{
	"id": "431b262a-bb02-47d3-8e36-5b27a53c56be",
	"created_at": "2026-04-06T00:10:20.562892Z",
	"updated_at": "2026-04-10T03:21:45.607068Z",
	"deleted_at": null,
	"sha1_hash": "2e6ea5eda5e11e87687b4208bf60033ea4cac417",
	"title": "WORM_EMUDBOT.JP - Threat Encyclopedia | Trend Micro (US)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52158,
	"plain_text": "WORM_EMUDBOT.JP - Threat Encyclopedia | Trend Micro (US)\r\nArchived: 2026-04-05 19:48:07 UTC\r\nThis worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users\r\nwhen visiting malicious sites.\r\nArrival Details\r\nThis worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users\r\nwhen visiting malicious sites.\r\nOther System Modifications\r\nThis worm deletes the following files:\r\nA:\\autorun.inf\r\nA:\\autorun.bat\r\nA:\\autorun.vbs\r\nDropping Routine\r\nThis worm drops the following files:\r\n%User Temp%\\tzscd.exe\r\nA:\\recycle.exe\r\n(Note: %User Temp% is the current user's Temp folder, which is usually C:\\Documents and Settings\\{user\r\nname}\\Local Settings\\Temp on Windows 2000, XP, and Server 2003.)\r\nOther Details\r\nThis worm connects to the following possibly malicious URL:\r\nhttp://network.{BLOCKED}d.com/webyx/iLog.php?dl=5.1\u0026log=Loader: 501~EXP\r\nhttp://absbh.{BLOCKED}tedya.com/webyx/remote.php?{random characters}\r\nhttp://ccy.{BLOCKED}tedya.com/webyx/settings.cfg?build=501\u0026os=XP\r\nhttp://jgfx.{BLOCKED}ntedya.com/webyx/remote.php?{random characters}\r\nhttp://meya.{BLOCKED}ntedya.com/webyx/settings.cfg?build=501\u0026os=XP\r\nhttp://asgsaq.{BLOCKED}ctya.com/webyx/remote.php?{random characters}\r\nhttp://abmnab.{BLOCKED}ctya.com/webyx/settings.cfg?build=501\u0026os=XP\r\nhttp://kla.{BLOCKED}fying.com/webyx/remote.php?{random characters}\r\nhttp://wfayhg.{BLOCKED}fying.com/webyx/settings.cfg?build=501\u0026os=XP\r\nhttp://txnkft.{BLOCKED}orked.com/webyx/remote.php?{random characters}\r\nhttp://vtwupbp.{BLOCKED}orked.com/webyx/settings.cfg?build=501\u0026os=XP\r\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_emudbot.jp\r\nPage 1 of 2\n\nhttp://yvwsqa.{BLOCKED}tedya.com/webyx/remote.php?{random characters}\r\nhttp://kawi.{BLOCKED}tedya.com/webyx/settings.cfg?build=501\u0026os=XP\r\nThis report is 
generated via an automated analysis system.\r\nStep 1\r\nFor Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System\r\nRestore to allow full scanning of your computer.\r\nStep 2\r\nSearch and delete these files\r\nThere may be some component files that are hidden. Please make sure you check the Search Hidden Files and\r\nFolders checkbox in the \"More advanced options\" option to include all hidden files and folders in the search\r\nresult.\r\n%User Temp%\\tzscd.exe\r\nA:\\recycle.exe\r\nStep 3\r\nScan your computer with your Trend Micro product to delete files detected as WORM_EMUDBOT.JP. If the\r\ndetected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is\r\nrequired. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more\r\ninformation.\r\nStep 4\r\nRestore these files from backup. Only Microsoft-related files will be restored. If this malware/grayware also deleted\r\nfiles related to programs that are not from Microsoft, please reinstall those programs on your computer again.\r\nA:\\autorun.inf\r\nA:\\autorun.bat\r\nA:\\autorun.vbs\r\nSource: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_emudbot.jp",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_emudbot.jp"
	],
	"report_names": [
		"worm_emudbot.jp"
	],
	"threat_actors": [],
	"ts_created_at": 1775434220,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e6ea5eda5e11e87687b4208bf60033ea4cac417.pdf",
		"text": "https://archive.orkl.eu/2e6ea5eda5e11e87687b4208bf60033ea4cac417.txt",
		"img": "https://archive.orkl.eu/2e6ea5eda5e11e87687b4208bf60033ea4cac417.jpg"
	}
}