Worm:Win32/Emold.F is a worm that installs a trojan rootkit. It can spread via removable drives, as a spammed e-mail attachment, and from malicious Web sites. It is capable of downloading arbitrary files, including other malware, from a specific Web site.
Installation
Worm:Win32/Emold.F may arrive in a computer with the following file names:
- e-ticket.doc<spaces>.exe
- E-ticket.zip
The file has an icon resembling a Word document, in an attempt to mislead the user into opening it.
When executed, Worm:Win32/Emold.F copies itself as "wuauclt.exe" in the Windows Common Program Files folder, and modifies the system registry so that it executes on every system start:
Adds value: "Debugger"
With data: "%CommonProgramFiles%\wuauclt.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Note that a legitimate Windows file also named "wuauclt.exe" exists by default in the Windows system folder. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It also creates remote threads in the following legitimate Windows processes:
To ensure that at least one instance of "svchost.exe" is available for the remote thread creation, the worm adds the following registry entry:
Adds value: "svchost"
With data: "svchost.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via...
Removable drives
Worm:Win32/Emold.F copies itself as "system.exe" to removable drives. The worm then writes an autorun configuration file named "autorun.inf" in the root of the targeted drive pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
E-mail
Worm:Win32/Emold.F may spread itself as an attachment in a spam e-mail message. As noted in the Installation section, the attachment may carry a file name and icon chosen to mislead users into thinking it is a legitimate document.
Payload
Modifies system settings
To bypass the system firewall, the worm adds itself to the authorized application list by modifying the following registry entry:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorisedApplications\List
Uses advanced stealth/Drops additional malware
The worm derives the name of the file it drops by enumerating the key "HKLM\SYSTEM\CurrentControlSet\Services" and taking the first subkey that has both an "ImagePath" entry and a "Start" entry whose value is 3. It uses the file name found in that "ImagePath", ensuring it carries a .SYS extension. In practice this name is usually "aec.sys" or "asyncmac.sys".
The worm drops a rootkit driver with the derived name in the Windows system drivers folder. This file is detected as VirTool:WinNT/Emold.gen!A and is a rootkit used to hide the worm's malicious activities on the system.
Note that legitimate Windows files also named "aec.sys" and "asyncmac.sys" exist by default in the Windows system drivers folder. The default installation location for the system drivers folder for Windows 2000 and NT is "C:\Winnt\System32\Drivers"; and for XP, Vista, and 7 is "C:\Windows\System32\Drivers".
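The following triage script is an added example, not part of the original analysis. It reproduces the two registry-based indicators described above (the IFEO "Debugger" value on explorer.exe from the Installation section, and the driver-name derivation from the Services key in this section) against a constructed registry snapshot, so an analyst can see which driver file the worm would have chosen and flag the persistence entry. The snapshot contents, the assumed XP/Vista system path and the function names are all assumptions for the demonstration.

```python
# Added example (not from the original write-up): defender-side checks for the
# two registry indicators the analysis describes. The snapshot is constructed;
# on a real host the same logic would be fed from winreg or a reg.exe export.
# Assumption: subkeys are enumerated case-insensitively, as the registry does.
import ntpath

# Constructed snapshot: {subkey path: {value name: data}}
SNAPSHOT = {
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe":
        {"Debugger": r"C:\Program Files\Common Files\wuauclt.exe"},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run":
        {"svchost": "svchost.exe"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\ACPI":
        {"ImagePath": r"system32\drivers\acpi.sys", "Start": 0},
    r"HKLM\SYSTEM\CurrentControlSet\Services\aec":
        {"ImagePath": r"system32\drivers\aec.sys", "Start": 3},
    r"HKLM\SYSTEM\CurrentControlSet\Services\AsyncMac":
        {"ImagePath": r"system32\drivers\asyncmac.sys", "Start": 3},
}

SYSTEM_DIR = r"C:\Windows\System32"  # assumed XP/Vista layout for the demo
IFEO = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"

def derive_rootkit_name(snapshot):
    """Reproduce the name selection the analysis describes: first Services
    subkey with both ImagePath and Start == 3, file name forced to .sys.
    Tells the analyst which driver file to pull and hash."""
    for key in sorted((k for k in snapshot if k.startswith(SERVICES + "\\")), key=str.lower):
        vals = snapshot[key]
        if "ImagePath" in vals and vals.get("Start") == 3:
            name = ntpath.basename(vals["ImagePath"])
            stem, ext = ntpath.splitext(name)
            return name if ext.lower() == ".sys" else stem + ".sys"
    return None

def ifeo_debugger_findings(snapshot, system_dir=SYSTEM_DIR):
    """Flag IFEO Debugger values whose target lies outside the system folder.
    A Debugger on explorer.exe is unusual by itself; one pointing at a
    wuauclt.exe outside System32 matches this worm's persistence."""
    findings = []
    for key, vals in snapshot.items():
        if not key.startswith(IFEO + "\\") or "Debugger" not in vals:
            continue
        target = vals["Debugger"]
        if not ntpath.normcase(target).startswith(ntpath.normcase(system_dir)):
            findings.append((ntpath.basename(key), target))
    return findings
```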
Downloads and executes arbitrary files
Worm:Win32/Emold.F also attempts to download files from the domains "gradul.ru" and "kexlup.ru". At the time of writing the domains are not accessible.
Analysis by Oleg Petrovsky