Worm:Win32/Emold.B is a worm that installs a trojan rootkit, downloads malware and spreads to removable drives.
Installation
When opened or executed, Worm:Win32/Emold.B copies itself to the following location:
%ProgramFiles%\Microsoft Common\wuauclt.exe
It then modifies the system registry so that it automatically executes every time Windows starts:
Adds value: "Debugger"
With data: "%ProgramFiles%\Microsoft Common\wuauclt.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Note that a legitimate Windows file also named wuauclt.exe exists by default in the Windows system folder. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
The trojan modifies the registry to ensure that 'svchost.exe' runs at each Windows start.
Adds value: svchost
With data: svchost.exe
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Worm:Win32/Emold.B may also launch a hidden copy of the default Web browser by querying the registry and creating a remote thread in the new process.
Spreads Via…
Removable Drives
Worm:Win32/Emold.B spreads to removable drives by creating a copy of itself as 'system.exe' on available removable drives. The worm writes an autorun configuration file named 'autorun.inf' pointing to 'system.exe'. When the removable or networked drive is accessed from another machine that supports the Autorun feature, the worm is launched automatically.
Payload
Bypasses Firewall
Worm:Win32/Emold.B modifies the Windows firewall policy stored in the registry to allow the trojan to make remote connection(s).
Adds value: "%Program Files%\Microsoft Common\wuauclt.exe"
With data: "%Program Files%\Microsoft Common\wuauclt.exe:*:Enabled:EMOTIONS_EXECUTABLE"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
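A read-only check for the artifacts described in the Installation and Bypasses Firewall sections (the IFEO Debugger value on explorer.exe, the 'svchost' Run value, the dropped wuauclt.exe copy, the firewall exception and the aec.sys driver), written as an added PowerShell example that is not part of this entry. The registry paths, file names and the EMOTIONS_EXECUTABLE tag are taken from the text above; the report format and the signature/hash step are assumptions of this example.

```powershell
# Added example: report Emold.B persistence/firewall artifacts. Reads only; changes nothing.
$findings = @()

# 1. IFEO 'Debugger' value on explorer.exe: a Debugger entry here runs the named
#    program instead of explorer.exe at every logon, which is how the worm persists.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
$debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($debugger) { $findings += "IFEO Debugger set for explorer.exe: $debugger" }

# 2. Run value named 'svchost' whose data is the bare name 'svchost.exe'.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$svc = (Get-ItemProperty -Path $run -Name svchost -ErrorAction SilentlyContinue).svchost
if ($svc) { $findings += "Run value 'svchost' present: $svc" }

# 3. Dropped copy under Program Files; the legitimate wuauclt.exe lives in the System folder.
$dropped = Join-Path $env:ProgramFiles 'Microsoft Common\wuauclt.exe'
if (Test-Path -LiteralPath $dropped) { $findings += "Dropped file present: $dropped" }

# 4. Firewall AuthorizedApplications entry for the dropped path or carrying the worm's tag.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$list = Get-ItemProperty -Path $fw -ErrorAction SilentlyContinue
if ($list) {
    foreach ($p in $list.PSObject.Properties) {
        if ($p.Name -like '*\Microsoft Common\wuauclt.exe' -or "$($p.Value)" -like '*EMOTIONS_EXECUTABLE*') {
            $findings += "Firewall exception: $($p.Name) = $($p.Value)"
        }
    }
}

# 5. aec.sys: the legitimate Acoustic Echo Canceller driver shares this name, so do not
#    flag it on presence alone; record signature status and hash for analyst comparison.
$drv = Join-Path $env:SystemRoot 'System32\drivers\aec.sys'
if (Test-Path -LiteralPath $drv) {
    $sig  = (Get-AuthenticodeSignature -FilePath $drv).Status
    $hash = (Get-FileHash -LiteralPath $drv -Algorithm SHA256).Hash
    $findings += "aec.sys present (signature: $sig, SHA256: $hash); verify against a known-good copy"
}

if ($findings.Count -eq 0) { 'No Emold.B artifacts found.' } else { $findings }
```

Run from an elevated prompt so the HKLM keys and the drivers folder are readable; a hit on items 1, 2 or 4 is a strong indicator on its own, while item 5 needs the hash comparison before it means anything.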
Downloads Malware
Worm:Win32/Emold.B connects with and attempts to download from the site 'aaszxt.ru'.
Drops Additional Malware/Uses Advanced Stealth
Worm:Win32/Emold.B drops the file aec.sys in the Windows system drivers folder. This file is detected as VirTool:WinNT/Emold.gen!A and is a rootkit used to hide this trojan's malicious activities on the system.
Note that a legitimate file named aec.sys may exist in the same folder and is the driver for the Microsoft Acoustic Echo Canceller. If this file exists in the system, the trojan replaces the legitimate file with the rootkit.
Additional Information
This malware may have arrived as a spammed e-mail attachment named "eTicket_s3.zip" or similar, which contains "eTicket_s3.doc.exe" or a similarly named executable. The spam e-mail may have the following text:
Hello,
Thank you for using our new service "Buy flight ticket Online" on our website.
Your account has been created: Your account has been created:
Your login: <random>
Your password: <random>
Your credit card has been charged for $ <random>.
We would like to remind you that whenever you order tickets on our
website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a printed color, and you are in September
to take off for the journey!
Kind regards,
<random> Airlines
Analysis by Patrik Vicol