Sumom is an IM (Instant Messaging) worm that appeared on March 7th, 2005. This worm spreads using MSN Messenger and P2P (peer-to-peer) networks. It can also copy itself to CD-Rs. The Sumom worm contains a message to the author of Assiral worm.
The worm makes every effort to protect its files from being removed. To disinfect the worm using F-Secure Anti-Virus, set the 'Rename Automatically' disinfection action for the On-Access Scanner (OAS) and restart the computer. After the restart, the worm's files that were active will have been renamed. F-Secure Anti-Virus can then be instructed to delete the infected files as shown on this page: http://support.f-secure.com/enu/home/virusproblem/howtoclean/howtodeleteinfec... Manual disinfection requires booting the computer into Safe Mode and deleting all of the worm's files from the hard disk.
The worm's file is a PE executable about 17 kilobytes long, packed with the Mew file compressor. The unpacked file is over 155 kilobytes. The worm is written in Visual Basic.
Installation to system
When the worm's file is run, it installs itself to the system. It copies itself as 'msmbw.exe' to the Windows folder and as 'formatsys.exe' and 'serbw.exe' to the Windows System folder. The worm then creates a startup key for one of its dropped files:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "<value>" = "%winsysdir%\serbw.exe"
where <value> can be one of the following:
ltwob
serpe
avnort
Additionally the worm copies itself to the root of C: drive with the following names:
lspt.exe
Crazy frog gets killed by train!.pif
Annoying crazy frog getting killed.pif
See my lesbian friends.pif
LOL that ur pic!.pif
My new photo!.pif
Me on holiday!.pif
The Cat And The Fan piccy.pif
How a Blonde Eats a Banana...pif
Mona Lisa Wants Her Smile Back.pif
Topless in Mini Skirt! lol.pif
Fat Elvis! lol.pif
Jennifer Lopez.scr
Also the worm drops the following files to the root of C: drive:
Message to n00b LARISSA.txt
Crazy-Frog.Html
The 'Message to n00b LARISSA.txt' file contains a very rude message to the author of the Assiral worm; it is opened in Notepad. The 'Crazy-Frog.Html' file is opened in a web browser after the worm starts. The worm does not allow its files to be deleted: if any of them is deleted, the worm copies it back to the hard drive after a few seconds.
Spreading via MSN Messenger
The worm is capable of spreading itself in Instant Messages to all MSN Messenger contacts found on an infected computer.
Spreading to P2P networks
The worm attempts to spread in peer-to-peer networks. It copies itself to the 'My Shared Folder', 'Program Files\eMule\Incoming' and 'Shared' folders of the current user under the 'Documents and Settings' folder with the following names:
Messenger Plus! 3.50.exe
MSN all version polygamy.exe
MSN nudge bomb.exe
Anyone who reaches these shared folders over the P2P network, downloads any of these files and runs it infects their own computer.
Spreading to CD-Rs
The worm also copies itself as 'autorun.exe' to the current user's 'Local Settings\Application Data\Microsoft\CD Burning' folder (the staging folder Windows uses for its built-in CD burning) and creates an 'autorun.inf' file containing instructions to run 'autorun.exe' when the media is inserted into a drive. As a result, when the user burns a CD-R, the disc becomes infected and can infect other computers it is used on.
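To see what the CD-R trick depends on, here is a small auditor for autorun.inf files. This is an added example, not code from the page or from F-Secure: it parses an autorun.inf and reports the entries that would launch a program on insertion. The two autorun.inf samples inside it are constructed for illustration (the page only says that the worm's file runs autorun.exe; its exact contents are not reproduced), and the set of launch keys comes from the Windows AutoRun format rather than from the page.

```python
"""Audit an autorun.inf for entries that launch a program on media insertion.

Added example; not code from the page or from F-Secure. The sample
autorun.inf below is constructed to match the description (an [autorun]
section that starts autorun.exe); the exact file Sumom writes is not
reproduced on the page.
"""
import re

# Keys that make Windows AutoRun launch something. 'open' and
# 'shellexecute' are the direct launch keys; 'shell\<verb>\command'
# entries add context-menu actions that run a command.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun_inf(text):
    """Return {section: {key: value}} for INI-style autorun.inf text.

    Tolerates CRLF line endings, ';' comment lines and blank lines.
    Section and key names are lower-cased because Windows treats them
    case-insensitively; a later duplicate key overwrites an earlier one.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launches(text):
    """List (key, target) pairs in [autorun] that execute a program."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    hits = []
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            hits.append((key, value))
    return hits


# Constructed sample: what a worm-written autorun.inf that starts
# autorun.exe on insertion looks like. Not copied from a Sumom sample.
SAMPLE_AUTORUN_INF = "[autorun]\r\nopen=autorun.exe\r\nicon=autorun.exe,0\r\n"

# Constructed benign sample: only sets a label and icon, launches nothing.
SAMPLE_BENIGN_INF = "[autorun]\nlabel=Holiday photos\nicon=photos.ico\n"

if __name__ == "__main__":
    for name, inf in (("worm", SAMPLE_AUTORUN_INF), ("benign", SAMPLE_BENIGN_INF)):
        hits = autorun_launches(inf)
        verdict = ("LAUNCHES " + ", ".join(v for _, v in hits)) if hits else "no launch entries"
        print("%s: %s" % (name, verdict))
```

Run against the root of a burned disc (or the CD Burning staging folder) and treat any launch entry as a finding; an 'icon' or 'label' key on its own is harmless.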
The worm has a set of payloads. First, it disables System Restore and its configuration option. Then it configures Windows Explorer not to show hidden files. The 'MSLARISSA.pif' file gets deleted (if present) when the worm starts. When active in memory, the worm kills processes with the following names:
avengine.exe
apvxdwin.exe
atupdater.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avconsol.exe
avsynmgr.exe
avwupd32.exe
avxquar.exe
bawindo.exe
blackd.exe
ccapp.exe
ccevtmgr.exe
ccproxy.exe
ccpxysvc.exe
cfiaudit.exe
defwatch.exe
drwebupw.exe
escanh95.exe
escanhnt.exe
nisum.exe
firewall.exe
frameworkservice.exe
icssuppnt.exe
icsupp95.exe
luall.exe
lucoms~1.exe
mcagent.exe
mcshield.exe
mcupdate.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
nopdb.exe
nprotect.exe
nupgrade.exe
outpost.exe
pavfires.exe
pavproxy.exe
pavsrv50.exe
rtvscan.exe
rulaunch.exe
savscan.exe
shstat.exe
sndsrvc.exe
symlcsvc.exe
Update.exe
updaterui.exe
vshwin32.exe
vsstat.exe
vstskmgr.exe
cmd.exe
msconfig.exe
msdev.exe
ollydbg.exe
peid.exe
petools.exe
regedit.exe
reshacker.exe
taskmgr.exe
w32dasm.exe
winhex.exe
wscript.exe
As a result, certain security and anti-virus software, as well as Windows Task Manager, Registry Editor and the command prompt, stop working. Additionally, the worm tries to redirect the following websites to the 126.96.36.199 address by modifying the HOSTS file:
www.symantec.com
www.sophos.com
www.mcafee.com
www.viruslist.com
www.f-secure.com
www.avp.com
www.kaspersky.com
www.networkassociates.com
www.ca.com
www.my-etrust.com
www.nai.com
www.trendmicro.com
www.grisoft.com
securityresponse.symantec.com
symantec.com
sophos.com
mcafee.com
update.symantec.com
liveupdate.symantecliveupdate.com
viruslist.com
f-secure.com
kaspersky.com
kaspersky-labs.com
avp.com
nai.com
networkassociates.com
ca.com
mast.mcafee.com
my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
grisoft.com
sandbox.norman.no
www.pandasoftware.com
uk.trendmicro-europe.com
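A practitioner checking a machine for this payload wants to audit the HOSTS file directly rather than notice that vendor sites "do not load". The following is an added example, not code from the page or from F-Secure: it parses HOSTS text and reports any of the listed vendor names that have been pinned to an address, distinguishing loopback blackholes from redirects to another host. The sample HOSTS content is constructed, and HIJACK_TARGETS holds only a subset of the page's domain list (assumption: a real check would load the full list above).

```python
"""Find HOSTS-file entries that hijack security-vendor domains.

Added example; not code from the page or from F-Secure. The sample
HOSTS content below is constructed. The redirect address used in it is
the one the page lists (126.96.36.199) plus a loopback variant, because
any mapping of these vendor names in a HOSTS file is suspect regardless
of the address it points to.
"""
import ipaddress

# Subset of the domains the page lists (assumption: a real check would
# load the full list rather than this hand-picked sample).
HIJACK_TARGETS = {
    "www.symantec.com", "symantec.com", "liveupdate.symantec.com",
    "update.symantec.com", "www.f-secure.com", "f-secure.com",
    "www.mcafee.com", "www.kaspersky.com", "www.sophos.com",
}


def parse_hosts(text):
    """Yield (address, hostname) pairs from HOSTS text.

    Handles tabs and runs of spaces, trailing '#' comments, CRLF line
    endings and several hostnames on one line. Lines whose first field
    is not a valid IP address are skipped rather than raising, so a
    damaged HOSTS file can still be inspected to the end.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield str(addr), name.lower().rstrip(".")


def hijacked_entries(text, targets=HIJACK_TARGETS):
    """Return [(hostname, address, kind)] for target domains pinned in HOSTS.

    Loopback and unspecified addresses (127.x, 0.0.0.0, ::1) are the
    classic 'blackhole' form that just breaks updates; anything else is
    a redirect to a host the attacker chose. Both are reported.
    """
    hits = []
    for addr, name in parse_hosts(text):
        if name in targets:
            ip = ipaddress.ip_address(addr)
            kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            hits.append((name, addr, kind))
    return hits


# Constructed sample HOSTS file: the standard localhost lines, one
# legitimate intranet entry, and hijack lines of the kind an
# AV-blocking worm writes. Not a capture from an infected machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example   # constructed, assumed legitimate
126.96.36.199   www.symantec.com symantec.com   # vendor names pinned
126.96.36.199\tliveupdate.symantec.com
127.0.0.1       www.f-secure.com
::1             localhost
"""

if __name__ == "__main__":
    for name, addr, kind in hijacked_entries(SAMPLE_HOSTS):
        print("%-28s -> %-15s (%s)" % (name, addr, kind))
```

On a Windows host the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; a clean file normally contains only the localhost entries, so any vendor name appearing there is a finding even if the address looks harmless.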
The worm closes application windows if the following strings are found in the window captions:
ADWARE
ALERTS
AUTOSTARTED
BENIGN
BLOCKER
BULLGUARD
BUSTER
CENTER
-CILLIN
CLEANER
Command
DESTROY
DETECTION
DOCTOR
EARTHLINK
EDITOR
ELIMINATE
Filter
FIREWALL
FIXING
HUNTER
LIVEUPDATE
MALWARE
MALWHERE
MCAFEE
NETCOP
NORTON
PROMPT
PROTECTOR
REGISTRY
REMOVAL
RESTORE
SANDBOX
SECURE
SECURITY
SOPHOS
SPYBOT
SPYWARE
STOPPER
SWEEPER
Update
VCATCH
Detection for this malware was published on March 7th, 2005 in the following F-Secure
Detection Type: PC
Description Created: Alexey Podrezov, March 7th, 2005