WORM_EMOLD.SS

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %Program Files%\Microsoft Common\svchost.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It drops the following component file(s):

• %User Temp%\rdl{random1}.tmp - detected as TROJ_EMOLD.MSI

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It creates the following folders:

• %Program Files%\Microsoft Common

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

It injects codes into the following process(es):

• svchost.exe
• explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
svchost = "{malware path}\{malware name}.exe"

It adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
explorer.exe
Debugger = "%Program Files%\Microsoft Common\svchost.exe"

Other System Modifications

This worm creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Program Files%\Microsoft Common\svchost.exe = "%Program Files%\Microsoft Common\svchost.exe::*:Enabled:EMOTIONS_EXECUTABLE"

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• system.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
;l
open=system.exe
;l
shellexecute=system.exe
;l
shell\Explore\command=system.exe
;l
shell\Open\command=system.exe
;l
shell=Explore

Other Details

This worm connects to the following possibly malicious URL:

• http://{BLOCKED}son.com/lde/ld.php?v=1&rs={GUID}&n={number}&uid=1
• http://{BLOCKED}isa.com/lde/ld.php?v=1&rs={GUID}&n={number}&uid=1
• http://{BLOCKED}nss.com/lde/ld.php?v=1&rs={GUID}&n={number}&uid=1

NOTES:

The dropped autorun.inf is detected as Mal_Otorun1.

This worm temporarily replaces an existing device driver. It determines the driver to be replaced by checking the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry entry, the driver file found in the said registry entry should have a value of 3 in the Start value (which is, load on demand). It temporarily saves the found driver as %User Temp%\rdl{random2}.tmp and %User Temp%\rdl{random1}.tmp is saved as the found driver. It then executes the replaced driver. After executing the replaced driver, it is replaced back and %User Temp%\rdl{random2}.tmp is deleted. This routine is done in order to hide its malicious activity on the system.