Spam Contributing to Increase of W32.Changeup Infections

Fraudulent spam messages purporting to be from financial institutions are one of the driving forces behind the recent uptick in W32.Changeup infections, Symantec researchers report.

In the spam message, users are instructed to download and open a file, securedoc.html.zip, attached to the email, which allegedly contains a secure message from their bank. In reality, the archive contains a malicious executable (.exe) that Symantec identifies as Downloader.Ponik.

Here is an example message that users should look out for:

Screenshot: spam spreading the W32.Changeup worm (credit: Symantec)

Subject: You have received a secure message

You have received a secure message

Read you secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions about e-mail encryption service, please contact technical support at 888.764.[REMOVED].

First time users – will need to register after opening the attachment.
Help – https://[REMOVED]/websafe/help?topic=RegEnvelope
About [REMOVED] Encryption – https://[REMOVED]/websafe/about

Should a user make the mistake of downloading and executing the file, they will be opening their system to a variety of malware infections. Downloader.Ponik kicks things off by connecting to a remote host to download the Gameover variant of the infamous ZeuS Trojan. Gameover then downloads and installs W32.Changeup, Changeup downloads additional threats, and so on down the chain.
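The lure works because the attachment name reads like a document while the archive actually carries a Windows executable. The following is an added example (not code from Symantec or Hyphenet) of the check a mail gateway or endpoint filter would apply to such an attachment: it flags archive members whose extension is executable, names that hide an executable suffix behind a document suffix (securedoc.html.exe), and content that starts with the PE "MZ" header regardless of name. The extension lists are assumptions for a typical block list, and the sample archive is constructed inline from placeholder bytes, not a real sample.

```python
"""Inspect a zip e-mail attachment for the securedoc.html.zip pattern.

Added example; the archives built below are constructed stand-ins, not malware.
"""
import io
import zipfile

# Suffixes that execute code when opened on Windows (assumed block list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jar", ".msi"}
# Suffixes that look like harmless documents and are used as the decoy part
# of a double extension (assumed list).
DOCUMENT_EXTS = {".html", ".htm", ".pdf", ".doc", ".docx", ".txt"}

MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def extensions(name):
    """Lowercase suffixes of a file name: 'a.html.exe' -> ['.html', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def looks_like_double_extension(name):
    """True for names such as securedoc.html.exe, where a document suffix
    precedes an executable suffix."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS


def inspect_zip_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means
    nothing suspicious was seen."""
    findings = []
    if looks_like_double_extension(filename):
        findings.append(f"attachment name uses a double extension: {filename}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["attachment is not a valid zip archive"]
    for info in archive.infolist():
        if info.is_dir():
            continue
        exts = extensions(info.filename)
        if exts and exts[-1] in EXECUTABLE_EXTS:
            findings.append(f"archive member has executable extension: {info.filename}")
        if looks_like_double_extension(info.filename):
            findings.append(f"archive member uses a double extension: {info.filename}")
        # Check content, not only the name: a renamed .exe still starts with MZ.
        with archive.open(info) as member:
            head = member.read(2)
        if head == MZ_MAGIC:
            findings.append(f"archive member content starts with MZ (PE executable): {info.filename}")
    return findings


def build_sample_attachment():
    """Constructed stand-in for the lure: a zip whose only member is named like
    a document but carries a PE header followed by placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("securedoc.html.exe",
                   MZ_MAGIC + b"\x00" * 62 + b"placeholder, not a real program")
    return buf.getvalue()


def build_benign_attachment():
    """Constructed control case: a zip containing an actual HTML document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("securedoc.html", b"<html><body>Nothing to see</body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_sample_attachment()),
                        ("benign", build_benign_attachment())):
        print(label, inspect_zip_attachment("securedoc.html.zip", data))
```

Run stand-alone, the lure archive produces three findings (executable extension, double extension, MZ content) and the benign one produces none; the outer name securedoc.html.zip is not itself flagged, since .zip is a container rather than an executable suffix, which is why the members must be inspected.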

In addition to downloading malware, W32.Changeup is known for its ability to spread via removable and mapped drives by taking advantage of the Windows AutoRun feature. See Symantec’s write-up of W32.Changeup for more information.

Keeping Your PC Safe

Here are some tips to keep your computer safe from the Changeup worm:

  • Do not download or install files attached to unsolicited emails. This is one of the most common infection methods used, and most companies do not send emails with file attachments.
  • Always run antivirus software and keep the virus definitions current.
  • Keep your operating system and installed third-party software fully patched and up-to-date.
  • Scan removable drives before transferring or opening any files stored on them.
  • Disable the AutoRun feature on your PC.

Is Your Computer Infected?

If you suspect that W32.Changeup has already made its way onto your system, you can run a full system scan using an antivirus solution capable of detecting the threat. The Changeup worm has been around for a few years now, so you have plenty of vendors to choose from:

  • ESET [detected as Win32/VBObfus.GH]
  • F-Secure [detected as Gen:Variant.Symmi.6831]
  • Kaspersky [detected as Worm.Win32.VBNA.b]
  • McAfee [detected as W32/Autorun.worm.aaeh]
  • Microsoft [detected as Win32/Vobfus.MD]
  • Panda [detected as Trj/CI.A]
  • Sophos [detected as W32/VBNA-X]
  • TrendMicro [detected as WORM_VOBFUS]



© 2014 Hyphenet, Inc.
1761 Hotel Circle S, Suite 350, San Diego, CA 92108

