Worm:Win32/Emold.gen!D


Worm:Win32/Emold.gen!D is a generic detection for a worm that installs a trojan rootkit, downloads malware and spreads to removable drives.


What to do now

Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

Installation
When opened or executed, Worm:Win32/Emold.gen!D copies itself to the following location:
 
%ProgramFiles%\Microsoft Common\wuauclt.exe
 
It then modifies the system registry so that it runs every time Windows starts. A "Debugger" value under Image File Execution Options makes Windows launch the named program, with the original command line as its argument, whenever that executable is started; because explorer.exe is started at every logon, the worm is started at every logon:
 
Adds value: "Debugger"
With data: "%ProgramFiles%\Microsoft Common\wuauclt.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
 
Note that a legitimate Windows file also named wuauclt.exe (the Windows Update client) exists by default in the Windows system folder; the worm's copy lives in its own "Microsoft Common" directory under %ProgramFiles%, not in the system folder. The default system folder is C:\Winnt\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Vista.
 
Worm:Win32/Emold.gen!D may launch a hidden copy of the default Web browser, located by querying the registry, and then create a remote thread in the new process so that its own code runs inside the browser.
Spreads Via…
Removable Drives
Worm:Win32/Emold.gen!D spreads to removable drives by creating a copy of itself named 'system.exe' on each available removable drive. It also writes an autorun configuration file named 'autorun.inf' on the drive that points to 'system.exe'. When the drive is accessed from another machine on which the Autorun feature is enabled, the worm is launched automatically.
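The following parser is an added example and not code from the original entry. It reads an autorun.inf and lists every command the file would cause Windows to run, which is the check a responder wants when triaging a USB stick from an infected machine. The SAMPLE file is constructed to match the behaviour described above (a copy named system.exe in the drive root, referenced from autorun.inf); it also carries the shell\<verb>\command keys that many autorun worms add so that opening the drive from Explorer runs the file even where AutoRun itself is off. The entry above does not say whether this worm sets those keys; the parser simply handles the general case.

```python
"""List everything an autorun.inf would cause Windows to run.

Added example, not code from the original entry. SAMPLE is constructed to
match the behaviour described above (worm copied to the drive root as
system.exe and referenced from autorun.inf), plus the shell\\<verb>\\command
keys that many autorun worms add; the entry does not say whether this worm
sets them."""

EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

SAMPLE = """\
[autorun]
; constructed sample, modelled on the behaviour described in the entry
open=system.exe
shellexecute=system.exe
shell\\open\\command=system.exe
shell\\explore\\command=system.exe
icon=%SystemRoot%\\system32\\shell32.dll,8
"""


def parse_autorun(text):
    """Return the [autorun] section as {key (lower-cased): value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Keys that cause execution: open=, shellexecute=, and any
    shell\\<verb>\\command= (which overrides Explorer's Open/Explore verbs)."""
    return {k: v for k, v in entries.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}


def program_of(command):
    """Strip arguments: 'foo.exe /s' -> 'foo.exe'; a quoted path keeps its spaces."""
    c = command.strip()
    if c.startswith('"') and c.count('"') > 1:
        return c[1:c.find('"', 1)]
    return c.split(None, 1)[0] if c else ""


def assess(text):
    targets = launch_targets(parse_autorun(text))
    executables = {p for p in map(program_of, targets.values())
                   if p.lower().endswith(EXEC_EXT)}
    return {
        "targets": targets,
        "executables": executables,
        # an executable launched from the medium itself: normal for an
        # installer CD, the worm pattern for a USB stick
        "launches_executable": bool(executables),
        "hijacks_explorer_verbs": any(k.startswith("shell\\") for k in targets),
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

Point assess() at the text of an autorun.inf taken from the suspect drive; any executable in "executables" that also sits in the drive root is the file to hash and submit. Disabling Autorun for removable drives (the NoDriveTypeAutoRun policy) prevents the open=/shellexecute= path from firing, but the shell verb keys still run when a user double-clicks the drive icon, which is why the parser reports them separately.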
 
Payload
Modifies System Security Settings
Worm:Win32/Emold.gen!D checks whether '<system folder>\svchost.exe' is running. If it is not, it attempts to start 'svchost.exe' by launching the default Web browser referenced in the registry subkey 'HKCR\http\shell\open\command'.
 
Once svchost.exe is running, Worm:Win32/Emold.gen!D modifies the Windows Firewall policy stored in the registry, adding an exception for its own executable so that the firewall does not block the worm's network connections:
 
Adds value: "%ProgramFiles%\Microsoft Common\wuauclt.exe"
With data: "%ProgramFiles%\Microsoft Common\wuauclt.exe:*:Enabled:EMOTIONS_EXECUTABLE"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
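The two registry changes in this entry, the Image File Execution Options "Debugger" value from the Installation section and the firewall exception above, are the artefacts a responder can check without trusting the (rootkit-hidden) file system. The script below is an added example, not code from the original entry or from Microsoft: it parses a `reg export` dump and flags both changes, correlating the firewall exception with the binary named in the IFEO hijack. REG_TEXT is a constructed export mirroring the values quoted in this entry, with two benign controls added (a windbg IFEO entry and the stock XP SP2 Remote Assistance firewall entry); the lists of logon processes, known debuggers and system-folder file names are the example's own heuristics.

```python
"""Triage a `reg export` dump for the two registry changes this entry
describes: the IFEO "Debugger" hijack and the Windows Firewall exception.
Added example, not code from the original entry. REG_TEXT is a constructed
.reg export mirroring the values quoted above, plus two benign controls: a
windbg IFEO entry and the stock XP SP2 Remote Assistance firewall entry."""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt"
               "\\currentversion\\image file execution options\\")
FW_LIST_SUFFIX = "\\authorizedapplications\\list"
# Started by Windows at logon; a Debugger here runs attacker code in place of the real binary.
LOGON_PROCESSES = {"explorer.exe", "userinit.exe", "winlogon.exe"}
KNOWN_DEBUGGERS = {"ntsd", "cdb", "windbg", "vsjitdebugger", "drwtsn32"}   # file stems
# Names that belong in the system folder; the same name anywhere else is masquerading.
SYSTEM32_NAMES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}

REG_TEXT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft Common\\wuauclt.exe"="C:\\Program Files\\Microsoft Common\\wuauclt.exe:*:Enabled:EMOTIONS_EXECUTABLE"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
_EXE_PREFIX = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)
Finding = namedtuple("Finding", "kind key subject program reasons")


def _unescape(s):                    # .reg doubles backslashes and escapes quotes
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """{key path: {value name (lower-cased): data}}; REG_SZ unescaped, other types raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line) if current else None
        if not m:
            continue
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][_unescape(m.group(1)).lower()] = data
    return keys


def program_of(command):
    """Executable a command line names. An unquoted path containing spaces is
    read the way CreateProcess resolves it: the first prefix that ends in an
    executable extension."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = _EXE_PREFIX.match(command)
    return m.group(1) if m else command.split(None, 1)[0]


def masquerades_system_file(path):
    p = PureWindowsPath(path)
    return (p.name.lower() in SYSTEM32_NAMES
            and p.parent.name.lower() not in {"system32", "syswow64"})


def triage(keys):
    findings, hijacked = [], set()
    for key, values in keys.items():                 # pass 1: IFEO Debugger values
        lk = key.lower()
        if not lk.startswith(IFEO_PREFIX) or "debugger" not in values:
            continue
        target, program = lk[len(IFEO_PREFIX):], program_of(values["debugger"])
        reasons = []
        if target in LOGON_PROCESSES:
            reasons.append("Debugger set on a logon-time process")
        if PureWindowsPath(program).stem.lower() not in KNOWN_DEBUGGERS:
            reasons.append("not a known debugging tool")
        if masquerades_system_file(program):
            reasons.append("system file name outside the system folder")
        if reasons:
            findings.append(Finding("IFEO", key, target, program, reasons))
            hijacked.add(program.lower())
    for key, values in keys.items():                 # pass 2: firewall exceptions
        if not key.lower().endswith(FW_LIST_SUFFIX):
            continue
        for name, data in values.items():
            parts = data.rsplit(":", 3)              # <path>:<scope>:<state>:<display name>
            if len(parts) != 4 or parts[2].lower() != "enabled":
                continue
            reasons = []
            if masquerades_system_file(parts[0]):
                reasons.append("system file name outside the system folder")
            if parts[0].lower() in hijacked:
                reasons.append("same binary as an IFEO Debugger hijack")
            if reasons:
                findings.append(Finding("FIREWALL", key, name, parts[0], reasons))
    return findings
```

On a live machine, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and `reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" fw.reg`, concatenate the two files (they may be UTF-16LE with a BOM, so decode accordingly) and pass the text to parse_reg_export() and then triage(). For the constructed REG_TEXT the result is one IFEO finding on explorer.exe with all three reasons and one FIREWALL finding for the same wuauclt.exe path; the windbg and sessmgr.exe controls produce nothing. Note that program_of() resolves the unquoted Debugger path the same way CreateProcess does, which matters here because the worm's path contains spaces and is not quoted.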
 
Downloads Malware
Worm:Win32/Emold.gen!D connects to the domain 'aaszxt.ru' and attempts to download files from it.
 
Drops Additional Malware/Uses Advanced Stealth
Worm:Win32/Emold.gen!D drops the file aec.sys in the Windows system drivers folder. This file is detected as VirTool:WinNT/Emold.gen!A and is a rootkit used to hide this worm's malicious activities on the system.
 
Note that a legitimate file named aec.sys, the driver for the Microsoft Acoustic Echo Canceller, may exist in the same folder. If it does, the worm replaces the legitimate file with the rootkit, so the presence of aec.sys alone is not a symptom; its hash and signature must be checked.
 
Analysis by Jaime Wong

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
      %ProgramFiles%\Microsoft Common\wuauclt.exe
  • The presence of the following registry modification:
      Value: "Debugger"
      With data: "%ProgramFiles%\Microsoft Common\wuauclt.exe"
      In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Sep 29, 2008
This entry was updated on: Oct 08, 2010

This threat is also detected as:
  • ups_letter_N88825.doc.exe (other)
  • Worm.Win32.Autorun.pzo (Kaspersky)
  • Spy-Agent.bw (McAfee)
  • W32.Auraax (Symantec)