Home / malware Worm:Win32/Emold.D
First posted on 08 February 2010.
Source: SecurityHomeAliases :
Worm:Win32/Emold.D is also known as Worm.Autorun.BNS (VirusBuster), Win32.HLLW.Autoruner.2640 (Dr.Web).
Explanation :
Worm:Win32/Emold.D is a worm that spreads by removable drives. It may also be spammed to users attached to e-mail, or distributed from malicious Web sites. The worm drops a rootkit in the system, which it uses to hide its presence and malicious activities from the affected user. The worm is also capable of downloading arbitrary files, additional malware onto the system from a certain Web site.
Top
Worm:Win32/Emold.D is a worm that spreads by removable drives. It may also be spammed to users attached to e-mail, or distributed from malicious Web sites. The worm drops a rootkit in the system, which it uses to hide its presence and malicious activities from the affected user. The worm is also capable of downloading arbitrary files, additional malware onto the system from a certain Web site. InstallationWhen executed, Worm:Win32/Emold.D copies itself as "wuauclt.exe" in the Windows Common Program
Files folder, and modifies the system registry so that it executes on every system start: Adds value: "Debugger"
With data: "%CommonProgramFiles%\wuauclt.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Note that a legitimate Windows file also named "wuauclt.exe" exists by default in the Windows system folder. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32. It also creates remote threads in the following legitimate Windows processes:svchost.exe explorer.exe Spreads via€¦ Removable drivesThe worm copies itself as "system.exe" to removable drives and ensures that it is executed during the removable drive initialization process. Payload Uses advanced stealth/Drops additional malwareThe worm drops the file "aec.sys" in the Windows system drivers folder. This file is detected as VirTool:WinNT/Emold.gen!A and is a rootkit used to hide the worm's malicious activities on the system. Note that a legitimate file named "aec.sys" may exist in the same folder and is a Microsoft acoustic echo cancel driver. If this file exists in the system, the trojan replaces the legitimate file with the rootkit. Downloads and executes arbitrary filesWorm:Win32/Emold.D also attempts to download other malware from the aaszxr.ru domain. At the moment of writing the domain is not accessible.
Analysis by Oleg PetrovskyLast update 08 February 2010