W32.Changeup, the eMule-aided worm
Abuse of file-sharing platforms by malicious code has been a common habit for years now. Malware usually just checks whether the infected machine hosts a peer-to-peer client, but the W32.Changeup worm detected by Symantec (among others) goes further: rather than searching for a P2P tool, it installs its own “private” copy of eMule to replicate itself. The malware is noteworthy for its ability to “assist” the downloading and spreading of additional threats.
First identified almost a year ago, W32.Changeup is a polymorphic worm that spreads a copy of itself to all mapped drives and exploits the Windows AutoRun functionality to secure automatic execution. The worm is written in Visual Basic and, unlike other malware written in that environment – which tends to have limited functionality – it has polymorphic capabilities that make every single infection look different from the others to a simple signature-based check.
Lately the W32.Changeup authors have added the well-known shortcut vulnerability in the Windows Shell as a new propagation vector. Nevertheless Symantec – whose security software detects the new variant as W32.Changeup.C – states that the worm’s main goal is always the same, i.e. to connect to remote URLs and download additional, far more dangerous threats, including trojans, backdoors and scareware disguised as security software needed to remove non-existent infections.
The latest functionality highlighted by Symantec’s analysis is the one with which the worm downloads and executes a copy of the eMule file-sharing software: the user gets no direct visual feedback, but in the background W32.Changeup loads eMule and fills the Incoming downloads folder with tens of thousands of .zip archives whose names mimic legitimate software, cracks or any download that is popular in P2P users’ searches. All the archives generated by the worm contain the infection’s main downloader disguised as “setup.exe”, with the sole difference of a couple of additional random bytes at the end to better hide the malicious nature of the archive.
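The trailing random bytes are there precisely to make every archive hash differently, which is what a naive whole-file hash check would miss. A defender triaging an eMule Incoming folder can instead hash only the part of the executable that the PE headers actually account for, so the padding drops out and the look-alike archives collapse into one cluster. The script below is an added example, not Symantec’s or the worm’s code: it carries a minimal PE section-table parser, groups zip members by their overlay-stripped SHA-256, and runs against constructed sample archives (the archive names, the fake PE stand-in and the padding bytes are all invented for the demonstration).

```python
import hashlib
import io
import struct
import zipfile
from typing import Dict, List, Optional, Tuple


def pe_image_end(data: bytes) -> Optional[int]:
    """Offset where the last PE section's raw data ends; None if not a PE.

    Anything past that offset is overlay (not part of the mapped image),
    which is where a few random padding bytes would land.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + opt_hdr_size
    end = section_table + 40 * num_sections  # at least the headers themselves
    for i in range(num_sections):
        hdr = section_table + 40 * i
        if hdr + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def scan_archives(archives: Dict[str, bytes], min_cluster: int = 3) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group PE members of zip archives by overlay-stripped SHA-256.

    archives maps archive name -> raw zip bytes. Returns hash -> list of
    (archive, member, overlay_length), keeping only groups of at least
    min_cluster: many differently named archives carrying one executable.
    """
    clusters: Dict[str, List[Tuple[str, str, int]]] = {}
    for name, blob in archives.items():
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            continue  # not a zip, nothing to inspect
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            end = pe_image_end(member)
            if end is None:
                continue  # only executables matter here
            digest = hashlib.sha256(member[:end]).hexdigest()
            clusters.setdefault(digest, []).append((name, info.filename, len(member) - end))
    return {h: hits for h, hits in clusters.items() if len(hits) >= min_cluster}


def build_fake_pe(section_bytes: bytes) -> bytes:
    """Constructed PE-shaped blob (no optional header, one section); not runnable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + 40  # section data follows the single section header
    section_hdr = (b".text\0\0\0"
                   + struct.pack("<IIII", len(section_bytes), 0x1000, len(section_bytes), raw_ptr)
                   + b"\0" * 16)
    return dos_header + b"PE\0\0" + coff + section_hdr + section_bytes


def build_sample_archives() -> Dict[str, bytes]:
    """Constructed sample: three look-alike archives plus one unrelated one."""
    payload = build_fake_pe(b"\x90" * 32)
    other = build_fake_pe(b"\xCC" * 48)
    # Lure names are placeholders; the trailing bytes stand in for the random
    # padding that would otherwise defeat whole-file hashing.
    samples = {
        "popular_game_crack.zip": payload + b"\x17\x5b",
        "office_keygen.zip": payload + b"\x02\x9a\xe4",
        "movie_player_setup.zip": payload + b"\xf0\x0d\xba\x11\x42",
        "legit_tool.zip": other,
    }
    archives = {}
    for archive_name, exe in samples.items():
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("setup.exe", exe)
        archives[archive_name] = buf.getvalue()
    return archives


if __name__ == "__main__":
    for digest, hits in scan_archives(build_sample_archives()).items():
        print(f"{len(hits)} archives share executable {digest[:16]}...:")
        for archive_name, member, overlay in hits:
            print(f"  {archive_name}/{member} (+{overlay} trailing bytes)")
```

On a real folder you would read each .zip from disk into the `archives` mapping and raise `min_cluster` to whatever volume is abnormal for that machine; the point of hashing up to `pe_image_end` rather than the whole file is that the padding lengths differ per archive while the mapped image does not, so the cluster surfaces regardless of how many lure names were generated.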
“W32.Changeup had initially limited its spreading capabilities – Symantec’s analyst Andrea Lelli writes – then it employed a strategy involving the Microsoft Windows Shortcut ‘LNK’ Files Automatic File Execution Vulnerability in order to successfully spread on as many computers as possible. With antivirus detecting the malicious .lnk files, and the security patches released by Microsoft to remove the vulnerability, Changeup had to move to a new strategy in order to keep the spread ratio high, and file-sharing is always a target often chosen by worm authors”.