Home / malware Worm:Win32/Emold.N
First posted on 10 May 2010.
Source: SecurityHomeAliases :
Worm:Win32/Emold.N is also known as Worm.Win32.AutoRun.scj (Kaspersky), Win32/AutoRun.FakeAlert.S (ESET).
Explanation :
Worm:Win32/Emold.N is an encrypted executable with a file size of 45,568 bytes. It can spread via removable drives, be spammed to users as an e-mail attachment, or distributed from malicious Web sites. It is capable of downloading arbitrary files, including other malware, from a specific Web site.
Top
Worm:Win32/Emold.N is an encrypted executable with a file size of 45,568 bytes. It can spread via removable drives, be spammed to users as an e-mail attachment, or distributed from malicious Web sites. It is capable of downloading arbitrary files, including other malware, from a specific Web site. Installation Worm:Win32/Emold.N may be distributed to a computer with any of the following file names:Contract<spaces>.exe Contract.doc<spaces>.exe ups_letter_N<number>.zip The executable file has an icon resembling a Word document, in an attempt to mislead the user into opening it. When executed, Worm:Win32/Emold.N copies itself as "wuauclt.exe" into the Windows Common Program Files folder, and modifies the system registry so that it executes on every system start: Adds value: "Debugger" With data: "%CommonProgramFiles%\wuauclt.exe" To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Note that a legitimate Windows file also named "wuauclt.exe" exists by default in the Windows system folder. The default installation location for the Windows system folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32. It also creates remote threads in the following legitimate Windows processes:svchost.exe explorer.exe To ensure that at least one instance of "svchost.exe" is available for the remote thread creation, the worm adds the following registry entry: Adds value: "svchost" With data: "svchost.exe" To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Spreads via... Removable drives Worm:Win32/Emold.N copies itself as "system.exe" to removable drives. The worm then writes an Autorun configuration file named "autorun.inf" in the root of the targeted drive pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically. E-mail Worm:Win32/Emold.N may be spread as an attachment to a spammed e-mail message. As previously mentioned in the Installation section, the worm attachment may have a file name and icon that may mislead users into thinking it is a legitimate document. Payload Modifies system settings To bypass the system firewall, the worm adds itself to the authorized application list by modifying the following registry entry: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorisedApplications\List Uses advanced stealth/Drops additional malware The worm drops a file that uses the same file name as an existing device driver. It determines this file name by enumerating the "HKLM\SYSTEM\CurrentControlSet\Services" registry entry, looking for the first driver with a "Start" value of "3" (that is, load on demand). Commonly, the file name may be "<system folder>\drivers\aec.sys" or "<system folder>\drivers\asyncmac.sys". Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. The dropped file is a rootkit detected as VirTool:WinNT/Emold.gen!A and is used to hide the worm's malicious activities on the system. Note that legitimate Windows files also named "aec.sys" and "asyncmac.sys" exist by default in the Windows system drivers folder. The default installation location for the system drivers folder for Windows 2000 and NT is "C:\Winnt\System32\Drivers"; and for XP, Vista, and 7 is "C:\Windows\System32\Drivers". Downloads and executes arbitrary files Worm:Win32/Emold.N also attempts to download files from the domains "druzg.ru" and "drizg.ru". At the time of writing the domains were not accessible.
Analysis by Oleg PetrovskyLast update 10 May 2010