
W32.Changeup malware infections spike up since start-December

DQI Bureau

Malware authoring and distribution has become very profitable over the years. One example of how it has grown into a profitable enterprise backed by a strong business model is a worm called W32.Changeup, which appears to have no functionality other than propagating and downloading other threats.


It is likely that the authors of the threat are associated with affiliate schemes that are attempting to generate money through the distribution of malware. Symantec has witnessed a large spike in the number of W32.Changeup detections and infections since the beginning of December.

The highest number of detections has been recorded in India and Mexico, but the malware has been spotted all over North America, in several South American countries and even in some parts of Africa. Symantec has observed the following geographic distribution of this threat.

One of the most notable functions of W32.Changeup is its polymorphic capability. To infect a machine, the threat copies itself to the target and modifies itself in the process. Every time it is executed, the polymorphic engine changes its own module and form names, an image stored in the form, and the file names in the resource section. Interestingly, the "image" is in fact encrypted data belonging to the worm, not an actual image.
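The detail that the "image" carried in the form is really encrypted worm data suggests a simple defensive triage check: a resource that claims to be an image but has no recognisable image header and near-maximal byte entropy deserves a closer look. The script below is an added example written for this article, not Symantec's or the malware's code; the sample resource blobs are constructed inline and the 7.5 bits/byte threshold is an assumption.

```python
import math
import random
from collections import Counter

# Common image container signatures used to decide whether a resource
# that is labelled as an image at least starts like one.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}

# Constructed samples: a benign-looking PNG header followed by a flat bitmap
# body, and a blob standing in for the worm's encrypted body (seeded so the
# result is reproducible; real encrypted data looks the same to this check).
BENIGN_PNG_LIKE = b"\x89PNG\r\n\x1a\n" + bytes(4096)
FAKE_ENCRYPTED_BLOB = random.Random(2024).randbytes(4096)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def image_type(data: bytes):
    """Return the image container name if the blob starts with a known signature."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_image_resource(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Flag a supposed image resource that has no image header and is high-entropy.
    Compressed image bodies (e.g. PNG IDAT) are also high-entropy, which is why the
    header check is combined with the entropy check rather than used alone."""
    kind = image_type(data)
    ent = shannon_entropy(data)
    return {
        "image_type": kind,
        "entropy": round(ent, 2),
        "suspicious": kind is None and ent >= entropy_threshold,
    }


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PNG_LIKE), ("encrypted", FAKE_ENCRYPTED_BLOB)):
        print(label, classify_image_resource(blob))
```

Running it on resources extracted from a sample (with any PE resource tool of your choice) gives a quick triage signal; a flagged resource is a reason for manual analysis, not proof of infection on its own.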


The following lists how it spreads, what techniques it uses to spread, and what its payload is:

· It spreads on a large scale through network shares and removable drives.

· It uses social engineering techniques to install itself.


· It updates itself and installs other threats.

The piece of malware detected as W32.Changeup has been making the rounds since mid-2009 and its developers don't seem to be willing to give up on it just yet. Symantec experts have found a new variant of this threat circulating in the wild.
