Adware.Win32.Emusic or Emusic is a rather complicated email worm written in Visual Basic. The worm hides its activity by displaying a "Merry Christmas" window and playing a tune.
When run, the worm will send an email containing itself to all MS Outlook contacts.
Subject: Testing to send file
Message Body: [Varies]
Hi, just testing email using Merry Christmas music file, not bad music.
[or]
Hi, just testing email using Merry Christmas music file, you'll like it.
This component is the one that is sent in the email. When the dropper is run, it first copies itself to the Windows directory under the name "SYSMCM.exe" and then ensures it runs on startup. This component doesn't spread; instead, it contacts an Internet domain to retrieve two other files, "SYSDRV.EXE" and "SYSTMP.DLL".
This is a rather simple component and will spread the dropper program to all retrievable address books on the infected system.
Simply an updater, this program constantly checks for new variants from set Internet Domains and will replace them as necessary. This will decrease the likelihood of the worm being discovered on the victim machine.
Registry Keys dropped
The worm will drop the following key to ensure it is always run at startup.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SysDrv = %SystemDir%\sysmcm.exe
It also creates another key to store application data.
HKLM\Software\Microsoft\MCM
FirstRun LastRun RunMCM Status SMTP Version = 001111
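As an added example (not part of the original write-up), the following Python check scans registry export text for the two registry artifacts listed above. The sample export, the function names and the folding of the 32-bit `WOW6432Node` view into the native path are assumptions made for illustration.

```python
import re

# Indicators from the write-up above, lower-cased for comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DATA_KEY = r"hkey_local_machine\software\microsoft\mcm"
DATA_VALUES = {"firstrun", "lastrun", "runmcm", "status", "smtp", "version"}

# Constructed sample in `reg export` text format (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"SysDrv"="C:\\WINDOWS\\system32\\sysmcm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MCM]
"Version"="001111"
"Status"="1"
'''

def parse_reg(text):
    """Parse exported text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
            current[m.group(1)] = data
    return keys

def find_emusic_indicators(text):
    """Return (kind, key, value_name(s), data) tuples for matching registry artifacts."""
    hits = []
    for key, values in parse_reg(text).items():
        # Assumption: a 32-bit process on 64-bit Windows writes under WOW6432Node,
        # so fold that view into the native path before comparing.
        path = key.lower().replace("\\wow6432node\\", "\\", 1)
        if path == RUN_KEY:
            # Match on the value name or on the file name in the data.
            hits += [("run-key", key, n, d) for n, d in values.items()
                     if n.lower() == "sysdrv" or "sysmcm.exe" in d.lower()]
        elif path == DATA_KEY:
            names = sorted(n for n in values if n.lower() in DATA_VALUES)
            hits.append(("data-key", key, ",".join(names), ""))
    return hits
```

On a real host the input would come from `reg export`, whose output is UTF-16 encoded, so decode it before passing the text in.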
- Kaspersky Lab: not-a-virus:AdWare.Emusic.a
- DrWeb: Adware.Emusic
- NOD32: Win32/Adware.eMusic
- BitDefender: Adware.Emusic.A
- AVG: Generic.MHV
- AVIRA: ADSPY/Emusic.A
- NAV: Adware.Emusic
Securelist (Kaspersky Labs), not-a-virus:AdWare.Win32.Emusic.a