F-Secure Virus Descriptions : Sumom.A
Sumom is an IM (Instant Messaging) worm that appeared on March
7th, 2005. The worm spreads using MSN Messenger and P2P
(peer-to-peer) networks, and it can also copy itself to CD-Rs. The
Sumom worm contains a message to the author of the Assiral worm.
The worm makes every effort to protect its files from being
removed. To disinfect the worm using F-Secure Anti-Virus, set the
'Rename Automatically' disinfection action for the On-Access
Scanner (OAS) and restart the computer. After the restart, all of
the worm's active files will have been renamed. F-Secure Anti-Virus
can then be instructed to delete the infected files as shown on this page:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/howtodeleteinfec...
Manual disinfection requires booting the computer into Safe Mode and
deleting all of the worm's files from the hard disk.
The worm's file is a PE executable about 17 kilobytes long, packed
with the MEW file compressor. The unpacked file is over 155 kilobytes
in size. The worm is written in Visual Basic.
Installation to system
When the worm's file is run, it installs itself on the system. It
copies itself as 'msmbw.exe' to the Windows folder and as
'formatsys.exe' and 'serbw.exe' to the Windows System folder.
The worm then creates a startup key for one of its dropped files:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<value>" = "%winsysdir%\serbw.exe"
where <value> can be one of the following:
ltwob
serpe
avnort
Additionally, the worm copies itself to the root of the C: drive with
the following names:
lspt.exe
Crazy frog gets killed by train!.pif
Annoying crazy frog getting killed.pif
See my lesbian friends.pif
LOL that ur pic!.pif
My new photo!.pif
Me on holiday!.pif
The Cat And The Fan piccy.pif
How a Blonde Eats a Banana...pif
Mona Lisa Wants Her Smile Back.pif
Topless in Mini Skirt! lol.pif
Fat Elvis! lol.pif
Jennifer Lopez.scr
The worm also drops the following files to the root of the C: drive:
Message to n00b LARISSA.txt
Crazy-Frog.Html
The 'Message to n00b LARISSA.txt' file contains a very rude message
to the author of the Assiral worm. This message is opened in
Notepad. The 'Crazy-Frog.Html' file is opened in a web browser after
the worm starts.
The worm does not allow its files to be deleted. If any of its files
is deleted, the worm copies it back to the hard drive after a few
seconds.
Spreading via MSN Messenger
The worm is capable of spreading itself in Instant Messages to
all MSN Messenger contacts found on an infected computer.
Spreading to P2P networks
The worm attempts to spread in peer-to-peer networks. It copies
itself to the 'My Shared Folder', 'Program Files\eMule\Incoming'
and 'Shared' folders of the current user under the 'Documents and
Settings' folder with the following names:
Messenger Plus! 3.50.exe
MSN all version polygamy.exe
MSN nudge bomb.exe
When someone accesses these shared folders, then downloads and
runs any of these files, their computer becomes infected.
Spreading to CD-Rs
The worm also copies itself as 'autorun.exe' to the current
user's 'Local Settings\Application Data\Microsoft\CD Burning'
folder and creates an 'autorun.inf' file that contains
instructions to run 'autorun.exe' when the media is
inserted into a drive. As a result, when the user burns a CD-R, it
becomes infected and can infect any other computer it is used on.
Payload
The worm has several payloads. First, it disables System Restore
and its configuration option. Then it configures Windows Explorer
not to show hidden files. The 'MSLARISSA.pif' file is deleted
(if present) when the worm starts.
When active in memory, the worm kills processes with the
following names:
avengine.exe
apvxdwin.exe
atupdater.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avconsol.exe
avsynmgr.exe
avwupd32.exe
avxquar.exe
bawindo.exe
blackd.exe
ccapp.exe
ccevtmgr.exe
ccproxy.exe
ccpxysvc.exe
cfiaudit.exe
defwatch.exe
drwebupw.exe
escanh95.exe
escanhnt.exe
nisum.exe
firewall.exe
frameworkservice.exe
icssuppnt.exe
icsupp95.exe
luall.exe
lucoms~1.exe
mcagent.exe
mcshield.exe
mcupdate.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
nopdb.exe
nprotect.exe
nupgrade.exe
outpost.exe
pavfires.exe
pavproxy.exe
pavsrv50.exe
rtvscan.exe
rulaunch.exe
savscan.exe
shstat.exe
sndsrvc.exe
symlcsvc.exe
Update.exe
updaterui.exe
vshwin32.exe
vsstat.exe
vstskmgr.exe
cmd.exe
msconfig.exe
msdev.exe
ollydbg.exe
peid.exe
petools.exe
regedit.exe
reshacker.exe
taskmgr.exe
w32dasm.exe
winhex.exe
wscript.exe
As a result, certain security and anti-virus software, as well as
Windows Task Manager and Registry Editor, stop working.
Additionally, the worm tries to redirect the following websites to
the 64.233.167.104 address by modifying the HOSTS file:
www.symantec.com
www.sophos.com
www.mcafee.com
www.viruslist.com
www.f-secure.com
www.avp.com
www.kaspersky.com
www.networkassociates.com
www.ca.com
www.my-etrust.com
www.nai.com
www.trendmicro.com
www.grisoft.com
securityresponse.symantec.com
symantec.com
sophos.com
mcafee.com
update.symantec.com
liveupdate.symantecliveupdate.com
viruslist.com
f-secure.com
kaspersky.com
kaspersky-labs.com
avp.com
nai.com
networkassociates.com
ca.com
mast.mcafee.com
my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
grisoft.com
sandbox.norman.no
www.pandasoftware.com
uk.trendmicro-europe.com
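The HOSTS-file modification above leaves a durable artefact that is easy to check for. The following is an added example (not F-Secure's code) that parses HOSTS-file text and reports security-vendor hostnames from the list above that are mapped to any non-loopback address, so it catches redirects to 64.233.167.104 as well as to other addresses; the HOSTS content is a constructed sample, and the vendor list is a subset of the page's list that can be extended.

```python
# Added example (not F-Secure's code): detect Sumom-style HOSTS hijacking of
# security-vendor hostnames. Sample HOSTS content below is constructed.
import ipaddress

# Subset of the hostnames the description says the worm redirects.
VENDOR_HOSTS = {
    "www.symantec.com", "www.sophos.com", "www.mcafee.com", "www.f-secure.com",
    "www.kaspersky.com", "liveupdate.symantec.com", "update.symantec.com",
    "download.mcafee.com", "f-secure.com", "symantec.com", "mcafee.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        fields = line.split()                 # handles tabs and multiple spaces
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address; not a mapping
        for host in fields[1:]:               # one line may list several hosts
            yield str(ip), host.lower()


def find_hijacked_hosts(text):
    """Return {hostname: ip} for vendor hostnames mapped to a non-loopback address.

    Loopback mappings (127.0.0.1) are a common legitimate blocklist technique and
    are not reported; a vendor site pointed anywhere else is.
    """
    hits = {}
    for ip, host in parse_hosts(text):
        if host in VENDOR_HOSTS and not ipaddress.ip_address(ip).is_loopback:
            hits[host] = ip
    return hits


# Constructed sample: a normal entry, a loopback blocklist entry and two
# Sumom-style redirects (one listing several hostnames on a single line).
SAMPLE_HOSTS = """\
# sample HOSTS file header
127.0.0.1       localhost
127.0.0.1       ads.example.test       # user blocklist, not suspicious
64.233.167.104  www.symantec.com www.sophos.com   # worm redirect
64.233.167.104\twww.f-secure.com
"""

if __name__ == "__main__":
    for host, ip in sorted(find_hijacked_hosts(SAMPLE_HOSTS).items()):
        print(f"{host} -> {ip}")
```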
The worm closes application windows if the following strings are
found in the window captions:
ADWARE
ALERTS
AUTOSTARTED
BENIGN
BLOCKER
BULLGUARD
BUSTER
CENTER
-CILLIN
CLEANER
Command
DESTROY
DETECTION
DOCTOR
EARTHLINK
EDITOR
ELIMINATE
Filter
FIREWALL
FIXING
HUNTER
LIVEUPDATE
MALWARE
MALWHERE
MCAFEE
NETCOP
NORTON
PROMPT
PROTECTOR
REGISTRY
REMOVAL
RESTORE
SANDBOX
SECURE
SECURITY
SOPHOS
SPYBOT
SPYWARE
STOPPER
SWEEPER
Update
VCATCH
Detection for this malware was published on March 7th, 2005 in
the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2005-03-07_02
Technical Details:
Alexey Podrezov, March 7th, 2005;
F-Secure Corporation