
VirTool:WinNT/Emold.gen!A


First posted on 30 June 2009.
Source: SecurityHome

Aliases :

VirTool:WinNT/Emold.gen!A is also known as VirTool:WinNT/Rootkitdrv.DM (other).

Explanation :

VirTool:WinNT/Emold.gen!A is Microsoft's generic detection for a trojan driver component installed by worms detected as Worm:Win32/Emold.gen!D and Worm:Win32/Emold.E. This trojan is dropped and loaded by the worm upon execution.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following registry modification:
    Value: "Debugger"
    With data: "%ProgramFiles%\Microsoft Common\wuauclt.exe"
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    A Debugger value under Image File Execution Options makes Windows start the named file whenever explorer.exe is launched, so the worm's copy of wuauclt.exe (which is not the genuine Windows Update client in %SystemRoot%\System32) runs every time the shell starts.
  • Alert notifications from installed antivirus software may be the only symptom(s).



Installation
VirTool:WinNT/Emold.gen!A is installed by variants of Win32/Emold, such as Worm:Win32/Emold.gen!D and Worm:Win32/Emold.E. The trojan may be dropped as the following files:

  <system folder>\drivers\aec.sys
  <system folder>\drivers\asyncmac.sys

Note: Legitimate driver files named 'aec.sys' and 'asyncmac.sys' may exist in the same folder. If these files exist on the system, the trojan replaces the legitimate file with the rootkit, so the presence of a file with one of these names is not by itself an indicator; the file's signature and hash are.
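The indicators from the Symptoms and Installation sections (the IFEO Debugger value on explorer.exe, the dropped wuauclt.exe, and the overwritten aec.sys / asyncmac.sys) can be triaged from an elevated PowerShell prompt. The script below is an added example and is not part of the original description or of any Microsoft tool; the assumptions that the genuine drivers carry a valid Microsoft Authenticode signature and that SHA-256 is the hash to record are mine, as is the $findings reporting layout.

```powershell
# Added example (not from the original advisory): triage checks for the
# Win32/Emold indicators. Run from an elevated prompt; PowerShell 4.0 or
# later is needed for Get-FileHash.
# Assumption (not stated on the page): the legitimate aec.sys and
# asyncmac.sys are Microsoft-signed, so a missing or non-Microsoft
# signature on either file is a lead worth following, not a verdict.

$findings = @()

# 1. Image File Execution Options hijack of explorer.exe.
#    A Debugger value here makes Windows run the named file in place of
#    explorer.exe; a clean system normally has no such subkey at all.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
if (Test-Path $ifeo) {
    $debugger = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings += [pscustomobject]@{
            Indicator = 'IFEO Debugger value on explorer.exe'
            Detail    = $debugger
        }
    }
}

# 2. The dropped wuauclt.exe. The real Windows Update client lives in
#    %SystemRoot%\System32, never under "Microsoft Common".
$fakeWuauclt = Join-Path $env:ProgramFiles 'Microsoft Common\wuauclt.exe'
if (Test-Path $fakeWuauclt) {
    $findings += [pscustomobject]@{
        Indicator = 'wuauclt.exe outside System32'
        Detail    = $fakeWuauclt
    }
}

# 3. Driver files the rootkit overwrites. The names are legitimate, so
#    existence proves nothing; check the signature and record the hash.
foreach ($name in 'aec.sys', 'asyncmac.sys') {
    $path = Join-Path $env:SystemRoot "System32\drivers\$name"
    if (-not (Test-Path $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        $findings += [pscustomobject]@{
            Indicator = "Unsigned or non-Microsoft $name"
            Detail    = "$path status=$($sig.Status) signer=$signer sha256=$hash"
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Win32/Emold indicators found.'
}
```

Two caveats apply to any live check like this. First, the driver's payload (below) strips the kernel hooks security software relies on, and a loaded rootkit can equally hide its own files and keys from user-mode tools, so a clean result on a running system is weak evidence; repeat the checks after booting clean media and mounting the disk, or load the offline SOFTWARE hive with `reg load`. Second, drivers shipped with Windows are often catalog-signed rather than carrying an embedded signature, and older hosts report those as NotSigned; compare the recorded SHA-256 against a known-good copy of the driver from installation media before drawing a conclusion.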

Payload

Disables Monitoring by Security Applications
This trojan disables monitoring of several system functions normally monitored by security software to detect malware on the computer. The affected functions are the native system services listed below; together they cover process and thread creation, writes to another process's memory, file and registry access, driver loading and LPC ports, which is exactly the set of calls security products of the time hooked to observe malware activity. With the hooks on these calls removed, the worm's later actions are invisible to such products.

  NtProtectVirtualMemory
  NtCreateFile
  NtAdjustPrivilegesToken
  NtCreateKey
  NtConnectPort
  NtCreatePort
  NtTerminateThread
  NtOpenThread
  NtWriteVirtualMemory
  NtOpenProcess
  NtCreateProcess
  NtCreateProcessEx
  NtCreateSection
  NtCreateThread
  NtDeleteKey
  NtDeleteValueKey
  NtDuplicateObject
  NtEnumerateKey
  NtEnumerateValueKey
  NtLoadDriver
  NtLoadKey
  NtLoadKey2
  NtNotifyChangeKey
  NtOpenFile
  NtOpenKey
  NtOpenSection
  NtQueryKey
  NtQueryMultipleValueKey
  NtQueryValueKey
  NtReplaceKey
  NtRestoreKey
  NtResumeThread
  NtSaveKey
  NtSetContextThread
  NtSetInformationFile
  NtSetInformationKey
  NtSetSystemInformation
  NtSetValueKey
  NtSuspendThread
  NtSystemDebugControl
  NtTerminateProcess

Additional Information
For more information about Worm:Win32/Emold.gen!D or Worm:Win32/Emold.E, see our descriptions elsewhere in the encyclopedia.

Analysis by Shali Hsieh, Jaime Wong, and Vincent Tiu

Last update 30 June 2009
