Fraudulent spam messages purporting to be from financial institutions are one of the driving forces behind the recent uptick in W32.Changeup infections, report Symantec researchers.
In the spam message, users are told to download and open an attached file, securedoc.html.zip, which allegedly contains a secure message from their bank. In reality the archive holds a malicious executable (.exe) that Symantec identifies as Downloader.Ponik; the "html" in the file name is there to make the attachment look like the web document the email promises.
Here is an example message that users should look out for:
Subject: You have received a secure message
You have received a secure message
Read you [sic] secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
If you have concerns about the validity of this message, please contact the sender directly. For questions about e-mail encryption service, please contact technical support at 888.764.[REMOVED].
First time users – will need to register after opening the attachment.
Help – https://[REMOVED]/websafe/help?topic=RegEnvelope
About [REMOVED] Encryption – https://[REMOVED]/websafe/about
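The lure above works because a zip archive named like a web page hides a Windows executable. The following is an added example, not Symantec's code and not part of the original article, showing the kind of check a mail gateway or a cautious analyst can apply to an attachment before anyone opens it: unpack the archive in memory, and flag any member that is executable by extension, by a document-looking double extension (securedoc.html.exe), by whitespace padding in the name, or by the PE "MZ" magic regardless of what the name claims. The function names and the two sample archives are constructed for this example; the fake executable is only the MZ/PE header, not a real binary.

```python
"""Inspect a zip mail attachment for disguised executables (added example)."""
from __future__ import annotations

import io
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure borrows to look like a harmless document.
DOC_EXTS = {".html", ".htm", ".pdf", ".doc", ".docx", ".txt"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a zip member looks like a disguised executable.

    `name` is the member's path inside the archive, `head` its first bytes.
    An empty list means nothing suspicious was found.
    """
    reasons: list[str] = []
    base = name.lower().strip().rsplit("/", 1)[-1]   # drop any folder prefix
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    # securedoc.html.exe: a document extension immediately before the real one.
    if len(parts) > 2 and ext in EXEC_EXTS and "." + parts[-2].strip() in DOC_EXTS:
        reasons.append("document-looking double extension")
    # 'invoice.pdf                    .exe': padding pushes .exe out of view.
    if "  " in name:
        reasons.append("whitespace padding in file name")
    # The PE header gives the file away whatever it is called.
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) regardless of name")
    return reasons


def inspect_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map every file in the archive to its findings (empty list = clean)."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)          # only the magic bytes are needed
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any member of the attachment triggered at least one finding."""
    return any(inspect_zip_attachment(data).values())


def build_sample_lure() -> bytes:
    """Constructed stand-in for securedoc.html.zip: an .exe posing as HTML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE: a real one is far longer; only the MZ magic matters here.
        zf.writestr("securedoc.html.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    return buf.getvalue()


def build_sample_benign() -> bytes:
    """Constructed archive holding the HTML page the email pretends to send."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("securedoc.html", b"<html><body>secure message</body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("lure", build_sample_lure()), ("benign", build_sample_benign())):
        print(label, inspect_zip_attachment(sample))
```

Checking the MZ magic as well as the name matters: a gateway rule that only looks at extensions is beaten by a lure that renames the payload, while the header check catches it even when the archive member is called securedoc.html.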
Should a user make the mistake of downloading and executing the file, they will be opening their system to a chain of malware infections. Downloader.Ponik kicks things off by connecting to a remote host to download the Gameover variant of the infamous ZeuS Trojan. Gameover then downloads and installs W32.Changeup, which in turn fetches additional threats, and the chain continues from there.
In addition to downloading malware, W32.Changeup is known for its ability to spread via removable and mapped drives by taking advantage of the Windows AutoRun feature. See Symantec’s write-up of W32.Changeup for more information.
Keeping Your PC Safe
Here are some tips to keep your computer safe from the Changeup worm:
- Do not download or install files attached to unsolicited emails. This is one of the most common infection methods, and a legitimate bank does not deliver a "secure message" as a zip archive hiding an executable. A file name with a doubled extension such as securedoc.html.exe is a red flag in itself.
- Always run antivirus software and keep the virus definitions current.
- Keep your operating system and installed third-party software fully patched and up-to-date.
- Scan removable drives before transferring or opening any files stored on them.
- Disable the AutoRun feature on your PC. On Windows this is done through Group Policy (enable "Turn off AutoPlay" for all drives under Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies) or by setting the NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF.
Is Your Computer Infected?
If you suspect that W32.Changeup has already made its way onto your system, you can run a full system scan using an antivirus solution capable of detecting the threat. The Changeup worm has been around for a few years now, so you have plenty of vendors to choose from:
- ESET [detected as Win32/VBObfus.GH]
- F-Secure [detected as Gen:Variant.Symmi.6831]
- Kaspersky [detected as Worm.Win32.VBNA.b]
- McAfee [detected as W32/Autorun.worm.aaeh]
- Microsoft [detected as Win32/Vobfus.MD]
- Panda [detected as Trj/CI.A]
- Sophos [detected as W32/VBNA-X]
- TrendMicro [detected as WORM_VOBFUS]