VirTool:WinNT/Emold.gen!A

VirTool:WinNT/Emold.gen!A is Microsoft's generic detection for a trojan driver component installed by worms detected as Worm:Win32/Emold.gen!D and Worm:Win32/Emold.E. This trojan is dropped and loaded by the worm upon execution.

VirTool:WinNT/Emold.gen!A is installed by variants of Win32/Emold, such as Worm:Win32/Emold.gen!D and Worm:Win32/Emold.E. The trojan may be dropped as the following files:

 

<system folder>\drivers\aec.sys

<system folder>\drivers\asyncmac.sys

 

Note: Legitimate driver files named 'aec.sys' and 'asyncmac.sys' may exist in the same folder. If these files exist in the system, the trojan replaces the legitimate file with the rootkit.

This trojan disables monitoring of several system functions (listed below) normally monitored by security software to detect malware on the computer:

 

NtProtectVirtualMemory
NtCreateFile
NtAdjustPrivilegesToken
NtCreateKey
NtConnectPort
NtCreatePort
NtTerminateThread
NtOpenThread
NtWriteVirtualMemory
NtOpenProcess
NtCreateProcess
NtCreateProcessEx
NtCreateSection
NtCreateThread
NtDeleteKey
NtDeleteValueKey
NtDuplicateObject
NtEnumerateKey
NtEnumerateValueKey
NtLoadDriver
NtLoadKey
NtLoadKey2
NtNotifyChangeKey
NtOpenFile
NtOpenKey
NtOpenSection
NtQueryKey
NtQueryMultipleValueKey
NtQueryValueKey
NtReplaceKey
NtRestoreKey
NtResumeThread
NtSaveKey
NtSetContextThread
NtSetInformationFile
NtSetInformationKey
NtSetSystemInformation
NtSetValueKey
NtSuspendThread
NtSystemDebugControl
NtTerminateProcess

For more information about Worm:Win32/Emold.gen!D or Worm:Win32/Emold.E, see our descriptions elsewhere in the encyclopedia.