Worm:Win32/Emold.E is a generic detection for a worm that installs a trojan rootkit, downloads and drops other malware and spreads to removable drives.
Installation
When opened or executed, Worm:Win32/Emold.E copies itself to the following location:
%ProgramFiles%\Microsoft Common\wuauclt.exe
Note that a legitimate Windows file also named wuauclt.exe exists by default in the Windows system folder. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It then modifies the system registry so that it automatically executes every time Windows starts:
Adds value: "Debugger"
With data: "%ProgramFiles%\Microsoft Common\wuauclt.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Adds value: "svchost"
With data: "%ProgramFiles%\Microsoft Common\wuauclt.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Worm:Win32/Emold.E may launch a hidden copy of the default Web browser by querying the registry and creating a remote thread in the new process.
Spreads Via…
Removable Drives
Worm:Win32/Emold.E spreads to removable drives by creating a copy of itself as system.exe on available removable drives. The worm writes an autorun configuration file named autorun.inf pointing to system.exe. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the worm is launched automatically.
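Because the removable-drive copy is launched only through the autorun.inf file described above, an incident responder triaging a drive can parse that file and list every executable it would start. The script below is an added example, not code from this write-up or from Microsoft; the two autorun.inf texts it parses are constructed (one mirrors the worm's system.exe layout, the other a typical vendor CD), and the set of launch directives it examines (open, shellexecute, shell\*\command) is the author's choice. Note that current Windows versions no longer honour autorun.inf on removable drives other than optical media, so this check matters for older systems and for forensic review of the drive itself.

```python
import os
import re
from typing import Dict, List

# Constructed autorun.inf contents (not copied from a real sample). The first
# mirrors what the write-up describes: every launch directive points at the
# worm's copy, system.exe, in the root of the drive.
WORM_STYLE_AUTORUN = """[autorun]
open=system.exe
shellexecute=system.exe
shell\\open\\command=system.exe
shell\\open=Open
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# A typical vendor CD autorun, constructed so the parser has a benign comparison.
VENDOR_CD_AUTORUN = """[autorun]
open=setup.exe /autorun
icon=setup.exe,0
label=Vendor Software
"""

# autorun.inf directives that cause a program to be executed (assumed set).
LAUNCH_DIRECTIVES = ("open", "shellexecute")
_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an autorun.inf into {lower-case key: value}."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Executables Autorun would run, in the order found, arguments stripped."""
    targets: List[str] = []
    for key, value in entries.items():
        if key in LAUNCH_DIRECTIVES or _COMMAND_RE.match(key):
            parts = value.split()
            exe = parts[0].strip('"') if parts else ""
            if exe and exe.lower() not in (t.lower() for t in targets):
                targets.append(exe)
    return targets


def is_emold_like(entries: Dict[str, str]) -> bool:
    """True when any launch directive points at system.exe in the drive root,
    the file name Worm:Win32/Emold.E uses for its removable-drive copy."""
    return any(t.lower().lstrip(".\\") == "system.exe" for t in launch_targets(entries))


def scan_drive_root(root: str) -> Dict[str, object]:
    """Read autorun.inf from a mounted drive root (hypothetical helper) and report
    what it would launch and whether the referenced file is actually present."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return {"autorun": False}
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    targets = launch_targets(entries)
    return {
        "autorun": True,
        "targets": targets,
        "targets_present": [t for t in targets if os.path.isfile(os.path.join(root, t))],
        "emold_like": is_emold_like(entries),
    }


if __name__ == "__main__":
    for label, text in (("worm-style", WORM_STYLE_AUTORUN), ("vendor CD", VENDOR_CD_AUTORUN)):
        entries = parse_autorun(text)
        print(f"{label}: launches {launch_targets(entries)}, emold-like={is_emold_like(entries)}")
```

Any executable launched from the root of a removable drive deserves a look, so the launch list is reported on its own; the system.exe match is only the narrower Emold.E signal.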
Payload
Modifies System Security Settings
Worm:Win32/Emold.E modifies the Windows firewall policy stored in the registry to allow the worm to make remote connections:
Adds value: "%Program Files%\Microsoft Common\wuauclt.exe"
With data: "%Program Files%\Microsoft Common\wuauclt.exe:*:Enabled:EMOTIONS_EXECUTABLE"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Downloads Malware
Worm:Win32/Emold.E connects with the sites furely.ru and kexlup.ru, presumably to download other malware.
Drops Additional Malware
Worm:Win32/Emold.E drops the file aec.sys in the Windows system drivers folder. This file is detected as VirTool:WinNT/Emold.gen!A and is a rootkit used to hide this worm's malicious activities on the system.
Note that a legitimate file named aec.sys may exist in the same folder and is the driver for the Microsoft Acoustic Echo Canceller. If this file exists in the system, the worm replaces the legitimate file with the rootkit.
Analysis by Shali Hsieh