Submission Summary:

What's been found:
- Sets the drive to autoplay by creating an autorun.inf file in its root directory. If the drive is shared across the network, other remote computers can be infected whenever they try to access the share.
- Compromises SafeBoot registry key(s) in an attempt to disable Safe Mode.
- Some system executable files were modified, which may indicate the presence of a PE-file infector.
- Contains characteristics of an identified security risk.


Technical Details:

Possible Security Risk

Security Risk | Description
Worm.Mevon.A | Worm.Mevon.A is a worm that propagates via removable drives. It disables the execution of certain legitimate applications.

Threat Category:
- A virus capable of modifying other files by infecting, prepending to, or overwriting them with its own body
- A network-aware worm that attempts to replicate across the existing network(s)
- A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment


File System Modifications

1. c:\Autorun.inf, 237 bytes
   MD5: 0x94BCD02C5AFD5918B4446345E7A5DED9
   SHA-1: 0x79839238E84BE225132E1382FAE6333DFC4906A1
   Alias: Generic!atr [McAfee]; Mal/AutoInf-A [Sophos]; Worm.Win32.AutoRun [Ikarus]

2. c:\ntldr~6, 2,997,595 bytes
   MD5: 0xA8402E7E872E79B3721B5A9895B91280
   SHA-1: 0x7105A5DD82A13D6665223ABB210E02D8A6675EE3
   Alias: W32.Besverit [Symantec]; Virus.Win32.Lamer.el [Kaspersky Lab]; Suspect-BN!A8402E7E872E [McAfee]; Troj/DwnLdr-HQY [Sophos]; Trojan-Downloader.Win32.VB.eex [Ikarus]; Win-Trojan/Xema.variant [AhnLab]

3. c:\ntldr~8, 2,997,595 bytes
   MD5: 0x6D5AF02144BA3F99EE4540DAA7F2EE5D
   SHA-1: 0x5E72BE60BFC526E0574DA27AEE636B347FDD8D23
   Alias: W32.Spybot.Worm [Symantec]; Virus.Win32.Lamer.el [Kaspersky Lab]; Generic Dropper.ee [McAfee]; Troj/DwnLdr-HQY [Sophos]; Trojan-Downloader.Win32.VB [Ikarus]; Win-Trojan/Xema.variant [AhnLab]

4. c:\RECYCLEP\Pagefile.exe; %Windir%\Help\HelpCat.exe; %Windir%\system\KavUpda.exe; [file and pathname of the sample #1], 2,997,595 bytes
   MD5: 0xC6E35907CEC6AF0AF937D7D3D522181B
   SHA-1: 0x5FBAE3D51CFE998476788D1AFD4E3B9737EDF235
   Alias: W32.Besverit [Symantec]; Virus.Win32.Lamer.el [Kaspersky Lab]; Generic Dropper.ee [McAfee]; Troj/DwnLdr-HQY [Sophos]; Trojan-Downloader.Win32.VB [Ikarus]; Win-Trojan/Xema.variant [AhnLab]

5. %Windir%\regedt32.sys, 2,532 bytes
   MD5: 0xE7D7EC66BD61FAC3843C98650B0C68F6
   SHA-1: 0xA15AE06E1BE51038863650746368A71024539BAC
   Alias: (not available)

6. %Windir%\Sysinf.bat, 460 bytes
   MD5: 0x670EE8480F0FA35324126991B20A552D
   SHA-1: 0xBAF54EAB6AE08DA4A6503DD224A72E153DA76045
   Alias: Trojan.BAT.Starter [Ikarus]

7. %System%\Folderdir, 11,776 bytes
   MD5: 0xCD6AE53CEC41CDFB70AE6613441D216E
   SHA-1: 0x7B997500A9FDE08BB3D1DBFAD8EC0D0EAB9D2772
   Alias: Trojan.Gen [Symantec]; Trojan.SuspectCRC [Ikarus]

8. %System%\Option.bat, 82 bytes
   MD5: 0x3F7FBD2EB34892646E93FD5E6E343512
   SHA-1: 0x265AC1061B54F62350FB7A5F57E566454D013A66
   Alias: Trojan.BAT.KillAV.ex [Kaspersky Lab]

9. %Windir%\Tasks\At1.job, 346 bytes
   MD5: 0xFCD2ED16BD8FF5490D442A55194D5102
   SHA-1: 0xEC04251BD36B26A222653999CBE8C25502F8364A
   Alias: (not available)

10. %Windir%\Tasks\At10.job, 346 bytes
   MD5: 0x82D41C0420D5C5838F4325CAF044A7C1
   SHA-1: 0x2C7D5630058EE6C61D40A6EB18BBF0F263F00BC5
   Alias: (not available)

11. %Windir%\Tasks\At11.job, 334 bytes
   MD5: 0xB6FB9E62F62A7A5AC6F99F3B44DB9163
   SHA-1: 0xF40CBF1D0ED0B722E33EF3A8F12F7E96AC67B7A1
   Alias: (not available)

12. %Windir%\Tasks\At12.job, 334 bytes
   MD5: 0x704B42CCD103DE5E50D09C076EF27528
   SHA-1: 0x4871BE097A0D8502EC7812FF973F086879875041
   Alias: (not available)

13. %Windir%\Tasks\At13.job, 334 bytes
   MD5: 0xC6F5E0990683992A278F622ED2190E54
   SHA-1: 0x03F9862559CD024834E7DCDE419D4C9CD5B27587
   Alias: (not available)

14. %Windir%\Tasks\At14.job, 334 bytes
   MD5: 0x73D8B3984D726EB0ABAE28E72FB7B3D2
   SHA-1: 0xB88A94371DCE1A831BE4318B01A8469F63222F22
   Alias: (not available)

