ChangeUp family employing new ways to spread
W32.Changeup is a family of polymorphic computer worm which is written Visual Basic programming language. Recently, a software bug in Windows shell called Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability was disclosed by good guys at VirusBlockAda security firm after the world hit by the wave of W32.Stuxnet (aka TempHider rootkit) and after few days bad "copycat" guys took advantage by implementing the exploit for the bug in their malicious creations, Changeup is one of the best example of how quick malware authors are in employing techniques.The latest W32.Changeup.C uses this hole to automatically execute itself and infect whenever a infected thumb drive is loaded to a PC and Windows Explorer views its malicious ".lnk" file,therefore no user action is required to infect a computer rather than insertion of thumb drive.Now, lets talk about the main purpose of W32.Changeup, guess ???, it acts like a component for downloading other viruses from its Command & Control (C&C) servers, previously it has downloaded Backdoor.Tidserv, Trojan.FakeAV and etc. therefore it acts in Pay Per Install (PPI) service. As of now many AV vendors have updated their definitions therefore these malicious ".lnk" files are getting blocked, as a conclusion of this, their makers gave the W32.Changeup bot instruction to download a popular file-sharing application "eMule" and then spread via its sharing feature.Now the threat family is spreading in high volume by eMule's network using different filenames of popular software, games and their cracks.
W32.Changeup also uses a technique to evade blacklisting in eMule network and prevent itself from static file cleaners by adding random junk bytes to the end of itself, therefore the file hash changes each time and then it creates a zip version of itself in the sharing folder of eMule, in which approximately overloading 1 gigabyte of hard disk space. You can download the patch for the above mentioned bug via Windows Update or Microsoft Download Center and keep your security product up to date for protection against complex threats like Changeup.











