Submission Summary:

• Submission details:
• Submission received: 8 May 2008, 17:49:05
• Processing time: 3 min 49 sec
• Submitted sample:
• File MD5: 0x674B1FB905E60047722A123333FFB900
• File SHA-1: 0xBC4650629D40B6FDA838E378B6BBF266509C01F6
• Filesize: 251,983 bytes
• Alias: Worm.Win32.AutoRun.des, Trojan-PSW.Win32.OnLineGames.ywg [Kaspersky Lab]

• Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Worm.AutoRun!sd5	Worm.AutoRun!sd5 is a network-aware worm that attempts to replicate across the existing network.
Trojan-Spy.Gampass!sd5	Trojan-Spy.Gampass!sd5 is a malicious application that attempts to steal passwords, login details, and other confidential information.
Trojan-PWS.Onlinegames.BS	Trojan.PWS.Onlinegames.BS is a Trojan that will start itself automatically and steal passwords of onlinegames on the infected machines.
Trojan-PWS.OnlineGames.ARun	Trojan-PWS.OnlineGames.ARun attempts to steal password information associated to popular online games such as MapleStory, Legend of Mir and World of Warcraft. It has the ability to spread itself via removable disk such as USB drives.

• Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A spyware program that represents security risk for a local system
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	c:\autorun.inf	446 bytes	MD5: 0x68EB502933C807342A707AA9BA2883F3 SHA-1: 0x77AF0788B6CEC622B8D2748495AD0D9875868F24	Worm.Win32.AutoRun.dgt [Kaspersky Lab]
2	%Temp%\as8ffpas.dll	26,754 bytes	MD5: 0x6E67D9C326AFCE81084642D52EA11D87 SHA-1: 0x38489CA06423CBA6CA2A0469DCA78191457F2190	Trojan.Lineage.Gen!Pac.3 [PCTools] Bloodhound.Packed.Jmp [Symantec] Trojan-PSW.Win32.OnLineGames.xme [Kaspersky Lab] TSPY_ONLINEGA.FF [Trend Micro]
3	%Temp%\cmctva4c.dll	27,002 bytes	MD5: 0x8D72B6A51965CEF403F403C6A8C79293 SHA-1: 0x468CACD45EB9C3F6BF45FFD2B926B36C5F69E3C2	Worm.AutoRun!sd5 [PCTools] Bloodhound.Packed.Jmp [Symantec] Worm.Win32.AutoRun.des [Kaspersky Lab] WORM_AUTORUN.AWM [Trend Micro]
4	%Temp%\help(1).exe	103,704 bytes	MD5: 0xCA40D0EB565C234DEE5D24E9A104C4AD SHA-1: 0xB86F9D7F30CCA4BB823FEB56C2A3632CE470C15E	Worm.AutoRun!sd5 [PCTools] W32.Gammima.AG [Symantec] Worm.Win32.AutoRun.des [Kaspersky Lab] W32/Autorun.worm.bx.gen [McAfee] WORM_AUTORUN.ANC [Trend Micro]
5	c:\mvxm.cmd %System%\amvo.exe	103,182 bytes	MD5: 0xF03A579C6C135CD8DBFA9EBA8A415D23 SHA-1: 0xA7F01D2C7387DBFB4376F1A9E022FAFED9D9BC92	Trojan-Spy.Gampass!sd5 [PCTools] Infostealer.Gampass [Symantec] Trojan-PSW.Win32.OnLineGames.ywg [Kaspersky Lab] PWS-Mmorpg.gen [McAfee] TSPY_ONLINEG.ABH [Trend Micro]
6	%System%\amvo1.dll	70,656 bytes	MD5: 0x79FA22A23B98E04EE1AEA1634A849793 SHA-1: 0x1F935EE1120D6211EFB759FA1F60E05848C4B6F3	Trojan.Lineage.Gen!Pac.3 [PCTools] Infostealer.Gampass [Symantec] Trojan-PSW.Win32.OnLineGames.ywf [Kaspersky Lab] PWS-LegMir.gen.k.dll [McAfee] TSPY_ONLINEG.KTP [Trend Micro]
7	[file and pathname of the sample #1]	251,983 bytes	MD5: 0x674B1FB905E60047722A123333FFB900 SHA-1: 0xBC4650629D40B6FDA838E378B6BBF266509C01F6	Worm.Win32.AutoRun.des, Trojan-PSW.Win32.OnLineGames.ywg [Kaspersky Lab]

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
amvo.exe	%System%\amvo.exe	196,608 bytes
help(1).exe	%Temp%\help(1).exe	196,608 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	45,056 bytes
help.exe	%Temp%\help.exe	196,608 bytes

• The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
amvo1.dll	%System%\amvo1.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0xD80000 - 0xDA2000

• Notes:
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Registry Modifications

• The newly created Registry Value is:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• amva = "%System%\amvo.exe"

so that amvo.exe runs every time Windows starts

• The following Registry Value was modified:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
• CheckedValue = 0x00000000

so that hidden files and folders are not displayed in explorer when browsing the file system

Other details

• The following Internet download was started (the retrieved bits are saved into the local file):