Worm:Win32/Emold.S is an encrypted executable with a file size of 46,592 bytes. It can spread via removable drives, be spammed to users as an e-mail attachment, or distributed from malicious Web sites. It is capable of downloading arbitrary files, including other malware, from a specific Web site.
Installation
Worm:Win32/Emold.S may arrive on a computer with the following file name:
contract.doc<spaces>.exe
contract.zip
The executable file has an icon resembling a Word document, in an attempt to mislead the user into opening it.
When executed, Worm:Win32/Emold.S copies itself as "wuauclt.exe" into the Windows Common Program Files folder, and modifies the system registry so that it executes on every system start:
Adds value: "Debugger"
With data: "%CommonProgramFiles%\wuauclt.exe"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Note that a legitimate Windows file also named "wuauclt.exe" exists by default in the Windows system folder. The default installation location for the Windows system folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It also creates remote threads in the following legitimate Windows processes:
To ensure that at least one instance of "svchost.exe" is available for the remote thread creation, the worm adds the following registry entry:
Adds value: "svchost"
With data: "svchost.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via...
Removable drives
Worm:Win32/Emold.S copies itself as "system.exe" to removable drives. The worm then writes an Autorun configuration file named "autorun.inf" in the root of the targeted drive pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
E-mail
Worm:Win32/Emold.S may be spread as an attachment to a spammed e-mail message. As previously mentioned in the Installation section, the worm attachment may have a file name and icon that may mislead users into thinking it is a legitimate document.
Payload
Modifies system settings
To bypass the system firewall, the worm adds itself to the authorized application list by modifying the following registry entry:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorisedApplications\List
Uses advanced stealth/Drops additional malware
The worm drops a file that uses the same file name as an existing device driver. It determines this file name by enumerating the "HKLM\SYSTEM\CurrentControlSet\Services" registry entry, looking for the first driver with a "Start" value of "3" (that is, loads on demand). The file name may be "<system folder>\drivers\aec.sys" or "<system folder>\drivers\asyncmac.sys".
The dropped file is a rootkit detected as VirTool:WinNT/Emold.gen!A and is used to hide the worm's malicious activities on the system.
Note that legitimate Windows files also named "aec.sys" and "asyncmac.sys" exist by default in the Windows system drivers folder. The default installation location for the system drivers folder for Windows 2000 and NT is "C:\Winnt\System32\Drivers"; and for XP, Vista, and 7 is "C:\Windows\System32\Drivers".
Downloads and executes arbitrary files
Worm:Win32/Emold.S also attempts to download files from the domains "joksh.ru" and "kexlup.ru". At the time of writing the domains are not accessible.
Analysis by Oleg Petrovsky
