VBS_EMOTI
Aliases: Emold, Bezopi
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection Channel: Propagates via removable drives, downloaded from the Internet
EMOTI is a malware family used to install a rootkit. It also propagates to all removable drives attached to the affected system. It is downloaded from the Internet. Its notable routines include code injection into explorer.exe and svchost.exe.
TECHNICAL DETAILS
Memory Resident: Yes
Payload: Hides files and processes
Installation
This worm drops the following copies of itself into the affected system and executes them:
- %Program Files%\Microsoft Common\svchost.exe
- %Program Files%\Movie Maker\wmv2avi.exe
- %System%\logon.exe
- %User Temp%\{malware name}.exe
- %Windows%\mssrvc\svchost.exe
- {drive letter}:\system.exe
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit). %System% is the Windows system folder, which is usually C:\Windows\System32. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Windows% is the Windows folder, which is usually C:\Windows.)
It drops the following files:
- %User Temp%\000_c.exe
- %User Temp%\7upx.exe
- %User Temp%\ader.exe
- %User Temp%\mxs.exe
- %User Temp%\rdl{random1}.tmp
- {drive letter}:\autorun.inf
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
It creates the following folders:
- %Windows%\mssrvc
- %Program Files%\Microsoft Common
(Note: %Windows% is the Windows folder, which is usually C:\Windows. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
svchost = "%Windows%\mssrvc\svchost.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
svchost = "{malware path}\{malware name}.exe"
It modifies the following registry entries to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe, %User Temp%\{malware name}.exe"
(Note: The default value data of the said registry entry is %System%\userinit.exe, including the trailing comma; the worm appends its own path after that comma.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe logon.exe"
(Note: The default value data of the said registry entry is Explorer.exe.)
It adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run. A Debugger value under the explorer.exe key makes Windows start the listed program instead of Explorer (with Explorer's command line appended), so the worm runs every time the shell starts. Because a key holds only one Debugger value, only one of the two values below is in effect on a given system:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
explorer.exe
Debugger = "%Program Files%\Movie Maker\wmv2avi.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
explorer.exe
Debugger = "%Program Files%\Microsoft Common\svchost.exe"
Other System Modifications
This worm modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "2"
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "2"
(Note: The default value data of the said registry entry is 1.)
It creates the following registry entry to bypass Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Program Files%\Microsoft Common\svchost.exe = "%Program Files%\Microsoft Common\svchost.exe:*:Enabled:EMOTIONS_EXECUTABLE"
It deletes the following registry key, which removes the driver and service lists Windows needs to start in Safe Mode; the affected system can no longer boot into Safe Mode until the key is restored:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot
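The following PowerShell script is an added example, not part of the Trend Micro entry, that sweeps a host for the indicators listed in the Installation, Autostart Technique and Other System Modifications sections above: the dropped file paths, the system.exe/autorun.inf pair on removable drives, the Winlogon Userinit and Shell values, the IFEO Debugger value for explorer.exe, the "svchost" Run values, the firewall exception and the missing SafeBoot key. It is read-only and only reports; it uses Get-WmiObject rather than the CIM cmdlets so it also runs on the PowerShell 2.0 builds found on the listed platforms. The expected clean values it compares against (userinit.exe with its trailing comma, Shell = explorer.exe) are Windows defaults and are the only assumptions beyond what the entry states.

```powershell
# Added example: read-only triage for VBS_EMOTI indicators. Not from the original entry.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. A 32-bit sample's %Program Files% is the (x86) folder on x64 hosts.
$pf = ${env:ProgramFiles(x86)}
if (-not $pf) { $pf = $env:ProgramFiles }
$droppedFiles = @(
    "$pf\Microsoft Common\svchost.exe",
    "$pf\Movie Maker\wmv2avi.exe",
    "$env:SystemRoot\System32\logon.exe",
    "$env:SystemRoot\mssrvc\svchost.exe",
    "$env:TEMP\000_c.exe", "$env:TEMP\7upx.exe", "$env:TEMP\ader.exe", "$env:TEMP\mxs.exe"
)
foreach ($p in $droppedFiles) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file present: $p") }
}

# Removable drives (DriveType 2): the worm writes system.exe plus an autorun.inf to the root.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType=2" | ForEach-Object {
    $root = $_.DeviceID + "\"
    foreach ($name in "system.exe", "autorun.inf") {
        if (Test-Path -LiteralPath ($root + $name)) { $findings.Add("$name on removable drive $root") }
    }
}

# 2. Winlogon. Clean Userinit is "<system32>\userinit.exe," (trailing comma is normal);
#    clean Shell is "explorer.exe". Anything appended after either is suspect.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($wl.Userinit -and ($wl.Userinit.Trim() -ine $expectedUserinit)) {
    $findings.Add("Winlogon Userinit tampered: $($wl.Userinit)")
}
if ($wl.Shell -and ($wl.Shell.Trim() -ine 'explorer.exe')) {
    $findings.Add("Winlogon Shell tampered: $($wl.Shell)")
}

# 3. IFEO Debugger hijack of explorer.exe. A clean system has no such value at all.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty $ifeo).Debugger
    if ($dbg) { $findings.Add("IFEO Debugger set for explorer.exe: $dbg") }
}

# 4. Run values named "svchost". The real svchost.exe is a service host and is never a Run item.
foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $v = (Get-ItemProperty $runKey -ErrorAction SilentlyContinue).svchost
    if ($v) { $findings.Add("Run value 'svchost' under ${runKey}: $v") }
}

# 5. XP/2003-style firewall exception list: look for the tagged entry from the entry above.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwList) {
    (Get-ItemProperty $fwList).PSObject.Properties |
        Where-Object { $_.Value -like '*EMOTIONS_EXECUTABLE*' -or $_.Name -like '*\Microsoft Common\svchost.exe' } |
        ForEach-Object { $findings.Add("Firewall exception: $($_.Name) = $($_.Value)") }
}

# 6. SafeBoot key deleted: Safe Mode cannot start without it.
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
    $findings.Add('HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot is missing')
}

if ($findings.Count -eq 0) { 'No VBS_EMOTI indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys and the Program Files folders are readable; on a live infection the rootkit component may hide the dropped files from Test-Path, so a clean registry-only result with a missing SafeBoot key or a tampered Userinit value is still a strong signal and the disk should be examined offline.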
Other Details
This worm connects to the following possibly malicious URLs:
- {BLOCKED}eavy.cn
- http://{BLOCKED}isa.com/lde/ld.php?v=1&rs={GUID}&n={number}&uid=1
- http://{BLOCKED}nss.com/lde/ld.php?v=1&rs={GUID}&n={number}&uid=1
- http://{BLOCKED}rfriends.com/load/get.php?v=1&rs={guid}&n=1&uid=1
- http://{BLOCKED}son.com/lde/ld.php?v=1&rs={GUID}&n={number}&uid=1
- {BLOCKED}x.ru
- {BLOCKED}det-zae.biz
- {BLOCKED}x.ru
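The hostnames above are redacted, but the request path and query string are not, and they are the stable part of the beacon: /lde/ld.php or /load/get.php with v=1, an rs= GUID, an n= counter and uid=1. The PowerShell function below is an added example, not from the Trend Micro entry, that matches that shape in proxy or web-filter logs. The log line format and the sample lines are constructed here for illustration; the placeholder hosts are .invalid names and not the real domains.

```powershell
# Added example: match the VBS_EMOTI beacon URL shape in proxy log lines. Not from the original entry.
function Find-EmotiBeacon {
    param([string[]]$Lines)
    # Path: /lde/ld.php or /load/get.php. Query: v=1, rs=<GUID with or without braces>, n=<number>, uid=1.
    $pattern = '(?i)/(lde/ld|load/get)\.php\?v=1&rs=[{]?[0-9a-f\-]+[}]?&n=\d+&uid=1(\s|$|&)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { $line }
    }
}

# Constructed sample lines (timestamp, client, method, URL, status); not real traffic.
$sampleLog = @(
    '2010-03-01 09:12:44 10.0.0.7 GET http://redacted-isa.invalid/lde/ld.php?v=1&rs={3F2504E0-4F89-11D3-9A0C-0305E82C3301}&n=3&uid=1 200',
    '2010-03-01 09:12:45 10.0.0.7 GET http://redacted-isa.invalid/favicon.ico 404',
    '2010-03-01 09:13:02 10.0.0.9 GET http://redacted-friends.invalid/load/get.php?v=1&rs=3f2504e04f8911d39a0c0305e82c3301&n=1&uid=1 200',
    '2010-03-01 09:13:10 10.0.0.9 GET http://intranet.invalid/load/get.php?v=2&page=1 200'
)

# Expect the first and third lines; the favicon request and the v=2 page request are not reported.
Find-EmotiBeacon -Lines $sampleLog
```

Pipe real log files in with Get-Content (for example `Get-Content proxy.log | ForEach-Object { Find-EmotiBeacon -Lines $_ }`) and treat a hit as a reason to triage the source host with the registry and file checks listed earlier on this page, since the beacon alone does not tell you which of the listed domains the sample was built with.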