Virus - W32.ChangeUp.X - Network Infection



  SLK 350
Just a heads up...

Our network has been infected by W32.Changeup (lots and lots of new variants around), which managed to sneak past Symantec Endpoint Protection. According to Symantec they've patched it into yesterday's last definition, but there are still a number of variants unpatched.

The damage factor is pretty low, but it's an annoying little fker. Basically, it infects the client machine by replacing shortcuts with mirrors. In doing so, it changes the attributes of the existing folders to Hidden/System, and then creates a new share folder (which is linked back to an .exe).

Off the back of that, the virus will then spread to any mapped drives/shares/removable media, thus in a network environment your servers become infected, any served shares (file server...) then get raped in the same way, and new users clicking the shares become infected...

Very clever, simple little virus, and afaik it's still very much in the wild.

Hopefully they listen to my demands to disable autorun, stick superglue in every laptop USB, burn every USB pendrive and cut Symantec loose!
 

ChrisR

ClioSport Club Member
Hopefully they listen to my demands to disable autorun, stick superglue in every laptop USB, burn every USB pendrive and cut Symantec loose!

Or just have things setup properly in the first place :)

Where does it put the exe files, in the shares?

Easy fix, with software restriction policies and proper file and folder permissions this would never cause a problem :)
 
  DCi
how do you block hardware in group policy? :eek:

I know you could stop a file running or getting onto a share etc. with permissions / GP etc., but can GP just block the hardware device itself so as soon as you plug it in it just shows up as disabled?
 
  SLK 350
Chris/Iain, I work as a contractor for a big big organisation, which sadly means I have very little input into security/administration. Actually, we don't even have permissions or access to most of the infrastructure - that's all dealt with in America by the security/AV teams. Even though I can see obvious problems, e.g. all users have Local Admin rights to their machines (!), I'm powerless to change them...

This virus just infected another site today; 70-80 users are now off the network in their own little OU. Presently, despite a number of meetings, the best they've come up with is disabling Autorun via GP, and File Screening on the servers... unfortunately for them, neither has worked. The trouble is, if one person is infected, all of the folders in the top level of each share they have mapped become bogus links (it hides the original with a System/Hidden attrib, and creates a new shortcut with the same name, linking back to the .exe on the client machine). When someone comes along and clicks the share, it installs the .exe onto the new victim's machine and does the same with their files and shares.

Because it's more nuisance than damaging, I kind of admire the simplicity of just how effective it is.

What's going on at your site Andy, how are you combating it?
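As an added, defender-side example (not something posted in this thread): a PowerShell script that scans the top level of a share for the pattern SLK 350 describes, a Hidden+System folder shadowed by a same-named .lnk pointing at an executable, lists the matches, and optionally clears the attributes and quarantines the decoy shortcut. The parameter names, the extension list and the quarantine suffix are my own choices.

```powershell
# Added example, not from the thread. Scans one share root for the
# "hidden folder + decoy shortcut of the same name" pattern described above.
# Assumptions: run as an account with rights on the share; -Restore is optional.
param(
    [Parameter(Mandatory)][string]$ShareRoot,
    [switch]$Restore   # clear Hidden/System on the hijacked folder, quarantine the .lnk
)

$shell    = New-Object -ComObject WScript.Shell
$findings = @()

# Per the description, only the top level of each share is rewritten,
# so a non-recursive listing is enough. -Force includes hidden items.
foreach ($lnk in Get-ChildItem -LiteralPath $ShareRoot -Filter '*.lnk' -File -Force) {
    $folder = Join-Path $ShareRoot $lnk.BaseName
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) { continue }

    $dir = Get-Item -LiteralPath $folder -Force
    $hiddenSystem = $dir.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                    $dir.Attributes.HasFlag([IO.FileAttributes]::System)
    if (-not $hiddenSystem) { continue }

    # Resolve where the decoy actually points. A shortcut standing in for a
    # folder has no business launching an executable (directly or via arguments).
    $sc         = $shell.CreateShortcut($lnk.FullName)
    $execPat    = '\.(exe|scr|com|bat|cmd|vbs|js)\b'
    $suspicious = ($sc.TargetPath -match $execPat) -or ($sc.Arguments -match $execPat)

    $findings += [pscustomobject]@{
        Shortcut    = $lnk.FullName
        HijackedDir = $dir.FullName
        Target      = $sc.TargetPath
        Arguments   = $sc.Arguments
        Suspicious  = $suspicious
    }

    if ($Restore -and $suspicious) {
        # Make the real folder visible again; attrib only touches the two bits we care about.
        attrib -s -h "$($dir.FullName)"
        # Keep the decoy for the AV/security team rather than deleting evidence.
        Move-Item -LiteralPath $lnk.FullName -Destination "$($lnk.FullName).quarantine"
    }
}

$findings | Format-Table -AutoSize
```

Run it against each mapped share root (e.g. a UNC path) before users reconnect; anything with Suspicious = True is a folder that was hijacked on that share.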
 
  Cupra
They run on a separate network to us, so it is their own mess to sort out. Sorry, I don't know how they resolved it in the end, and our network was not infected.
 

