ALIASES:

Emold, Bezopi

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via removable drives, Downloaded from the Internet

EMOTI is a malware family used to install a rootkit. It also propagates to all removable drives on a user's system. It is downloaded via the Internet. Its notable routines include code injection into explorer.exe and svchost.exe.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Hides files and processes

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %Program Files%\Microsoft Common\svchost.exe
  • %Program Files%\Movie Maker\wmv2avi.exe
  • %System%\logon.exe
  • %User Temp%\{malware name}.exe
  • %Windows%\mssrvc\svchost.exe
  • {drive letter}:\system.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit). %System% is the Windows system folder, which is usually C:\Windows\System32. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Windows% is the Windows folder, which is usually C:\Windows.)

It drops the following files:

  • %User Temp%\000_c.exe
  • %User Temp%\7upx.exe
  • %User Temp%\ader.exe
  • %User Temp%\mxs.exe
  • %User Temp%\rdl{random1}.tmp
  • {drive letter}:\autorun.inf

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It creates the following folders:

  • %Windows%\mssrvc
  • %Program Files%\Microsoft Common

(Note: %Windows% is the Windows folder, which is usually C:\Windows. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
svchost = "%Windows%\mssrvc\svchost.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
svchost = "{malware path}\{malware name}.exe"

It modifies the following registry entries to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %User Temp%\{malware name}.exe"

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe logon.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

It adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
explorer.exe
Debugger = "%Program Files%\Movie Maker\wmv2avi.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
explorer.exe
Debugger = "%Program Files%\Microsoft Common\svchost.exe"

Other System Modifications

This worm modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "2"

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"

(Note: The default value data of the said registry entry is 1.)

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Program Files%\Microsoft Common\svchost.exe = "%Program Files%\Microsoft Common\svchost.exe:*:Enabled:EMOTIONS_EXECUTABLE"

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot
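As an added defender-side check, not part of this report, the Python below parses a constructed `reg export`-style dump and flags the Winlogon, Image File Execution Options and Explorer\Advanced changes listed under Autostart Technique and Other System Modifications, comparing them against the default values the report states; the sample values, the user name and the key-path constants are assumptions.

```python
import re
# Constructed `reg export`-style sample (not from the report); it mirrors the
# Winlogon, Image File Execution Options and Explorer\Advanced changes above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\System32\\userinit.exe, C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"
"Shell"="Explorer.exe logon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Movie Maker\\wmv2avi.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000002
"Hidden"=dword:00000002
"""
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
ADVANCED_DEFAULTS = {"HideFileExt": 0, "Hidden": 1}  # defaults as stated in the report


def parse_reg(text):
    # Minimal .reg parser: {key path (lower-cased): {value name: value}}
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            # REG_DWORD is hex; REG_SZ is quoted and escapes \ and " with a backslash
            value = int(raw[6:], 16) if raw.startswith("dword:") \
                else re.sub(r"\\(.)", r"\1", raw[1:-1])
            keys[current][name.strip('"')] = value
    return keys


def find_indicators(text):
    # Returns (what, value) pairs matching the autostart changes described above
    keys, found = parse_reg(text), []
    wl = keys.get(WINLOGON, {})
    # Default Userinit is "<system>\userinit.exe,"; anything after the comma is extra
    extra = [p.strip() for p in wl.get("Userinit", "").split(",")[1:] if p.strip()]
    if extra:
        found.append(("Winlogon\\Userinit extra program", extra[0]))
    shell = wl.get("Shell", "Explorer.exe").strip()
    if shell.lower() != "explorer.exe":
        found.append(("Winlogon\\Shell modified", shell))
    # A Debugger under IFEO\explorer.exe is started in place of Explorer itself
    if "Debugger" in keys.get(IFEO, {}):
        found.append(("IFEO Debugger for explorer.exe", keys[IFEO]["Debugger"]))
    for name, default in ADVANCED_DEFAULTS.items():
        if keys.get(ADVANCED, {}).get(name, default) != default:
            found.append((f"Explorer\\Advanced\\{name} changed", keys[ADVANCED][name]))
    return found
```

On a live host the same checks can be fed the output of `reg export` for the three keys above; a clean system yields an empty list.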

Other Details

This worm connects to the following possibly malicious URLs:

  • {BLOCKED}eavy.cn
  • http://{BLOCKED}isa.com/lde/ld.php?v=1&rs={GUID}&n={number}&uid=1
  • http://{BLOCKED}nss.com/lde/ld.php?v=1&rs={GUID}&n={number}&uid=1
  • http://{BLOCKED}rfriends.com/load/get.php?v=1&rs={guid}&n=1&uid=1
  • http://{BLOCKED}son.com/lde/ld.php?v=1&rs={GUID}&n={number}&uid=1
  • {BLOCKED}x.ru
  • {BLOCKED}det-zae.biz