I’ve run into a number of worms over the years, but usually only in a network or two here and there. I’ve run into W32.Changeup several times in the past few days and expect to see it a few more. It gets into your network via removable media or the Internet. From an infected computer it replicates to network shares and infects any new computer that opens those shares via autorun. It copies itself to every network share it can reach, either because the logged-on user has write permission or by impersonating the system account. It also copies itself to SYSVOL on domain controllers, which is why it spreads so fast: SYSVOL is replicated to every domain controller and is reachable from every domain member. It will also replicate to unprotected shares on Mac and Linux systems, but it only infects Windows PCs. To stop further infections you will need to disable autorun across your domain, or at least on your own PC. If you need help disabling autorun you can find instructions here.

If autorun is disabled, all you really need to do is isolate the infected machines and re-image them offline. Assuming your antivirus is scanning the network shares, the files the worm left behind should be cleaned up automatically and will not come back unless an infected machine is still on the network. Once the infections are contained and eliminated you will need to repair the network shares the worm touched. You will start receiving calls from users saying their mapped drives are empty, and you will not see the folders on the server either: the worm marks the root of every share it replicates to, and every file and folder beneath it, as hidden system objects. To fix it you must strip those attributes from the command prompt. I’ve resolved this by logging into each file server as a domain admin, unhiding protected operating system files in Folder Options, taking ownership of the root shared folder, adding the domain admin account with full control, forcing the permissions down the tree, and then running the commands below.

Removes attributes from the root shared folder:
attrib -H -S "C:\path\to\your\folder" /S /D

Removes attributes from subfolders and files:
attrib -H -S "C:\path\to\your\folder\*.*" /S /D

Once the above is done you may still find stray movie files or shortcuts, 0 to 1 KB in size, scattered through the folders. Search the share for files of 1 KB or less and check against your backups whether each one existed before the infection; if it did not, delete it so users do not open it by mistake. The shortcuts vary in name, but the movie files tend to be named with a single letter, such as x.mov, and are 0 to 1 KB. The very last step is to set the permissions you reset back to what they were before the infection, if the whole share tree did not already have the same permissions.
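The whole repair, from taking ownership through hunting the leftover files, as one PowerShell script. This is an added example and not the commands from the original post; it assumes the share root is D:\Shares\Dept, that the admin group is CONTOSO\Domain Admins, and that the infection started within the last seven days. Change those three values and run it from an elevated prompt on the file server, once per share root.

```powershell
# Added example (not from the original post). Assumed values: share root
# D:\Shares\Dept, admin group CONTOSO\Domain Admins, infection window 7 days.
param(
    [string]   $ShareRoot      = 'D:\Shares\Dept',
    [string]   $AdminAccount   = 'CONTOSO\Domain Admins',
    [datetime] $InfectionStart = (Get-Date).AddDays(-7),
    [string]   $Report         = "$env:TEMP\changeup-suspects.csv"
)

# 1. Take ownership of the share root and everything beneath it (the local
#    Administrators group becomes owner), then grant the admin group full
#    control and push that ACE down the tree so attrib can reach every object.
takeown.exe /F $ShareRoot /A /R /D Y | Out-Null
icacls.exe  $ShareRoot /grant ("{0}:(OI)(CI)F" -f $AdminAccount) /T /C | Out-Null

# 2. Strip Hidden and System from the root folder itself, then from every
#    subfolder and file beneath it.
attrib.exe -H -S $ShareRoot
attrib.exe -H -S (Join-Path $ShareRoot '*.*') /S /D

# 3. Verify: list anything still carrying both attributes (attrib skips files
#    it cannot open, e.g. ones locked by the AV scanner) so you can re-run.
$still = Get-ChildItem -Path $ShareRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        ($_.Attributes -band [IO.FileAttributes]::System)
    }
if ($still) {
    Write-Warning "$($still.Count) objects still hidden+system under $ShareRoot"
    $still | Select-Object FullName, Attributes | Format-Table -AutoSize
}

# 4. Hunt the leftovers: .mov and .lnk files of 1 KB or less created inside
#    the infection window. Review the report against backups before deleting;
#    the Remove-Item line is deliberately left as -WhatIf.
$suspects = Get-ChildItem -Path $ShareRoot -Recurse -Force -File -Include *.mov, *.lnk -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -le 1KB -and $_.CreationTime -ge $InfectionStart }
$suspects | Select-Object FullName, Length, CreationTime |
    Export-Csv -Path $Report -NoTypeInformation
Write-Host "$($suspects.Count) suspect files written to $Report"
$suspects | Remove-Item -Force -WhatIf
```

Step 3 is the check worth keeping: a single file the scanner had open when attrib ran stays hidden, and the user whose mapped drive "is still empty" is usually sitting on exactly that folder. Drop the -WhatIf only after the CSV has been compared with a pre-infection backup, because the size filter alone will also catch legitimate shortcuts.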

CRM News W32.Changeup
Symantec’s Security Response to W32.Changeup
Reset system and hidden attributes caused by W32.Changeup
