Several security companies are warning their customers about a Windows worm that spreads rapidly via networks and USB sticks. The Visual Basic worm has been around for a few years now, but a new iteration is proving to be far more aggressive than its predecessors.
In the last week there has been an increase in the number of W32.Changeup detections. The increase in detections is a result of an updated version of W32.Changeup now circulating in the wild.
The worm has been dubbed ChangeUp by Symantec and is also recognised by McAfee as W32/Autorun.worm.aaeb and by Sophos as W32/VBNA-X.
Once the worm is active on a system it will call home to its command and control server to install additional malware:
Once the C&C server is contacted, a command and URL are passed back to the malware instructing it to download a payload named google.exe which is placed in the user’s profile directory.
The instances we investigated downloaded banking Trojans belonging to the Zeus/Zbot family, but can frequently change based on time of day or geographic location.
The ChangeUp worm will also attempt to copy itself to connected USB sticks, network hard drives and shared network folders by taking advantage of the Windows Autorun feature:
It spreads by creating copies of itself in removable storage devices and mounted network shares. It will also create an “autorun.inf” to allow it to automatically execute itself when attached to another system with auto run enabled.
The main points here are, firstly, to have a good security solution in place to help deal with any threats before they ever get onto your system.
Additionally, you should have the Windows Autorun feature disabled by default these days in order to mitigate these particular types of attack. And, lastly, always control the use of USB devices in your organisation and educate users about the risks of opening unknown files.
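A defensive check for the autorun.inf propagation described above, added here as an example and not taken from any vendor's tooling: it parses the text of an autorun.inf and lists the programs the file would launch, so a removable drive or share can be audited before use. The sample file contents and the name sample.exe are constructed.

```python
import re

# [autorun] keys that make Windows launch a program from the drive.
EXEC_KEYS = ("open", "shellexecute")
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")  # e.g. shell\open\command
RISKY = re.compile(r"\.(exe|scr|com|bat|cmd|vbs|pif)(?=[\"\s]|$)", re.I)

# Constructed samples, not taken from a real infection.
SAMPLE_FLAGGED = r"""
x7Qp stray line before any section
[AutoRun]
; comment used as padding
Open=sample.exe
shell\open\command = sample.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""
SAMPLE_BENIGN = "[autorun]\nicon=setup.ico\nlabel=Backup Drive\n"


def autorun_commands(text):
    """Return [(key, command)] for every launch entry in the [autorun] section.

    Parsed by hand rather than with configparser so that stray or malformed
    lines are skipped instead of aborting the scan.
    """
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if value and (key in EXEC_KEYS or SHELL_VERB.match(key)):
            found.append((key, value))
    return found


def is_suspicious(text):
    """True if any launch entry points at an executable or script file."""
    return any(RISKY.search(cmd) for _, cmd in autorun_commands(text))


if __name__ == "__main__":
    for name, sample in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(sample), autorun_commands(sample))
```

An autorun.inf that only sets an icon or label is not flagged; any hit on a USB stick or network share is worth investigating before the device is used on a system with Autorun enabled.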