Wednesday, December 19, 2012

Significant increase in the spread of W32.Changeup worm

I've run into a number of worms over the years, but typically I see them in a network or two here and there. I've run into W32.Changeup several times in the past few days and I expect to see it a few more. It can get into your network via removable media or the Internet. From infected computers it replicates to network shares and infects new computers that browse those shares via autorun. It replicates to any network share it can reach, either because the logged-on user has write permissions or via system account impersonation. It also replicates to SYSVOL on domain controllers, which is why it can spread so fast. It will replicate to unprotected shares on Mac and Linux systems as well, but will only infect Windows PCs. To stop further infections you will need to disable autorun across your domain or on your PC. If you need help disabling autorun you can find instructions here.

If autorun is disabled, all you really need to do is isolate the infected machines and re-image them offline. Assuming you have virus protection scanning your network, the files the worm leaves behind should be cleaned up automatically and will not come back unless infected machines remain. Once the infections are contained and eliminated you will need to fix the network shares the worm changed. You will likely start receiving calls from users saying their mapped drives are empty, and you likely will not be able to find the files on the server. The worm marks all files and folders in the network shares it replicates to, along with the root folder, as hidden system files and folders. To fix it you must remove the attributes from the command prompt. I've successfully resolved the issue by logging into each file server as a domain admin, unhiding protected operating system files, taking ownership of the root shared folder, adding the domain admin account with full control, forcing the permissions down, and then running the commands below.

Removes attributes from root shared folder
Attrib -H -S C:\path\to\your\folder /S /D

Removes attributes from subfolders and files
Attrib -H -S "C:\path\to\your\folder\*.*" /S /D

Once the above is done you may still find random movie files or links in various folders that are 0 to 1 KB in size. Search for files of 1 KB or less and use backups to confirm whether they were there before the infection. If they weren't, delete them so that users do not mistakenly open them. The link names will vary, but the movie files seem to be named with a single letter and are 0 to 1 KB in size. The very last step is to restore the permissions you reset to what they were pre-infection, if the entire share tree did not have the same permissions.
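A PowerShell version of the two attrib commands plus the small-file search above, added here as an example (it is not from the original post or from Symantec). It assumes the ownership and permission steps have already been done, that $ShareRoot is the root of the affected share, and that the report path is a placeholder; it deletes nothing, leaving the backup comparison to the operator.

```powershell
param(
    [Parameter(Mandatory)] [string] $ShareRoot,   # e.g. D:\Shares\Dept (placeholder path)
    [string] $ReportPath = "$env:TEMP\changeup-small-files.csv"  # assumed report location
)

# Attribute bits the worm sets on the share root, every subfolder and every file.
$wormBits = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System

# 1. Clear Hidden+System on the root folder itself, then on everything beneath it.
#    -Force is required, or Get-ChildItem skips the hidden items we are trying to fix.
$root  = Get-Item -LiteralPath $ShareRoot -Force
$items = @($root) + @(Get-ChildItem -LiteralPath $ShareRoot -Recurse -Force)
$fixed = 0
foreach ($item in $items) {
    if (($item.Attributes -band $wormBits) -ne 0) {
        # Keep any other attributes (ReadOnly, Archive) exactly as they were.
        $item.Attributes = $item.Attributes -band (-bnot $wormBits)
        $fixed++
    }
}
Write-Host "Cleared Hidden/System on $fixed item(s) under $ShareRoot"

# 2. List files of 1 KB or less so each can be checked against a pre-infection backup.
#    The list is written to CSV rather than acted on; legitimate small files (shortcuts,
#    config stubs) will appear here too, which is why the backup comparison matters.
Get-ChildItem -LiteralPath $ShareRoot -Recurse -Force -File |
    Where-Object { $_.Length -le 1KB } |
    Select-Object FullName, Length, LastWriteTime |
    Sort-Object LastWriteTime |
    Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host "Candidate files (<= 1 KB) written to $ReportPath for review against backups"
```

Run it from an elevated PowerShell session on the file server, one share root at a time, e.g. `.\Reset-ChangeupShare.ps1 -ShareRoot D:\Shares\Dept`.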

CRM News W32.Changeup
Symantec's Security Response to W32.Changeup
Reset system and hidden attributes caused by W32.Changeup