Submission Summary:

What's been foundSeverity Level
Downloads/requests other files from Internet.
Modifies some system settings that may have negative impact on overall system security state.
Creates a startup registry entry.
Contains characteristics of an identified security risk.


Technical Details:


Possible Security Risk

Security RiskDescription
Worm.AutoRun!sd5 Worm.AutoRun!sd5 is a network-aware worm that attempts to replicate across the existing network.
Trojan-Spy.Gampass!sd5 Trojan-Spy.Gampass!sd5 is a malicious application that attempts to steal passwords, login details, and other confidential information.
Trojan-PWS.Onlinegames.BS Trojan.PWS.Onlinegames.BS is a Trojan that will start itself automatically and steal passwords of onlinegames on the infected machines.
Trojan-PWS.OnlineGames.ARun Trojan-PWS.OnlineGames.ARun attempts to steal password information associated to popular online games such as MapleStory, Legend of Mir and World of Warcraft. It has the ability to spread itself via removable disk such as USB drives.

Threat CategoryDescription
A network-aware worm that attempts to replicate across the existing network(s)
A spyware program that represents security risk for a local system
A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)


File System Modifications

#Filename(s)File SizeFile HashAlias
1 c:\autorun.inf 446 bytes MD5: 0x68EB502933C807342A707AA9BA2883F3
SHA-1: 0x77AF0788B6CEC622B8D2748495AD0D9875868F24
Worm.Win32.AutoRun.dgt [Kaspersky Lab]
2 %Temp%\as8ffpas.dll 26,754 bytes MD5: 0x6E67D9C326AFCE81084642D52EA11D87
SHA-1: 0x38489CA06423CBA6CA2A0469DCA78191457F2190
Trojan.Lineage.Gen!Pac.3 [PCTools]
Bloodhound.Packed.Jmp [Symantec]
Trojan-PSW.Win32.OnLineGames.xme [Kaspersky Lab]
3 %Temp%\cmctva4c.dll 27,002 bytes MD5: 0x8D72B6A51965CEF403F403C6A8C79293
SHA-1: 0x468CACD45EB9C3F6BF45FFD2B926B36C5F69E3C2
Worm.AutoRun!sd5 [PCTools]
Bloodhound.Packed.Jmp [Symantec]
Worm.Win32.AutoRun.des [Kaspersky Lab]
4 %Temp%\help(1).exe 103,704 bytes MD5: 0xCA40D0EB565C234DEE5D24E9A104C4AD
SHA-1: 0xB86F9D7F30CCA4BB823FEB56C2A3632CE470C15E
Worm.AutoRun!sd5 [PCTools]
W32.Gammima.AG [Symantec]
Worm.Win32.AutoRun.des [Kaspersky Lab]
W32/Autorun.worm.bx.gen [McAfee]
5 c:\mvxm.cmd
103,182 bytes MD5: 0xF03A579C6C135CD8DBFA9EBA8A415D23
SHA-1: 0xA7F01D2C7387DBFB4376F1A9E022FAFED9D9BC92
Trojan-Spy.Gampass!sd5 [PCTools]
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.OnLineGames.ywg [Kaspersky Lab]
PWS-Mmorpg.gen [McAfee]
6 %System%\amvo1.dll 70,656 bytes MD5: 0x79FA22A23B98E04EE1AEA1634A849793
SHA-1: 0x1F935EE1120D6211EFB759FA1F60E05848C4B6F3
Trojan.Lineage.Gen!Pac.3 [PCTools]
Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.OnLineGames.ywf [Kaspersky Lab]
PWS-LegMir.gen.k.dll [McAfee]
7 [file and pathname of the sample #1] 251,983 bytes MD5: 0x674B1FB905E60047722A123333FFB900
SHA-1: 0xBC4650629D40B6FDA838E378B6BBF266509C01F6
Worm.Win32.AutoRun.des, Trojan-PSW.Win32.OnLineGames.ywg [Kaspersky Lab]


Memory Modifications

Process NameProcess FilenameMain Module Size
amvo.exe%System%\amvo.exe196,608 bytes
help(1).exe%Temp%\help(1).exe196,608 bytes
[filename of the sample #1][file and pathname of the sample #1]45,056 bytes
help.exe%Temp%\help.exe196,608 bytes

Module NameModule FilenameAddress Space Details
amvo1.dll%System%\amvo1.dllProcess name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0xD80000 - 0xDA2000


Registry Modifications


Other details

URL to be downloadedFilename for the downloaded bits\help.rar



All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.

Copyright © 2015 ThreatExpert. All rights reserved.