W32.Changeup is a polymorphic worm written in Visual Basic (VB). As we stated in the previous W32.Changeup blog, our analysis focuses on the polymorphic behavior that the threat employs. There are many polymorphic worms, but polymorphic worms written in VB are very rare. Analyzing malware written in Visual Basic can be tricky, but I have spent some time analyzing this threat, and in this blog I'll take a closer look at the polymorphic aspects of this worm.

When the worm executes, it accesses the LinkTopic property of its own form. The strings for the form and module names that Changeup uses are recorded in the LinkTopic property, and every time the worm infects a computer these strings are randomly modified. Once loaded, the worm searches for the LinkTopic string with an "x" appended to it as a marker, and at the position where it finds that marker it places 2,525 bytes of encrypted data. The following is the binary image; the highlighted area is the string configured in the LinkTopic property.

Where a picture would normally be stored in this section, there is instead RC4-encrypted data that the worm uses. The picture is configured as invisible in the form and is never used as a picture. The worm then decrypts this section, which is also where the names of the Windows API functions that the worm calls are stored; until this section is decrypted, the worm only uses a limited number of Windows APIs.

One very interesting detail is that letters from the strings in this section are hashed together, and the URL that the worm contacts is created dynamically from the result. We believe this is done in order to hide the host server. The figure below shows the code that is used.

After the picture section is decrypted, the malicious code embedded in this worm performs the following actions:
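The layout described above (a marker string followed by a 2,525-byte RC4-encrypted section holding API names) lends itself to a small triage helper. The following is an added analyst-side example, not the worm's code and not from the original post: it locates the marker, slices the section, decrypts it with a candidate key and scores the result by how many expected API names appear. The key, marker, API list and embedded image are all constructed sample values; the real ones must be recovered from an actual sample.

```python
# Added analysis helper (not the worm's code). SAMPLE_* values and APIS are
# constructed for the demo; the real marker and RC4 key come from the sample.
from typing import Optional

BLOB_LEN = 2525  # size of the encrypted section described in the analysis

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def extract_blob(image: bytes, marker: bytes) -> Optional[bytes]:
    """Return the BLOB_LEN bytes after the first occurrence of marker, or None."""
    pos = image.find(marker)
    if pos < 0:
        return None
    start = pos + len(marker)
    blob = image[start:start + BLOB_LEN]
    return blob if len(blob) == BLOB_LEN else None

def api_name_score(plain: bytes, known: tuple) -> int:
    # Number of expected Windows API names visible in a candidate plaintext.
    return sum(1 for name in known if name in plain)

# Constructed sample: NUL-separated API names, RC4-encrypted and embedded after
# the marker inside filler bytes, standing in for the worm's picture resource.
SAMPLE_KEY = b"sample-key"                     # constructed, not the real key
SAMPLE_MARKER = b"FrmMain1x"                   # constructed: LinkTopic string + "x"
APIS = (b"CreateProcessA", b"URLDownloadToFileA", b"RegSetValueExA", b"CreateMutexA")
_plain = b"\x00".join(APIS).ljust(BLOB_LEN, b"\x00")
SAMPLE_IMAGE = b"\x90" * 64 + SAMPLE_MARKER + rc4(SAMPLE_KEY, _plain) + b"\x90" * 32

def analyze(image: bytes, marker: bytes, key: bytes) -> int:
    """Decrypt the section after marker; report how many known API names it exposes."""
    blob = extract_blob(image, marker)
    if blob is None:
        return 0
    return api_name_score(rc4(key, blob), APIS)
```

A wrong key leaves the section as noise and scores near zero, so the score doubles as a cheap check that a recovered key is the right one.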