Threat behavior
HTML/Emerleox is the detection for files modified by Worm:Win32/Emerleox.gen, a network worm that attempts to copy itself to writable network shares by exploiting weak username/password combinations. When Worm:Win32/Emerleox.gen is run, it attempts to disable certain antivirus and firewall products by disabling their registry entries and terminating the processes associated with those programs. When run, Worm:Win32/Emerleox.gen takes the following actions:
- Drops a copy of itself as a randomly named executable to the Windows system folder
- Modifies the registry to load this copy of itself when Windows is started:
  Adds value: FuckJacks (most common, this may vary)
  With data: <path to copy of worm>
  In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- By default, Windows suppresses viewing of hidden files. If this setting has been changed, the worm will modify the registry so that hidden files will not be displayed in Windows Explorer.
- Downloads and executes files from embedded, encrypted URLs
- Deletes the admin share on the infected computer
- Copies itself to unprotected or weakly protected network shares as 'gamestup.exe' or 'setup.exe'
- Adds an autorun.inf file to the same folder so that the copy of the worm is executed when someone browses to the folder.
- Copies itself to the following folders on shared drives in order to launch a copy of itself when Windows is started:
  \Documents and Settings\All Users\Start Menu\Programs\Startup\
  \Documents and Settings\All Users\
  \WINDOWS\Start Menu\Programs\Startup\
  \WINNT\Profiles\All Users\Start Menu\Programs\Startup\
- Searches for and appends an iframe link to .htm, .asp, .php and .jsp files on the local machine. Microsoft detects these files as HTML/Emerleox.
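The last action is the one the HTML/Emerleox detection covers: an iframe tacked onto the end of existing web content files. The following Python scanner is an added example, not Microsoft's signature or any code from the original page. It walks a directory for the file types named above (.htm, .asp, .php, .jsp) and reports iframe tags that sit after the closing </html> tag, that are the final element in the file, or that are hidden or zero-sized; those three heuristics are assumptions made here, and the sample pages and the example.invalid URL are constructed placeholders.

```python
"""Scan web content files for iframe tags appended after the document end.

Added example for the HTML/Emerleox modification pattern; the regexes and
the 'suspicious' heuristics are assumptions, not the vendor's detection logic.
"""
import re
from pathlib import Path

# Extensions named in the description as targets of the worm.
TARGET_SUFFIXES = {".htm", ".asp", ".php", ".jsp"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Heuristic (assumption): injected frames are often zero-sized or styled invisible.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def find_appended_iframes(content):
    """Return a list of (src, reasons) for iframe tags that look appended/injected.

    An iframe is reported when it sits after the last closing </html> tag, when
    nothing but its own </iframe> and whitespace follows it (it was tacked onto
    the end of the file, which also covers .php/.asp files with no </html>),
    or when it is hidden/zero-sized.
    """
    findings = []
    last_html_close = content.lower().rfind("</html>")
    for match in IFRAME_RE.finditer(content):
        tag = match.group(0)
        src_match = SRC_RE.search(tag)
        src = src_match.group(1) if src_match else ""
        reasons = []
        if last_html_close != -1 and match.start() > last_html_close:
            reasons.append("after closing </html>")
        tail = re.sub(r"</iframe\s*>", "", content[match.end():], count=1, flags=re.IGNORECASE)
        if not tail.strip():
            reasons.append("last element in file")
        if HIDDEN_RE.search(tag):
            reasons.append("hidden or zero-sized")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_tree(root):
    """Walk `root` and return {path: findings} for target files with suspicious iframes."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TARGET_SUFFIXES:
            try:
                content = path.read_text(errors="replace")
            except OSError:
                continue
            hits = find_appended_iframes(content)
            if hits:
                results[str(path)] = hits
    return results


# Constructed samples (not real captured content); the URLs are placeholders.
CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"
INFECTED_PAGE = (
    CLEAN_PAGE
    + '<iframe src="http://example.invalid/PLACEHOLDER" width=0 height=0></iframe>\n'
)
# A page that legitimately embeds a visible frame inside the body is not flagged.
LEGIT_EMBED_PAGE = (
    '<html><body><iframe src="http://example.invalid/video" width="640" height="360">'
    "</iframe></body></html>\n"
)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        for src, reasons in hits:
            print(f"{path}: iframe src={src!r} ({', '.join(reasons)})")
```

Run it against a web root (`python scan_iframes.py /var/www`) and review each reported src; a legitimate embed inside the body with a visible size is left alone, while a frame that follows the closing </html> tag or ends the file is exactly the modification an antivirus scan would classify as HTML/Emerleox and that the file owner should remove before restoring from a clean copy.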
Prevention