Threat behavior
Worm:Win32/Emold.gen!C is a worm that drops a rootkit in the system to hide its malicious activities and spreads to removable drives. It is also capable of downloading additional malware onto the system from a certain website.
Installation
Worm:Win32/Emold.gen!C drops itself as wuauclt.exe in the Windows Common Program Files folder.
It then modifies the system registry so that it automatically executes every time Windows starts:
Adds value: "Debugger"
With data: "%CommonProgramFiles%\wuauclt.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Note that a legitimate Windows file also named wuauclt.exe exists by default in the Windows system folder. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
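The registry change above is an Image File Execution Options (IFEO) "Debugger" hijack: whatever path is stored there is started in place of explorer.exe at each logon. The following is an added detection example, not part of the original entry: it parses a constructed `reg export` of the IFEO key and flags any explorer.exe Debugger value, and any wuauclt.exe path outside the Windows system folder (the only place the legitimate file lives). The %CommonProgramFiles% variable is left unexpanded since it can never match a system folder; myapp.exe and vsjitdebugger.exe are made-up benign data.

```python
import re
from typing import Dict, List, Tuple

IFEO_PREFIX = "\\image file execution options\\"  # lower-case tail of the IFEO key path
# wuauclt.exe legitimately lives only in the Windows system folder (C:\Winnt\System32 or C:\Windows\System32).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32", r"%systemroot%\system32"}

# Constructed sample of a `reg export` of the IFEO key: the entry as the page describes it,
# plus a made-up benign entry (myapp.exe / vsjitdebugger.exe) that must not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="%CommonProgramFiles%\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"
"""


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Map image name -> Debugger data for every IFEO subkey that carries a Debugger value."""
    debuggers: Dict[str, str] = {}
    image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            pos = key.lower().find(IFEO_PREFIX)
            image = key[pos + len(IFEO_PREFIX):] if pos != -1 else None
            continue
        m = re.match(r'^"Debugger"="(.*)"$', line, re.IGNORECASE)
        if m and image:
            debuggers[image] = m.group(1).replace("\\\\", "\\")  # .reg files double backslashes
    return debuggers


def suspicious_entries(debuggers: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Flag Debugger values matching the persistence pattern described for this worm."""
    findings = []
    for image, debugger in debuggers.items():
        directory, _, exe = debugger.lower().strip('"').rpartition("\\")
        reasons = []
        if image.lower() == "explorer.exe":  # a Debugger on the shell runs that binary at every logon
            reasons.append("Debugger set on explorer.exe")
        if exe == "wuauclt.exe" and directory not in SYSTEM_DIRS:
            reasons.append("wuauclt.exe outside the Windows system folder")
        if reasons:
            findings.append((image, debugger, reasons))
    return findings
```

On a live system the same logic applies to the output of `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`; a clean machine normally has no Debugger value on explorer.exe at all.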
It also creates remote threads in the following legitimate Windows processes:
Spreads Via…
Removable Drives
Win32/Emold.gen!C copies itself to removable devices. It drops two files into the root of available removable drives:
autorun.inf - Autorun configuration file, launches 'system.exe'
system.exe - copy of Win32/Emold.gen!C
When the removable drive is accessed from another machine supporting the Autorun feature, the worm is launched automatically.
Payload
Drops Additional Malware/Uses Stealth
Win32/Emold.gen!C drops the file 'aec.sys' in the Windows system drivers folder. This file is detected as VirTool:WinNT/Emold and is a rootkit used to hide malicious activities on the system.
Note that a legitimate file named aec.sys may exist in the same folder and is the driver for the Microsoft Acoustic Echo Canceller. If this file exists in the system, the trojan replaces the legitimate file with the rootkit.
Additional Information
Trojan:Win32/Emold.gen!C connects to the server 'aaszxt.ru'.
Analysis by Vitaly Zaytsev
Prevention