Difference between revisions of "W32.Changeup: how the worm was created"

From Botnets.fr
m (1 revision imported)
m (Text replacement - " www.symantec.com" to "")
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
{{Publication
{{Publication
|Link=http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_changeup_how_the_worm_was_created.pdf www.symantec.com
|Link=http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_changeup_how_the_worm_was_created.pdf
|Author=Masaki Suenaga
|Author=Masaki Suenaga
|NomRevue=Symantec Security Response
|NomRevue=Symantec Security Response
|Date=16 août 2012
|Date=16 aug2012
|Editor=Symantec
|Editor=Symantec
|Year=2012
|Year=2012
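Review bot: the new Date value "16 aug2012" (second |Date= line) drops the space between the month and the year and lowercases the month abbreviation, so the template now renders "16 aug2012"; "16 Aug 2012" would keep the day/month/year separation the original "16 août 2012" had and match the month = Aug used in the Bibtex entry. The Link change, removing the stray " www.symantec.com" suffix after the PDF URL, is correct.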

Latest revision as of 20:51, 5 August 2015


W32.Changeup: how the worm was created
Malware: Changeup
Date: 16 Aug 2012
Editor/Conference: Symantec
Link: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_changeup_how_the_worm_was_created.pdf
Author: Masaki Suenaga

Abstract

Since the first W32.Changeup was discovered in 2009, many variants have propagated around the world, accounting for 25 percent of all malware written in Visual Basic. The worm’s author periodically modifies the source code to avoid detection. Some variants are compiled to native code, while others are compiled to Pseudo-code. For this paper, a native code version of W32.Changeup was selected and decompiled in order to understand how the worm had been created and how the worm behaves. This paper presents the partial source code of the worm, as well as the method used to decompile a Visual Basic native code program by hand.

Bibtex

@misc{2012BFR1130,
  editor = {Symantec},
  author = {Masaki Suenaga},
  title = {W32.Changeup: how the worm was created},
  date = {16},
  month = aug,
  year = {2012},
  howpublished = {\url{http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_changeup_how_the_worm_was_created.pdf}},
}

Blog entry: http://www.symantec.com/connect/blogs/w32changeup-how-worm-was-created