Submission Summary:

What's been found | Severity Level
Sets the drive to autoplay by creating an autorun.inf file in its root directory. If the drive is shared across the network, other remote computers can be infected any time they access this share.
Compromises SafeBoot registry key(s) in an attempt to disable Safe Mode.
Some system executable files were modified, which might indicate the presence of a PE-file infector.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Security Risk | Description
Worm.Mevon.A Worm.Mevon.A is a worm which propagates via removable drives. It disables execution of certain normal applications.

Threat Category | Description
A virus capable of modifying other files by infecting, prepending, or overwriting them with its own body
A network-aware worm that attempts to replicate across the existing network(s)
A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment


File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 c:\Autorun.inf 237 bytes MD5: 0x94BCD02C5AFD5918B4446345E7A5DED9
SHA-1: 0x79839238E84BE225132E1382FAE6333DFC4906A1
Generic!atr [McAfee]
Mal/AutoInf-A [Sophos]
Worm.Win32.AutoRun [Ikarus]
2 c:\ntldr~6 3,950,159 bytes MD5: 0x4ABE896998E86E5E8A129403948BCCE9
SHA-1: 0xD9065234A852B5F172FB0E490781FFEB13740225
W32.Besverit [Symantec]
Virus.Win32.Lamer.el [Kaspersky Lab]
Suspect-BN!4ABE896998E8 [McAfee]
Troj/DwnLdr-HQY [Sophos]
Trojan-Downloader.Win32.VB.eex [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
3 c:\ntldr~8 3,950,159 bytes MD5: 0x39EF13773A49742A591C4FFBDD4B0C20
SHA-1: 0x25A3F09CF98F4CEA80E4C815F645F5829D2F8238
W32.Spybot.Worm [Symantec]
Virus.Win32.Lamer.el [Kaspersky Lab]
Generic Dropper.ee [McAfee]
Troj/DwnLdr-HQY [Sophos]
Trojan-Downloader.Win32.VB [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
4 c:\RECYCLEP\Pagefile.exe
%Windir%\Help\HelpCat.exe
%Windir%\system\KavUpda.exe
[file and pathname of the sample #1]
3,950,159 bytes MD5: 0xB1CD98C768F89CA171241C285A661D6D
SHA-1: 0x164C6F77DAB5FD005F7881A7CCE8B50460F92D1C
W32.Besverit [Symantec]
Virus.Win32.Lamer.el [Kaspersky Lab]
Generic Dropper.ee [McAfee]
Troj/DwnLdr-HQY [Sophos]
Trojan-Downloader.Win32.VB [Ikarus]
Win-Trojan/Xema.variant [AhnLab]
5 %Windir%\regedt32.sys 2,532 bytes MD5: 0xE7D7EC66BD61FAC3843C98650B0C68F6
SHA-1: 0xA15AE06E1BE51038863650746368A71024539BAC
(not available)
6 %Windir%\Sysinf.bat 460 bytes MD5: 0x670EE8480F0FA35324126991B20A552D
SHA-1: 0xBAF54EAB6AE08DA4A6503DD224A72E153DA76045
Trojan.BAT.Starter [Ikarus]
7 %System%\Folderdir 11,776 bytes MD5: 0xCD6AE53CEC41CDFB70AE6613441D216E
SHA-1: 0x7B997500A9FDE08BB3D1DBFAD8EC0D0EAB9D2772
Trojan.Gen [Symantec]
Trojan.SuspectCRC [Ikarus]
8 %System%\Option.bat 82 bytes MD5: 0x3F7FBD2EB34892646E93FD5E6E343512
SHA-1: 0x265AC1061B54F62350FB7A5F57E566454D013A66
Trojan.BAT.KillAV.ex [Kaspersky Lab]
9 %Windir%\Tasks\At1.job 346 bytes MD5: 0xFB9739C24E9D31DA2B00BA25A279884B
SHA-1: 0xC41CB75BDFE6B46AD798E71ED826A1232B04A169
(not available)
10 %Windir%\Tasks\At10.job 334 bytes MD5: 0xA415A6F80FAD6004E9A5B3760F66F11F
SHA-1: 0x42A40D68700E30D04CA8ED2809EC1AB5CC61EDD3
(not available)
11 %Windir%\Tasks\At11.job 334 bytes MD5: 0x156862F581870F88C72524EDF606C816
SHA-1: 0x87BC0026AA4A93283C3F93171388E51F8A79988A
(not available)
12 %Windir%\Tasks\At12.job 334 bytes MD5: 0x29BC953E148E3884A918EE371CC24F2F
SHA-1: 0x3E4E62471BE94CC73DE78FC2F6DF7D4D325959CF
(not available)
13 %Windir%\Tasks\At13.job 334 bytes MD5: 0xCF00976F02AA502F144D61952D678FE3
SHA-1: 0x17B8E86FE102C30854F92562C9696D11983252B1
