W32.Changeup Installing and Running eMule

We have seen many threats that use file-sharing applications in order to spread to other computers. Typically these threats scan a compromised computer for the shared folders of such programs and, if they find one, copy themselves into it under file names that are popular in search queries (e.g. popular pirated software, games, or cracks).
W32.Changeup does not scan for existing file-sharing applications, but it does something unusual: it actually installs a well-known application called eMule and uses it to share itself, mimicking tens of thousands of file names from popular user searches. Let's have a closer look.
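The spreading pattern described above, one body copied into a shared folder under many lure names, is also the easiest thing to check for. The following is an added example, not code from the original post or from Symantec: it hashes every file in a (constructed) shared folder, groups files by content, and reports any content that appears under more than a handful of different names. The folder layout, the lure file names, the fake executable body and the threshold are all assumptions made for the example.

```python
"""Flag a P2P shared folder in which one executable has been copied under
many different lure names, the pattern described in the post.

Added example, not code from the original post or from Symantec. The
directory layout, file names, file contents and threshold are constructed
for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

# Number of distinct names sharing identical content above which a group is
# reported. A legitimate shared folder rarely holds the same bytes under more
# than a couple of names; a self-replicating worm holds thousands. Assumed value.
MIN_DUPLICATE_NAMES = 3


def sha256_of_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_content(shared_dir):
    """Map content hash -> sorted list of file names holding that content."""
    groups = defaultdict(list)
    for entry in os.scandir(shared_dir):
        if entry.is_file(follow_symlinks=False):
            groups[sha256_of_file(entry.path)].append(entry.name)
    return {digest: sorted(names) for digest, names in groups.items()}


def find_lure_clusters(shared_dir, min_names=MIN_DUPLICATE_NAMES):
    """Return [(hash, names)] for content stored under at least min_names names."""
    return [(digest, names)
            for digest, names in group_by_content(shared_dir).items()
            if len(names) >= min_names]


def build_sample_shared_folder():
    """Construct a throwaway folder mimicking an eMule "Incoming" directory.

    Everything here is constructed sample data: the lure names imitate the
    kind of popular-search titles the post describes, and the "executable"
    is a fake PE-looking byte string, not a real binary.
    """
    root = tempfile.mkdtemp(prefix="emule_incoming_")
    worm_body = b"MZ" + b"\x90" * 512 + b"CONSTRUCTED-WORM-BODY"
    lures = [
        "Photoshop CS6 keygen.exe",
        "Office 2010 crack.exe",
        "Skyrim full game.exe",
        "Antivirus 2012 serial.exe",
    ]
    for name in lures:
        with open(os.path.join(root, name), "wb") as f:
            f.write(worm_body)
    # Two benign, unrelated files that must not be reported.
    with open(os.path.join(root, "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0 constructed jpeg")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"constructed text file")
    return root, lures


def run_demo():
    """Build the sample folder, scan it, print findings, clean up.

    Returns (clusters, sorted_lure_names) so the result can be checked.
    """
    root, lures = build_sample_shared_folder()
    try:
        clusters = find_lure_clusters(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    for digest, names in clusters:
        print(f"{digest[:16]}... stored under {len(names)} names:")
        for name in names:
            print("   ", name)
    return clusters, sorted(lures)


if __name__ == "__main__":
    run_demo()
```

Pointing `find_lure_clusters` at a real eMule "Incoming" or shared directory is enough to surface this behaviour; the threshold is deliberately low because even a few identical executables under unrelated "crack"/"keygen" names is worth a look, and a worm of the kind described will produce far more.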
Infection
Changeup may arrive on a computer in several ways. As we have seen, it may exploit the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability, spread through removable or network drives, or simply be downloaded by an unsuspecting user from a P2P application. (You can find more information about W32.Changeup characteristics in this previous blog entry.) Usually the first executable dropped on the machine is quite small; it connects back to the Changeup C&C servers and downloads additional payloads, notably threats from the Backdoor.Tidserv, Downloader.Harnig and Trojan.FakeAV families, among others.
Sharing
After the payload is dropped, there is no visible window or sign of the threat running, but we can have a look at the process list to (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.