Submission Summary:

What's been found:
- Sets the drive to autoplay by creating an autorun.inf file in its root directory. If the drive is shared across the network, remote computers that browse the share can be infected the moment they open it. Windows 7 and later, and XP/Vista/2003 with the AutoRun updates KB967715 and KB971029 applied, no longer honour autorun.inf on removable or network drives, so this vector only works on older or unpatched hosts.
- Compromises SafeBoot registry key(s) in an attempt to disable Safe Mode (Safe Mode depends on the subkeys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network).
- Some system executable files were modified, which may indicate the presence of a PE-file infector.
- Contains characteristics of an identified security risk.

 

Technical Details:

 

Possible Security Risk

Security Risk    Description
Worm.Mevon.A     Worm.Mevon.A is a worm that propagates via removable drives. It disables execution of certain normal applications.

Threat categories (descriptions as reported):
- A virus capable of modifying other files by infecting them, prepending to them, or overwriting them with its own body
- A network-aware worm that attempts to replicate across the existing network(s)
- A malicious trojan horse or bot that may represent a security risk for the compromised system and/or its network environment
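The following is an added example, not part of the ThreatExpert report. It shows the two checks a responder would run against a drive that this worm touched: parse its autorun.inf for the directives that make Explorer launch a program on AutoPlay (open, shellexecute and shell\<verb>\command), and hash every file under a root against the MD5/SHA-1 values from the File System Modifications table further down. The autorun.inf text and the payload file that demo() creates are constructed; the report does not reproduce the real autorun.inf, and the RECYCLEP\Pagefile.exe path in the sample is an assumption based on the file names in that table.

```python
"""Added example: parse an autorun.inf for launch directives and match files
against the hashes from this report. Not ThreatExpert code; the autorun.inf
text below is constructed, the report does not reproduce the real one."""
import hashlib
import os
import re
import tempfile

# MD5 and SHA-1 values from the File System Modifications table (lowercase, no 0x).
REPORT_HASHES = {
    # c:\Autorun.inf
    "94bcd02c5afd5918b4446345e7a5ded9", "79839238e84be225132e1382fae6333dfc4906a1",
    # c:\ntldr~6
    "e4d73bfd1043e3aa39234368c49c6066", "2a7a0fbd419e377b1f9ecb3b3c55865ca550a33d",
    # c:\ntldr~8
    "e25774c0537cccf0d30c024429e65474", "2f918b56e575270198c06be9032195e1e57d9e3a",
    # c:\RECYCLEP\Pagefile.exe, HelpCat.exe, KavUpda.exe (same body as sample #1)
    "e876b185990fb66cadd339580ba12a80", "b59009d76cb4208e75054d5ffb63c521f38f315a",
    # %Windir%\regedt32.sys, %Windir%\Sysinf.bat, %System%\Folderdir, %System%\Option.bat
    "e7d7ec66bd61fac3843c98650b0c68f6", "a15ae06e1be51038863650746368a71024539bac",
    "670ee8480f0fa35324126991b20a552d", "baf54eab6ae08da4a6503dd224a72e153da76045",
    "cd6ae53cec41cdfb70ae6613441d216e", "7b997500a9fde08bb3d1dbfad8ec0d0eab9d2772",
    "3f7fbd2eb34892646e93fd5e6e343512", "265ac1061b54f62350fb7a5f57e566454d013a66",
}

LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... rewrites the Explorer context-menu verbs (Open, Explore, ...)
_VERB_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def autorun_launch_targets(text):
    """Return (key, command) pairs an [autorun] section hands to Explorer on AutoPlay."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # [autorun] and architecture-specific sections such as [autorun.amd64] both count
        if section is None or not section.startswith("autorun") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or _VERB_CMD.match(key):
            targets.append((key, value))
    return targets


def hash_file(path):
    """MD5 and SHA-1 hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def scan_tree(root, known_hashes=REPORT_HASHES):
    """Walk root: report hash hits and the launch targets of any autorun.inf found."""
    hits, autoruns = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            md5, sha1 = hash_file(path)
            if md5 in known_hashes or sha1 in known_hashes:
                hits.append((path, md5, sha1))
            if name.lower() == "autorun.inf":
                with open(path, "rb") as fh:
                    data = fh.read().decode("latin-1")
                autoruns.append((path, autorun_launch_targets(data)))
    return hits, autoruns


# Constructed autorun.inf in the style of a drive-root dropper; the paths are
# assumptions that reuse names from the report, not the recovered file content.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=RECYCLEP\\Pagefile.exe\r\n"
    "shellexecute=RECYCLEP\\Pagefile.exe\r\n"
    "shell\\open\\command=RECYCLEP\\Pagefile.exe\r\n"
    "shell\\explore\\command=RECYCLEP\\Pagefile.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
)


def demo():
    """Build a throwaway drive root holding the constructed autorun.inf and a
    dummy payload whose hash is added to the IOC set, then scan it."""
    payload = b"constructed stand-in for the dropped executable"
    iocs = set(REPORT_HASHES) | {hashlib.md5(payload).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "RECYCLEP"))
        with open(os.path.join(root, "RECYCLEP", "Pagefile.exe"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(root, "autorun.inf"), "w", newline="") as fh:
            fh.write(SAMPLE_AUTORUN)
        return scan_tree(root, iocs)


if __name__ == "__main__":
    found, autorun_files = demo()
    for path, md5, _sha1 in found:
        print("IOC hash hit:", path, md5)
    for path, targets in autorun_files:
        print(path, "launches:", [cmd for _key, cmd in targets])
```

Run it against a mounted removable drive or share root instead of the temporary directory to hunt for this worm; an autorun.inf that carries any open, shellexecute or shell\...\command line is worth quarantining even when the referenced file no longer hashes to a value in the report, since the infected copies (entries 2 to 4 in the table) already differ from each other.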

 

File System Modifications

#   Filename(s)   File Size   File Hash   Alias

1. c:\Autorun.inf
   Size: 237 bytes
   MD5: 0x94BCD02C5AFD5918B4446345E7A5DED9
   SHA-1: 0x79839238E84BE225132E1382FAE6333DFC4906A1
   Aliases: Generic!atr [McAfee]; Mal/AutoInf-A [Sophos]; Worm.Win32.AutoRun [Ikarus]

2. c:\ntldr~6
   Size: 3,752,999 bytes
   MD5: 0xE4D73BFD1043E3AA39234368C49C6066
   SHA-1: 0x2A7A0FBD419E377B1F9ECB3B3C55865CA550A33D
   Aliases: W32.Besverit [Symantec]; Virus.Win32.Lamer.el [Kaspersky Lab]; Suspect-BN!E4D73BFD1043 [McAfee]; Troj/DwnLdr-HQY [Sophos]; Trojan-Downloader.Win32.VB.eex [Ikarus]; Win-Trojan/Xema.variant [AhnLab]

3. c:\ntldr~8
   Size: 3,752,999 bytes
   MD5: 0xE25774C0537CCCF0D30C024429E65474
   SHA-1: 0x2F918B56E575270198C06BE9032195E1E57D9E3A
   Aliases: W32.Spybot.Worm [Symantec]; Virus.Win32.Lamer.el [Kaspersky Lab]; Generic Dropper.ee [McAfee]; Troj/DwnLdr-HQY [Sophos]; Trojan-Downloader.Win32.VB [Ikarus]; Win-Trojan/Xema.variant [AhnLab]

4. c:\RECYCLEP\Pagefile.exe
   %Windir%\Help\HelpCat.exe
   %Windir%\system\KavUpda.exe
   [file and pathname of the sample #1]
   Size: 3,752,999 bytes
   MD5: 0xE876B185990FB66CADD339580BA12A80
   SHA-1: 0xB59009D76CB4208E75054D5FFB63C521F38F315A
   Aliases: W32.Besverit [Symantec]; Virus.Win32.Lamer.el [Kaspersky Lab]; Generic Dropper.ee [McAfee]; Troj/DwnLdr-HQY [Sophos]; Trojan-Downloader.Win32.VB [Ikarus]; Win-Trojan/Xema.variant [AhnLab]

5. %Windir%\regedt32.sys
   Size: 2,532 bytes
   MD5: 0xE7D7EC66BD61FAC3843C98650B0C68F6
   SHA-1: 0xA15AE06E1BE51038863650746368A71024539BAC
   Aliases: (not available)

6. %Windir%\Sysinf.bat
   Size: 460 bytes
   MD5: 0x670EE8480F0FA35324126991B20A552D
   SHA-1: 0xBAF54EAB6AE08DA4A6503DD224A72E153DA76045
   Aliases: Trojan.BAT.Starter [Ikarus]

7. %System%\Folderdir
   Size: 11,776 bytes
   MD5: 0xCD6AE53CEC41CDFB70AE6613441D216E
   SHA-1: 0x7B997500A9FDE08BB3D1DBFAD8EC0D0EAB9D2772
   Aliases: Trojan.Gen [Symantec]; Trojan.SuspectCRC [Ikarus]

8. %System%\Option.bat
   Size: 82 bytes
   MD5: 0x3F7FBD2EB34892646E93FD5E6E343512
   SHA-1: 0x265AC1061B54F62350FB7A5F57E566454D013A66
   Aliases: Trojan.BAT.KillAV.ex [Kaspersky Lab]

Entries 2, 3 and 4 have the same size (3,752,999 bytes) but different hashes, which together with the Virus.Win32.Lamer.el alias fits the PE-file-infector finding in the summary: each copy carries the same body, modified per file.

9 to 32. Scheduled-task job files in %Windir%\Tasks\ (the naming At<n>.job is what at.exe produces; no alias is available for any of them, and the report does not capture the command each job runs):
   9.  At1.job   346 bytes  MD5: 0x49D66A4B10B94D67F28297EB0EC6C386  SHA-1: 0xC4677F1B8EE9FED66BB2BBF0D69862E6931553A3
   10. At10.job  346 bytes  MD5: 0xE55F31A25014BA4AC6CC522BEEB60E66  SHA-1: 0x019577B637B4F9AA4207704F049CF934D1A1A227
   11. At11.job  334 bytes  MD5: 0xB0B63B35145AEA42C59BDCD10FF9F703  SHA-1: 0x8CA279994B5A551F60BEAA8E2315EAAC28B4A87E
   12. At12.job  334 bytes  MD5: 0x3113E4C392BD2238B79EFD523F9AF417  SHA-1: 0x9E18C744DCB73F5B7AC4E45B5F38200C90B241F4
   13. At13.job  334 bytes  MD5: 0xC7429DABFAF0695D9A01A4074CA5E1F1  SHA-1: 0xE437D74659C7A9E8AB82841E6AC60B4BD5EC9C58
   14. At14.job  334 bytes  MD5: 0xBD54A7B2C7D0FE28F300283BB9CCC8C9  SHA-1: 0x7254B637F0F4CDB5EBFED69D86A00EEA9D0E9A8A
   15. At15.job  334 bytes  MD5: 0x6D2499BA25A0F29D012497045543BDF1  SHA-1: 0xAD00C615D46BEE7542DDF96E66A7AD1FCEC318C4
   16. At16.job  346 bytes  MD5: 0x31ADDEAD3C09BC9EC62D6DC07F664355  SHA-1: 0x8E2E7AF7E3C7B9C1CDCBC18EB41688314FD11BDA
   17. At17.job  346 bytes  MD5: 0x08DEF4F8FEEF68195E6F6E69632EEFAC  SHA-1: 0x8C59D9F1A862F7E9024A30EAF86B1728D28E99C2
   18. At18.job  346 bytes  MD5: 0xC307805407AF736E45E2E7AB11FA29B5  SHA-1: 0x5E17C2217A6CE38FE2861484CAD7C0BFF1BF54BA
   19. At19.job  334 bytes  MD5: 0x6666FCEB05E11B68CE332CC848B98C6D  SHA-1: 0x737C1FA3781DE9B3A08B2BB62795575B3D6BE9EB
   20. At2.job   334 bytes  MD5: 0x103B995456BA571B40CC77645C6388F8  SHA-1: 0xE780B33A9A1C1BCE5E63FB92A466383AED91FACB
   21. At20.job  334 bytes  MD5: 0x69A6C8CDDFBDA1A589BCEE11825BB35F  SHA-1: 0xC56B2D75F10C2DF7596702A250614C2086E2CA0A
   22. At21.job  334 bytes  MD5: 0x11C6C79E6161BCB0FF939FCC6066571E  SHA-1: 0x86F8275F8048C7CFCB432045DB77312A44C8AB2B
   23. At22.job  334 bytes  MD5: 0x6AAB9060E0382F01597E54253B3224DC  SHA-1: 0x0EE4CDB968F7E9321F78D43E09448528FF5D3AAB
   24. At23.job  334 bytes  MD5: 0x45E33660AA1BA5E7B7A7646A482554FB  SHA-1: 0xE33CB16958FA0BA2DE6672DA258EDD0B16DF92AA
   25. At24.job  334 bytes  MD5: 0x1F5CB407E774795B997631D15DF86F63  SHA-1: 0xBBDC1A0B6CDB6E5C628A1F089B2023779A362C4A
   26. At3.job   334 bytes  MD5: 0xA29CBAE5B3A7F56BBFF40A83611DCBBF  SHA-1: 0x881DD7A104CFCA636AFDAA1CE1C07E9694383996
   27. At4.job   346 bytes  MD5: 0xB9E7B2ABD54FFFF42B9F1A75FEFDA0C2  SHA-1: 0xF6A2FC680037AA85A52F1EE01FB14AB11B1BC41E
   28. At5.job   334 bytes  MD5: 0x9F168348537CAB00E84D7283F4AAA875  SHA-1: 0xECF055FD3EFD299B31D728FC0CB314FBC1B1CCDE
   29. At6.job   334 bytes  MD5: 0x0FA79EE699A19C32233E5A4B8BA6797B  SHA-1: 0x18753057884EF9CE4F9A4BA5CBFE96BD4E66D46A
   30. At7.job   346 bytes  MD5: 0x54C8E8BA6285534DA597449CC6DAE845  SHA-1: 0xF4CF73CF670B22712EA292ED99E3FC88DA0D0B49
   31. At8.job   346 bytes  MD5: 0x1207C4E23159FC37A81C72711725E2A2  SHA-1: 0xF41DD9B23BE5EEDCC9919111A258F843E4FCE3EB
   32. At9.job   334 bytes  MD5: 0x19A233044C47887F818A663BE4F1DBE8  SHA-1: 0x2EB19949990FC69F0843786112B57C7F2A0849EF
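The 24 At*.job files above are Task Scheduler 1.0 job files, and the report lists only their sizes and hashes, not what they launch. The following added example (mine, not ThreatExpert's) decodes the .JOB binary layout documented in MS-TSCH to recover the application, parameters, author, flags and triggers from such a file; on a live case you would feed it the bytes of each At<n>.job from %Windir%\Tasks. The sample job it builds is constructed here, and the KavUpda.exe command line and daily 03:00 trigger in it are assumptions, not recovered data.

```python
"""Added example: decode a Task Scheduler 1.0 .JOB file (the At*.job layout).
Not ThreatExpert code; follows the MS-TSCH .JOB binary format, and the sample
it builds is constructed, since the report does not show the jobs' contents."""
import struct
import uuid

FIXED_LEN = 68      # FIXDLEN_DATA header: versions, UUID, offsets, priority, flags, last run
TRIGGER_LEN = 48    # one TRIGGER record
FLAG_DISABLED = 0x00000004  # TASK_FLAG_DISABLED in the job Flags field
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE",
                 4: "MONTHLYDOW", 5: "EVENT_ON_IDLE",
                 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}


def _put_str(s):
    """Counted UTF-16LE string: char count including the NUL, then the chars (0 = absent)."""
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")


def _get_str(buf, off):
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if count == 0:
        return "", off
    end = off + 2 * count
    return buf[off:end].decode("utf-16-le").rstrip("\x00"), end


def build_job(app, params="", workdir="", author="", comment="",
              start=(2009, 1, 1, 3, 0), trigger_type=1, flags=0):
    """Assemble a minimal but well-formed .JOB file (constructed sample data)."""
    body = struct.pack("<H", 0)                        # Running Instance Count
    for field in (app, params, workdir, author, comment):
        body += _put_str(field)
    body += struct.pack("<HH", 0, 0)                   # empty User Data, Reserved Data
    trigger_off = FIXED_LEN + len(body)
    year, month, day, hour, minute = start
    trigger = struct.pack("<HHHHHHHHHHIIIIHHHHHH",
                          TRIGGER_LEN, 0, year, month, day, 0, 0, 0, hour, minute,
                          0, 0, 0, trigger_type, 0, 0, 0, 0, 0, 0)
    body += struct.pack("<H", 1) + trigger             # Trigger Count, then the trigger
    header = struct.pack("<HH16sHHHHHHIIIII16s",
                         0x0600, 1, uuid.uuid4().bytes_le,     # product/file version, UUID
                         FIXED_LEN + 2, trigger_off,            # App Name Offset, Trigger Offset
                         0, 0, 0, 0,                            # retry count/interval, idle deadline/wait
                         0x20, 259_200_000, 0, 0, flags,        # priority, 72h max run, exit, status, flags
                         b"\x00" * 16)                          # Last Run Time (never ran)
    return header + body


def parse_job(buf):
    """Recover what a .JOB file runs and when; raises on a malformed header."""
    if len(buf) < FIXED_LEN:
        raise ValueError("too short for a .JOB header")
    _product_ver, file_ver = struct.unpack_from("<HH", buf, 0)
    if file_ver != 1:
        raise ValueError("unexpected .JOB file version %d" % file_ver)
    job_id = uuid.UUID(bytes_le=bytes(buf[4:20]))
    app_off, trigger_off = struct.unpack_from("<HH", buf, 20)
    _priority, _max_run, _exit, _status, flags = struct.unpack_from("<5I", buf, 32)
    off = app_off
    fields = {}
    for name in ("app", "params", "workdir", "author", "comment"):
        fields[name], off = _get_str(buf, off)
    (count,) = struct.unpack_from("<H", buf, trigger_off)
    triggers = []
    for i in range(count):
        t = trigger_off + 2 + i * TRIGGER_LEN
        (_size, _r1, y, mo, d, _ey, _em, _ed, h, mi,
         _duration, interval, tflags, ttype) = struct.unpack_from("<HHHHHHHHHHIIII", buf, t)
        triggers.append({"type": TRIGGER_TYPES.get(ttype, "0x%x" % ttype),
                         "begin": "%04d-%02d-%02d %02d:%02d" % (y, mo, d, h, mi),
                         "interval_min": interval, "flags": tflags})
    fields.update(uuid=str(job_id), flags=flags,
                  disabled=bool(flags & FLAG_DISABLED), triggers=triggers)
    return fields


# Constructed sample: a daily 03:00 job running the KavUpda.exe dropped copy
# from the table above. The command line is an assumption, not recovered data.
SAMPLE_JOB = build_job(r"C:\WINDOWS\system\KavUpda.exe", author="SYSTEM")


if __name__ == "__main__":
    job = parse_job(SAMPLE_JOB)
    print("%s %s  (%s, begins %s, disabled=%s)" % (
        job["app"], job["params"], job["triggers"][0]["type"],
        job["triggers"][0]["begin"], job["disabled"]))
```

Real At*.job files are a little longer than the sample because at.exe also writes a comment and a trailing job signature; parse_job ignores anything after the trigger array, so it handles them unchanged. Twenty-four jobs with sizes of only 334 or 346 bytes means each holds a single short command line, which is what you would expect from a batch of at.exe registrations.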

 

Memory Modifications

Process Name                    Process Filename                          Main Module Size
[filename of the sample #1]     [file and pathname of the sample #1]      262,144 bytes
KavUpda.exe                     %Windir%\system\kavupda.exe               262,144 bytes
pagefile.exe                    c:\recyclep\pagefile.exe                  262,144 bytes
helpcat.exe                     %Windir%\help\helpcat.exe                 262,144 bytes

Service Name    Display Name                                          New Status   Service Filename
ALG             Application Layer Gateway Service                     Stopped      %System%\alg.exe
SharedAccess    Windows Firewall/Internet Connection Sharing (ICS)    Stopped      %System%\svchost.exe -k netsvcs
wscsvc          Security Center                                       Stopped      %System%\svchost.exe -k netsvcs
wuauserv        Automatic Updates                                     Stopped      %System%\svchost.exe -k netsvcs

Stopping SharedAccess, wscsvc and wuauserv turns off the Windows Firewall, Security Center alerting and Automatic Updates; together with the Trojan.BAT.KillAV alias on Option.bat above, this is consistent with a defence-disabling step of the infection.

 

Registry Modifications

 

Other details

China

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2017 ThreatExpert. All rights reserved.