancy techniques to spread: it copied itself to removable and mapped drives and used the AutoRun feature in Windows to run automatically. However, recently W32.Changeup equipped itself with the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732) for propagation. Symantec detects such variants as W32.Changeup.C.
One of the most notable functions of W32.Changeup is its polymorphic capability. To infect a machine, the threat copies itself to the target machine and modifies itself. The polymorphic engine modifies its own module and form names, an image in the form, and file names in the resource section every time it is executed. Interestingly, the “image” is in fact encrypted data of the worm, not an actual image. We are currently investigating the polymorphic algorithm. W32.Changeup itself appears not to have any functionality other than propagating and downloading other threats.
W32.Changeup does not cause major damage per se but acts as a tout, inviting its friends and relatives who are nasty in nature. We ran several variants of W32.Changeup in a secure and isolated network environment and below are some of our observations.
W32.Changeup downloaded two files after infection. It was quiet for most of that day, but then the compromised computer suddenly started to show various signs of infection. There was the infamous pop-up on the bottom right hand corner of the screen warning that the system is infected with malware and advising the user to download antivirus software to remove the malware, which is a typical sign of misleading applications. We did not see any additional malware being downloaded after the misleading application was downloaded.
W32.Changeup downloaded Backdoor.Tidserv as well as Downloader.MisleadApp, which further downloaded a misleading application.
Figure 4. Nmugoa.exe is Downloader.MisleadApp and Ntd.exe is the misleading application.
In some cases, W32.Changeup can bring a catastrophic end to the compromised computer. The downloaded malware, Backdoor.Tidserv, along with some other threats consumed above 90% of CPU resources, and soon enough the system crashed and the infamous blue screen of death appeared.
Note: This does not apply to all variants of W32.Changeup. Most likely the blue screen of death was caused by a downloaded threat and not by W32.Changeup.
W32.Changeup generally contacts several URLs to download additional malware. As W32.Changeup is highly customizable, a variant can have any URL.
Some Changeup variants can start a multiple download chain and the following is one example of such a chain.
In the above image, Changeup downloads other malware from various URLs, and that downloaded malware in turn downloads more malware and/or misleading applications on to the compromised computer.
In addition to the general online security practices, blocking suspicious or unknown URLs in the network log is advised as W32.Changeup is known to download additional malware from remote sites (and not to mention downloaded threats may then download additional threats, and so on.) The AutoRun feature in Windows should be disabled to prevent the automatic launching of executable files on removable drives. Removable drives should also be disconnected when not required and read-only mode should be enabled if the option is available when write access is not required.
W32.Changeup acts as a postman delivering a variety of threats including Backdoor.Tidserv, Trojan.Sasfis, and misleading applications to as many computers as possible. W32.Changeup is highly configurable and as such can download practically anything the virus author wants downloaded. As such W32.Changeup infections can lead to a massive infection spiral. So even though W32.Changeup itself is a relatively uncomplicated threat, the consequences can be highly destructive.
A big thanks to Takayoshi Nakayama and Hiroshi Shinotsuka for their technical analysis of this threat.