

Adware.Win32.Emusic or Emusic is a rather complicated email worm written in Visual Basic. The worm hides its activity by displaying a "Merry Christmas" window and playing a tune.

Spreading Routine

When run, the worm will send an email containing itself to all MS Outlook contacts.

Subject: Testing to send file
Message Body: [Varies]
Hi, just testing email using Merry Christmas music file, not bad music.
[or]
Hi, just testing email using Merry Christmas music file, you'll like it.

Components

Worm Dropper

This component is the one that is sent in the email. When the dropper is run, it first copies itself to the Windows directory under the name "SYSMCM.exe" and then ensures that it runs on startup. This component does not spread on its own; instead, it contacts an Internet domain to retrieve two other files, "SYSDRV.EXE" and "SYSTMP.DLL".

Sender

This is a rather simple component and will spread the dropper program to all retrievable address books on the infected system.

WinSock

Simply an updater: this program constantly checks set Internet domains for new variants and replaces the installed files with them as necessary. This decreases the likelihood of the worm being discovered on the victim machine.

Registry Keys dropped

The worm adds the following value under the Run key to ensure it is always run at startup.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SysDrv = %SystemDir%\sysmcm.exe

It also creates another key to store application data.

HKLM\Software\Microsoft\MCM
FirstRun
LastRun
RunMCM
Status
SMTP
Version = 001111
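
The registry traces listed above can be checked offline against a `reg export` dump. The following is an added example, not code from the original page or from Securelist; the function names, the matching rules and the sample export are assumptions made for illustration.

```python
import re

# Indicators from this page; function names and matching rules are assumptions.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MCM_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\MCM"
RUN_VALUE, DROPPER = "sysdrv", "sysmcm.exe"
VALUE_RE = re.compile(r'"([^"]+)"=(.*)')

def parse_reg(text):
    """Parse `reg export` text into {key_path: {value_name: data}}."""
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = hive.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = m.groups()
            if data.startswith('"'):  # string value: strip quotes, undo escapes
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[name] = data  # other types (hex, dword) keep their raw text
    return hive

def find_emusic_indicators(text):
    """Return findings that match the registry traces described on this page."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()  # registry paths and value names are case-insensitive
        if k == RUN_KEY.lower():
            for name, data in values.items():
                # Match on either the value name or the dropper file name.
                if name.lower() == RUN_VALUE or data.lower().endswith("\\" + DROPPER):
                    findings.append(("run-value", key, name, data))
        elif k == MCM_KEY.lower() or k.startswith(MCM_KEY.lower() + "\\"):
            findings.append(("mcm-key", key, None, None))
    return findings

# Constructed sample export, not captured from a real system.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"SysDrv"="C:\\WINDOWS\\System32\\sysmcm.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\MCM]
"Version"="001111"
'''

if __name__ == "__main__":
    print(*find_emusic_indicators(SAMPLE), sep="\n")
```

Exports written by `reg export` are UTF-16, so decode the file before passing its text to `find_emusic_indicators`.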

Sources

Securelist (Kaspersky Labs), not-a-virus:AdWare.Win32.Emusic.a
