Worm:Win32/Emold.C is a worm that installs a trojan rootkit. It can spread via removable drives, be spammed to users as an e-mail attachment, or be distributed from malicious Web sites. It is capable of downloading arbitrary files, including other malware, from a specific Web site.
Installation
Worm:Win32/Emold.C may arrive in a computer with the following file names:
- Statement.doc<spaces>.exe
- Credit card account statement (Visa,MC).doc<spaces>.exe
The file has an icon resembling a Word document, in an attempt to mislead the user into opening it.
When executed, Worm:Win32/Emold.C copies itself as "wuauclt.exe" to the Windows Common Program Files folder and registers that copy as the Image File Execution Options (IFEO) "debugger" for explorer.exe. Windows starts the program named in an IFEO Debugger value in place of the target image, so the worm is launched whenever explorer.exe is started, including at every system start and user logon:
Adds value: "Debugger"
With data: "%CommonProgramFiles%\wuauclt.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Note that a legitimate Windows file also named "wuauclt.exe" exists by default in the Windows system folder. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It also creates remote threads in the following legitimate Windows processes:
To ensure that at least one instance of "svchost.exe" is running for the thread injection, the worm adds the following registry entry. Windows itself never starts svchost.exe from the Run key, so this value alone is a reliable indicator of infection:
Adds value: "svchost"
With data: "svchost.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via...
Removable drives
Worm:Win32/Emold.C copies itself as "system.exe" to removable drives. The worm then writes an autorun configuration file named "autorun.inf" in the root of the targeted drive pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
E-mail
Worm:Win32/Emold.C may spread itself as an attachment in a spam e-mail message. As noted in the Installation section, the attachment carries a file name and icon chosen to mislead users into thinking it is a legitimate Word document.
Payload
Modifies system settings
To bypass the Windows Firewall, the worm adds its own executable to the authorized application list by adding a value under the following registry key (values under this key are named by the full path of the permitted executable):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Uses advanced stealth
Drops additional malware
The worm drops a file named "asyncmac.sys" in the Windows system folder. This file is detected as VirTool:WinNT/Emold.gen!A and is a rootkit used to hide the worm's activity on the infected computer.
Note that a legitimate Windows driver also named "asyncmac.sys" exists by default in the Windows system drivers folder, not in the system folder itself. The default location of the system drivers folder for Windows 2000 and NT is "C:\Winnt\System32\Drivers"; and for XP, Vista, and 7 is "C:\Windows\System32\Drivers". A copy of "asyncmac.sys" sitting directly in the system folder (for example C:\Windows\System32) is therefore suspicious.
Downloads and executes arbitrary files
Worm:Win32/Emold.C also attempts to download files from the domain "aaszxr.ru". At the time of writing the domain is not accessible.
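As an added example (not part of the original Microsoft analysis), the following PowerShell script checks a host for the indicators described in the Installation, Spreads via and Payload sections: the IFEO Debugger value on explorer.exe, the "svchost" Run entry, the fake wuauclt.exe in Common Program Files, asyncmac.sys outside the Drivers folder, the firewall exception, system.exe plus autorun.inf on removable drives, and a DNS cache entry for aaszxr.ru. All paths, value names and file names come from the page; the Add-Finding helper and the output layout are this example's own. The checks are read-only; run it from an elevated prompt so the HKLM and driver paths are readable.

```powershell
# Added triage example for Worm:Win32/Emold.C indicators (not from the original analysis).
# Read-only: it reports findings and changes nothing. Run from an elevated PowerShell prompt.

$findings = @()

# Helper (this example's own name): collect one indicator with a detail string.
function Add-Finding([string]$Indicator, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Indicator = $Indicator; Detail = $Detail }
}

# 1. IFEO "Debugger" hijack of explorer.exe. Windows starts the program named here
#    instead of explorer.exe, so any Debugger value on explorer.exe is suspicious.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO Debugger on explorer.exe' $dbg }
}

# 2. Run-key value named "svchost". Windows never launches svchost.exe from the Run key.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).svchost
if ($runVal) { Add-Finding 'Run key value "svchost"' $runVal }

# 3. Worm copy posing as wuauclt.exe in Common Program Files
#    (the legitimate wuauclt.exe lives in %SystemRoot%\System32).
$fakeWu = Join-Path $env:CommonProgramFiles 'wuauclt.exe'
if (Test-Path $fakeWu) {
    $sig = Get-AuthenticodeSignature -FilePath $fakeWu
    Add-Finding 'wuauclt.exe in Common Program Files' "$fakeWu (Authenticode: $($sig.Status))"
}

# 4. Dropped rootkit: asyncmac.sys directly in System32 rather than System32\Drivers.
$fakeDrv = Join-Path $env:SystemRoot 'System32\asyncmac.sys'
if (Test-Path $fakeDrv) { Add-Finding 'asyncmac.sys outside the Drivers folder' $fakeDrv }

# 5. Firewall authorized-application list. Values are named by the executable's full
#    path, so look for a wuauclt.exe entry that is not the one in System32.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    $props = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like '*wuauclt.exe' -and $p.Name -notlike "$env:SystemRoot\System32\*") {
            Add-Finding 'Firewall exception for non-system wuauclt.exe' "$($p.Name) = $($p.Value)"
        }
    }
}

# 6. Removable drives: system.exe plus an autorun.inf whose open= or shellexecute= line names it.
#    .NET DriveInfo is used so the check works on Windows PowerShell 2 through PowerShell 7.
$removable = [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady }
foreach ($d in $removable) {
    $root = $d.RootDirectory.FullName
    $exe  = Join-Path $root 'system.exe'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path $exe) { Add-Finding 'system.exe on removable drive' $exe }
    if (Test-Path $inf) {
        $hit = Select-String -Path $inf -Pattern '^\s*(open|shellexecute)\s*=.*system\.exe' -Quiet
        if ($hit) { Add-Finding 'autorun.inf launches system.exe' $inf }
    }
}

# 7. DNS resolver cache entry for the download domain (ipconfig exists on XP through current Windows).
if (ipconfig /displaydns | Select-String -SimpleMatch 'aaszxr.ru' -Quiet) {
    Add-Finding 'DNS cache entry for download domain' 'aaszxr.ru'
}

if ($findings.Count -eq 0) { 'No Emold.C indicators found.' } else { $findings | Format-Table -AutoSize }
```

Any single finding is worth investigating, but the IFEO Debugger value on explorer.exe and the "svchost" Run value have no legitimate counterpart on a stock Windows install, so either one on its own is strong evidence of this worm or of a similar persistence technique. Because the page reports that the rootkit driver hides the worm's activity, a clean result from this script on a live system does not prove the host is clean; confirm file-system findings from offline media or a trusted boot environment.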
Analysis by Oleg Petrovsky