
VirTool:WinNT/Emold.gen!A


First posted on 15 February 2019.
Source: Microsoft

Aliases :

There are no other names known for VirTool:WinNT/Emold.gen!A.

Explanation :

VirTool:WinNT/Emold.gen!A is Microsoft's generic detection for a trojan driver component installed by worms detected as Worm:Win32/Emold.gen!D and Worm:Win32/Emold.E. This trojan is dropped and loaded by the worm upon execution.

Installation :

VirTool:WinNT/Emold.gen!A is installed by variants of Win32/Emold, such as Worm:Win32/Emold.gen!D and Worm:Win32/Emold.E. The trojan may be dropped as the following files:

drivers\aec.sys
drivers\asyncmac.sys

Note: Legitimate driver files named 'aec.sys' and 'asyncmac.sys' may exist in the same folder. If these files exist on the system, the trojan replaces the legitimate file with the rootkit.

Payload :

Disables Monitoring by Security Applications

This trojan disables monitoring of the following system functions, which security software normally hooks to detect malware on the computer:

NtProtectVirtualMemory
NtCreateFile
NtAdjustPrivilegesToken
NtCreateKey
NtConnectPort
NtCreatePort
NtTerminateThread
NtOpenThread
NtWriteVirtualMemory
NtOpenProcess
NtCreateProcess
NtCreateProcessEx
NtCreateSection
NtCreateThread
NtDeleteKey
NtDeleteValueKey
NtDuplicateObject
NtEnumerateKey
NtEnumerateValueKey
NtLoadDriver
NtLoadKey
NtLoadKey2
NtNotifyChangeKey
NtOpenFile
NtOpenKey
NtOpenSection
NtQueryKey
NtQueryMultipleValueKey
NtQueryValueKey
NtReplaceKey
NtRestoreKey
NtResumeThread
NtSaveKey
NtSetContextThread
NtSetInformationFile
NtSetInformationKey
NtSetSystemInformation
NtSetValueKey
NtSuspendThread
NtSystemDebugControl
NtTerminateProcess

Additional Information :

For more information about Worm:Win32/Emold.gen!D or Worm:Win32/Emold.E, see our descriptions elsewhere in the encyclopedia.

Analysis by Shali Hsieh, Jaime Wong, and Vincent Tiu
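Because the rootkit overwrites legitimately named driver files rather than adding a new one, a file's presence tells a responder nothing on its own; its signature state does. The PowerShell below is an added example from this editor, not part of Microsoft's description: it checks whether files with the two names listed under Installation still carry a valid Microsoft Authenticode signature. It assumes the default %SystemRoot%\System32\drivers location; the variable names are the editor's own.

```powershell
# Added example (not from the Microsoft encyclopedia entry).
# Checks the two driver file names this trojan is known to overwrite and
# reports whether each still carries a valid Microsoft signature.
# Assumes the default driver directory under %SystemRoot%.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$names = @('aec.sys', 'asyncmac.sys')   # file names taken from the description above

foreach ($name in $names) {
    $path = Join-Path $driverDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$name : not present (nothing to check)"
        continue
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $file = Get-Item -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    # 'Valid' with a Microsoft signer is the expected state for an intact in-box driver.
    # Anything else (NotSigned, HashMismatch, UnknownError, or a non-Microsoft signer)
    # is flagged for review rather than declared malicious outright.
    $verdict = if ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*') { 'OK' } else { 'REVIEW' }

    Write-Output ("{0} : {1} ; status={2} ; signer={3} ; size={4} bytes ; modified={5:u}" -f $name, $verdict, $sig.Status, $signer, $file.Length, $file.LastWriteTime)
}
```

Treat REVIEW as a prompt to look closer, not as a conviction: in-box drivers are often catalog-signed rather than embedded-signed, and older PowerShell versions may report NotSigned for a perfectly legitimate catalog-signed file. Comparing the file's hash against a known-good copy from installation media, and checking the modification time against the worm's suspected arrival, is the natural follow-up.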

Last update 15 February 2019