15. %Windir%\Tasks\At15.job, 334 bytes
   MD5: 0xAF0F2F54FF44831B4BF95F315A85E132
   SHA-1: 0xE24387B498B2FB5B9BC7A3E9F2003EA16CF3645A
   Alias: (not available)

16. %Windir%\Tasks\At16.job, 346 bytes
   MD5: 0x5B957247FF0EE3CE9135FFD90795668A
   SHA-1: 0x941A10FCD5D0379105F65D984931B0F27985EFD7
   Alias: (not available)

17. %Windir%\Tasks\At17.job, 346 bytes
   MD5: 0xB7B3C6D20A21C70F33D5DA026E9A8198
   SHA-1: 0x175DC642834D416ED8424B9BCCA04E06D2151284
   Alias: (not available)

18. %Windir%\Tasks\At18.job, 334 bytes
   MD5: 0x0EB9851CCF7A1B6CEF7147057397B77F
   SHA-1: 0xD9785A886957032A81E717E6920CCDAC4506FCCE
   Alias: (not available)

19. %Windir%\Tasks\At19.job, 334 bytes
   MD5: 0x4ABB661293A14E78E14AF7E00FA4536A
   SHA-1: 0xE534E0660951BD22446AFB234EC1ACBF5C739712
   Alias: (not available)

20. %Windir%\Tasks\At2.job, 334 bytes
   MD5: 0x584C1B947FFD075CD4E80EDE907C2590
   SHA-1: 0x35A1677997C23FAAD4BBE62DC601C272EB00DA4D
   Alias: (not available)

21. %Windir%\Tasks\At20.job, 346 bytes
   MD5: 0x4488272D37CFF4D53886C6CFCE96B924
   SHA-1: 0x24BEC5F10789E5B3C7B0D957516CCB729B7FF562
   Alias: (not available)

22. %Windir%\Tasks\At21.job, 334 bytes
   MD5: 0xBF5F16305776F0BE9B886AB013BCBCC1
   SHA-1: 0xC24C7AA6102F17DC838C0F3C76DACD6638D8AB77
   Alias: (not available)

23. %Windir%\Tasks\At22.job, 334 bytes
   MD5: 0x97DE64B307654C234771399DE235B21C
   SHA-1: 0xDBA7C79381A3BDA26DC2659358112F3D205A8BB8
   Alias: (not available)

24. %Windir%\Tasks\At23.job, 334 bytes
   MD5: 0x5AED8D6A41C6108E4765F54EB861E5B5
   SHA-1: 0xAC084F5EF392F7AEECA947A37D5D36238DD228F0
   Alias: (not available)

25. %Windir%\Tasks\At24.job, 334 bytes
   MD5: 0x0AD06B199C3F15B4469B36B11569EE1D
   SHA-1: 0x309A8E2D6B0CB87CDBA2258BC3A62EB1D6B36AED
   Alias: (not available)

26. %Windir%\Tasks\At3.job, 334 bytes
   MD5: 0x8CF00D99F4685CC0E5C77ACFA87E487B
   SHA-1: 0xF9CB924AC8CB9ABA1522EC9349B0D8DC5C4A22EC
   Alias: (not available)

27. %Windir%\Tasks\At4.job, 346 bytes
   MD5: 0xDB8D4802E57F377CCCF800BE3829968F
   SHA-1: 0x788173001D6C8E806FB8F176A83A8C3D64B23DF4
   Alias: (not available)

28. %Windir%\Tasks\At5.job, 334 bytes
   MD5: 0xE60C11B3275446168E212E501AFC83D2
   SHA-1: 0xFFD366D9ED23BEBF143A27C0A061B26ACB1E3133
   Alias: (not available)

29. %Windir%\Tasks\At6.job, 334 bytes
   MD5: 0xBA8DFF9E789B8127DE74CC10759F6D51
   SHA-1: 0x3CD2A1CAB2B1ABFE189B009663F438D10E6306DB
   Alias: (not available)

30. %Windir%\Tasks\At7.job, 346 bytes
   MD5: 0x57A3A1102AB1B01E43610E99D0DDA5BB
   SHA-1: 0xBA9589610478B4B86CC41F2CF8854E1A214B0FE1
   Alias: (not available)

31. %Windir%\Tasks\At8.job, 346 bytes
   MD5: 0x237ED0A4D7EFFB999BA5207CC92E8298
   SHA-1: 0x3EF3E796E7467D57F61674B8217F39C47A043734
   Alias: (not available)

32. %Windir%\Tasks\At9.job, 334 bytes
   MD5: 0x9DE2D13C13B2AD8B159AC9E1E69BE810
   SHA-1: 0xDB7150633721B11580251082EC6ADAB27CF1B3CA
   Alias: (not available)


Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 262,144 bytes
KavUpda.exe | %Windir%\system\kavupda.exe | 262,144 bytes
pagefile.exe | c:\recyclep\pagefile.exe | 262,144 bytes
helpcat.exe | %Windir%\help\helpcat.exe | 262,144 bytes

Service Name | Display Name | New Status | Service Filename
ALG | Application Layer Gateway Service | "Stopped" | %System%\alg.exe
SharedAccess | Windows Firewall/Internet Connection Sharing (ICS) | "Stopped" | %System%\svchost.exe -k netsvcs
wscsvc | Security Center | "Stopped" | %System%\svchost.exe -k netsvcs
wuauserv | Automatic Updates | "Stopped" | %System%\svchost.exe -k netsvcs


Registry Modifications


Other details

China


All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2017 ThreatExpert. All rights reserved.