Saturday, December 01, 2012


I was at work this week and a teammate mentioned that w32.changeup might be a concern to our client base.  We try to proactively alert our clients on what could affect them without needlessly spamming them (we try to weed through the hype as well).  The vendors already have the technical write-ups, so I'll spare the readers my thoughts on that.  But I will say that the worm was first discovered a year's an older worm but the new variants appear to be enhanced, and there's a large spike in infections across the world.  As well, the worm is apparently difficult to remove if not using AV tools.

In my research, I discovered the following:

  • When using Symantec as a resource, it is difficult to determine which variant is being discussed, which leads to confusion and not being fully aware of possible impact.  There are 32 variants of this worm and in most of Symantec's articles, knowledge-base entries, and blog/forum posts, the authors rarely mention the variants that could negatively affect users.  

  • As well, there aren't many other vendors that can detect and/or remove infections, so it is critical that rare resources be accurately documented (as much as possible, at least).

  • I became curious if any other vendor could detect (and/or remove) the worm, but because I didn't know a common name for this worm that the industry was collectively using, it was difficult to find additional details.  Finally, I stumbled across this:, which is the Symantec Blog.  It lists several vendor names of the worm.  It is highly annoying that I had to visit Symantec's site to find what McAfee named the worm.
I hate researching worms and viruses because there's no real standards that the AV industry follows.

Post a Comment