W32.Changeup: how the worm was created

From Botnets.fr


Malware: Changeup
Date: 16 Aug 2012
Editor/Conference: Symantec
Link: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_changeup_how_the_worm_was_created.pdf
Author: Masaki Suenaga

Abstract

Since the first W32.Changeup was discovered in 2009, many variants have propagated around the world, accounting for 25 percent of all malware written in Visual Basic. The worm's author periodically modifies the source code to avoid detection. Some variants are compiled to native code, while others are compiled to pseudo-code (p-code). For this paper, a native code version of W32.Changeup was selected and decompiled in order to understand how the worm had been created and how the worm behaves. This paper presents the partial source code of the worm, as well as the method used to decompile a Visual Basic native code program by hand.

Bibtex

 @misc{Suenaga2012BFR1130,
   editor = {Symantec},
   author = {Masaki Suenaga},
   title = {W32.Changeup: how the worm was created},
   day = {16},
   month = aug,
   year = {2012},
   howpublished = {\url{http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_changeup_how_the_worm_was_created.pdf}},
 }

Blog entry: http://www.symantec.com/connect/blogs/w32changeup-how-worm-was-created