(not available)
14 %Windir%\Tasks\At14.job 334 bytes MD5: 0x2A7A42A6521B0DE5B3DBD27A8DE581B0
SHA-1: 0x7BEE71634706D1A908E36F96C131B33B6DB42B42
(not available)
15 %Windir%\Tasks\At15.job 334 bytes MD5: 0x1094E9AAAD5B9BB1D4A22B6C9BFD0D31
SHA-1: 0xA396C07F16D66EED5B9A2B21DB4E5E3C59CEE992
(not available)
16 %Windir%\Tasks\At16.job 346 bytes MD5: 0x95B378F49CAA28840B9F3E140EB4E457
SHA-1: 0x79B91C64A9D3E4F69FD41FA664F533FB89C83A69
(not available)
17 %Windir%\Tasks\At17.job 346 bytes MD5: 0x5A2E5ABEFC53D30914FDF1FB9E25A67E
SHA-1: 0xDEC9A337B07D42FD9D329DA3E18AC705E453CFD8
(not available)
18 %Windir%\Tasks\At18.job 346 bytes MD5: 0x7D515BCFFABE965855E9F098D9580CF7
SHA-1: 0xB87282108165A0BD4C229D9D03BDFBEEF2F06AB7
(not available)
19 %Windir%\Tasks\At19.job 334 bytes MD5: 0xDBD0109CB8A5EAAE82BC45D325E9BABC
SHA-1: 0x5980E49D41F4C69FBBAFEA17FE1318C7B4069B17
(not available)
20 %Windir%\Tasks\At2.job 334 bytes MD5: 0x71B86C5FCEF3531F08B0EDEBCB282E95
SHA-1: 0xA956EEF998091E238F12FE04B090A67E9CB78F98
(not available)
21 %Windir%\Tasks\At20.job 334 bytes MD5: 0x3CDF215A8C6A4F821E0AEB716ADFF07C
SHA-1: 0x498F3F3C17950D84403350A1E84E4208B31B67B7
(not available)
22 %Windir%\Tasks\At21.job 334 bytes MD5: 0x96F57AF372740D90E6CFCBDF658D4516
SHA-1: 0x4C5198D3CB928D076DE3747C4B957E507AAA1C22
(not available)
23 %Windir%\Tasks\At22.job 334 bytes MD5: 0x57F65F970FEB5BAFD10372515E98D434
SHA-1: 0xDF6C9ED2691911F6EEFE70B8F04FC2323D789BDA
(not available)
24 %Windir%\Tasks\At23.job 334 bytes MD5: 0xCE6B154BCF06178AB832B26CD8091741
SHA-1: 0x63BCC7CFBC6C531D46F23C59327D241859AC3194
(not available)
25 %Windir%\Tasks\At24.job 334 bytes MD5: 0x3742DB14A8BC7DA5F808E2EEA403F5E9
SHA-1: 0xE36B6C73C6495851BD329763120C4C0D48861EAA
(not available)
26 %Windir%\Tasks\At3.job 334 bytes MD5: 0xFBA5B1769AE979334BABC24335CF7626
SHA-1: 0x16A6C93D7A88504331BD8B9E6F519FCF1AC8132C
(not available)
27 %Windir%\Tasks\At4.job 346 bytes MD5: 0x5A5052109F176CDEA3DCB995453B6F0E
SHA-1: 0xBF6402F84D9B340EE179FABF33DBE6ACC63AFEE0
(not available)
28 %Windir%\Tasks\At5.job 334 bytes MD5: 0x1C303D59BC7355364A9842D575B5A3F7
SHA-1: 0x8D01A81759CA0C4B8863EA33CD8D1EC32412A9BD
(not available)
29 %Windir%\Tasks\At6.job 334 bytes MD5: 0x0B4BD167E3022CBA93B5A33D4265ADBE
SHA-1: 0x49983A831BD9B10EBACEA80774A2DE0141AC47E3
(not available)
30 %Windir%\Tasks\At7.job 346 bytes MD5: 0x9D653C44F4E68BA9F65158D6C4DE11EF
SHA-1: 0xEE7088AFEE135C12AFD2F9A2199442D7A8E5262E
(not available)
31 %Windir%\Tasks\At8.job 346 bytes MD5: 0x8AD483E50714F56C8869F3BB4843DCC1
SHA-1: 0x62846BADFFDAFD7E240D248C5B342D799F3192CE
(not available)
32 %Windir%\Tasks\At9.job 346 bytes MD5: 0x7CF3316D8F79919A3C0FDAB7493F7A15
SHA-1: 0xCBFC9B1A583932FB1083D5C0E2FF1BDF2764693E
(not available)


Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 262,144 bytes
KavUpda.exe | %Windir%\system\kavupda.exe | 262,144 bytes
pagefile.exe | c:\recyclep\pagefile.exe | 262,144 bytes
helpcat.exe | %Windir%\help\helpcat.exe | 262,144 bytes

Service Name | Display Name | New Status | Service Filename
ALG | Application Layer Gateway Service | "Stopped" | %System%\alg.exe
SharedAccess | Windows Firewall/Internet Connection Sharing (ICS) | "Stopped" | %System%\svchost.exe -k netsvcs
wscsvc | Security Center | "Stopped" | %System%\svchost.exe -k netsvcs
wuauserv | Automatic Updates | "Stopped" | %System%\svchost.exe -k netsvcs


Registry Modifications


Other details

China


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2017 ThreatExpert. All rights reserved.