Threat Description

Sumom.A

Details

Aliases: Sumom.A, IM-Worm.Win32.Sumom.a, W32.Serflog.A, Serflog
Category: Malware
Type:
Platform: W32

Summary


Sumom is an IM (Instant Messaging) worm that appeared on March 7th, 2005. This worm spreads using MSN Messenger and P2P (peer-to-peer) networks. It can also copy itself to CD-Rs. The Sumom worm contains a message to the author of Assiral worm.



Removal


The worm makes every effort to protect its files from being removed. To disinfect the worm using F-Secure Anti-Virus, set the 'Rename Automatically' disinfection action for the On-Access Scanner (OAS) and restart the computer. After the restart, all of the worm's active files will have been renamed. F-Secure Anti-Virus can then be instructed to delete the infected files as shown on this page: http://support.f-secure.com/enu/home/virusproblem/howtoclean/howtodeleteinfec... Manual disinfection requires booting the computer into Safe Mode and deleting all of the worm's files from the hard disk.



Technical Details


The worm's file is a PE executable about 17 kilobytes long, packed with the Mew file compressor. The unpacked file is over 155 kilobytes. The worm is written in Visual Basic.

Installation to system

When the worm's file is run, it installs itself into the system. It copies itself as 'msmbw.exe' to the Windows folder, and as 'formatsys.exe' and 'serbw.exe' to the Windows System folder. The worm then creates a startup key for one of its dropped files:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<value>" = "%winsysdir%\serbw.exe"

where <value> can be one of the following:

ltwob
serpe
avnort

Additionally, the worm copies itself to the root of the C: drive with the following names:

lspt.exe
Crazy frog gets killed by train!.pif
Annoying crazy frog getting killed.pif
See my lesbian friends.pif
LOL that ur pic!.pif
My new photo!.pif
Me on holiday!.pif
The Cat And The Fan piccy.pif
How a Blonde Eats a Banana...pif
Mona Lisa Wants Her Smile Back.pif
Topless in Mini Skirt! lol.pif
Fat Elvis! lol.pif
Jennifer Lopez.scr

The worm also drops the following files to the root of the C: drive:

Message to n00b LARISSA.txt
Crazy-Frog.Html

The 'Message to n00b LARISSA.txt' file contains a very rude message to the author of the Assiral worm. This message can be opened in Notepad. The 'Crazy-Frog.Html' file is opened in a web browser after the worm starts. The worm does not allow its files to be deleted: if any of its files is deleted, the worm copies it back to the hard drive after a few seconds.

Spreading via MSN Messenger

The worm is capable of spreading itself in Instant Messages to all MSN Messenger contacts found on an infected computer.

Spreading to P2P networks

The worm attempts to spread on peer-to-peer networks. It copies itself to the 'My Shared Folder', 'Program Files\eMule\Incoming' and the current user's 'Shared' folder under 'Documents and Settings' with the following names:

Messenger Plus! 3.50.exe
MSN all version polygamy.exe
MSN nudge bomb.exe

When someone accesses these shared folders and downloads and runs any of these files, their computer becomes infected.

Spreading to CD-Rs

The worm also copies itself as 'autorun.exe' to the current user's 'Local Settings\Application Data\Microsoft\CD Burning' folder and creates an 'autorun.inf' file containing instructions to run 'autorun.exe' when the media is inserted into a drive. As a result, when the user burns a CD-R, the disc carries the worm and can infect other computers on which it is used.

Payload

The worm has a set of payloads. First, it disables System Restore and its configuration option. Then it configures Windows Explorer not to show hidden files. The 'MSLARISSA.pif' file gets deleted (if present) when the worm starts. When active in memory, the worm kills processes with the following names:

avengine.exe, apvxdwin.exe, atupdater.exe, aupdate.exe, autodown.exe, autotrace.exe, autoupdate.exe, avconsol.exe, avsynmgr.exe, avwupd32.exe, avxquar.exe, bawindo.exe, blackd.exe, ccapp.exe, ccevtmgr.exe, ccproxy.exe, ccpxysvc.exe, cfiaudit.exe, defwatch.exe, drwebupw.exe, escanh95.exe, escanhnt.exe, nisum.exe, firewall.exe, frameworkservice.exe, icssuppnt.exe, icsupp95.exe, luall.exe, lucoms~1.exe, mcagent.exe, mcshield.exe, mcupdate.exe, mcvsescn.exe, mcvsrte.exe, mcvsshld.exe, navapsvc.exe, navapw32.exe, nopdb.exe, nprotect.exe, nupgrade.exe, outpost.exe, pavfires.exe, pavproxy.exe, pavsrv50.exe, rtvscan.exe, rulaunch.exe, savscan.exe, shstat.exe, sndsrvc.exe, symlcsvc.exe, Update.exe, updaterui.exe, vshwin32.exe, vsstat.exe, vstskmgr.exe, cmd.exe, msconfig.exe, msdev.exe, ollydbg.exe, peid.exe, petools.exe, regedit.exe, reshacker.exe, taskmgr.exe, w32dasm.exe, winhex.exe, wscript.exe

As a result, certain security and anti-virus software, as well as Windows Task Manager and Registry Editor, stop working. Additionally, the worm tries to redirect the following websites to the 64.233.167.104 address by modifying the HOSTS file:

www.symantec.com, www.sophos.com, www.mcafee.com, www.viruslist.com, www.f-secure.com, www.avp.com, www.kaspersky.com, www.networkassociates.com, www.ca.com, www.my-etrust.com, www.nai.com, www.trendmicro.com, www.grisoft.com, securityresponse.symantec.com, symantec.com, sophos.com, mcafee.com, update.symantec.com, liveupdate.symantecliveupdate.com, viruslist.com, f-secure.com, kaspersky.com, kaspersky-labs.com, avp.com, nai.com, networkassociates.com, ca.com, mast.mcafee.com, my-etrust.com, download.mcafee.com, dispatch.mcafee.com, secure.nai.com, updates.symantec.com, us.mcafee.com, liveupdate.symantec.com, customer.symantec.com, rads.mcafee.com, trendmicro.com, grisoft.com, sandbox.norman.no, www.pandasoftware.com, uk.trendmicro-europe.com
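A defender-side check for the HOSTS-file tampering described above, added here as an example and not part of the original F-Secure description: it parses a constructed HOSTS file and flags any of the vendor domains listed above that are mapped to a routable address rather than a loopback or blackhole one. The domain subset and the 64.233.167.104 address are taken from this description; the sample file content is constructed.

```python
"""Flag HOSTS-file entries that map security-vendor domains to a routable
address, the redirection Sumom.A performs. Added example, not part of the
F-Secure description; the sample HOSTS content below is constructed."""
import ipaddress

# Subset of the domains the description lists as redirected by the worm.
VENDOR_DOMAINS = {
    "www.symantec.com", "www.sophos.com", "www.mcafee.com", "www.f-secure.com",
    "www.kaspersky.com", "liveupdate.symantecliveupdate.com", "f-secure.com",
    "update.symantec.com", "sandbox.norman.no", "www.pandasoftware.com",
}


def is_benign_target(addr: str) -> bool:
    """Loopback/unspecified targets are the usual blackhole style; anything
    else that a vendor domain is pointed at is treated as a hijack."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hijacked_entries(hosts_text: str):
    """Return (line_no, ip, hostname) for vendor domains mapped to a routable IP."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()  # HOSTS format: <ip> <name> [<name> ...]
        for name in names:
            if name.lower() in VENDOR_DOMAINS and not is_benign_target(ip):
                findings.append((line_no, ip, name.lower()))
    return findings


# Constructed sample: a normal localhost line, a blackhole-style entry, and two
# Sumom-style redirections to the address named in the description.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ads.example.invalid   # blackhole, not flagged
64.233.167.104  www.symantec.com
64.233.167.104  www.f-secure.com f-secure.com  # several names on one line
"""

if __name__ == "__main__":
    for line_no, ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

A HOSTS file with many vendor domains all pointing at one non-loopback address, as in this worm, is a stronger signal than any single entry; the per-line findings can be grouped by IP to surface that.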

The worm closes application windows if the following strings are found in the window captions:

ADWARE, ALERTS, AUTOSTARTED, BENIGN, BLOCKER, BULLGUARD, BUSTER, CENTER, -CILLIN, CLEANER, Command, DESTROY, DETECTION, DOCTOR, EARTHLINK, EDITOR, ELIMINATE, Filter, FIREWALL, FIXING, HUNTER, LIVEUPDATE, MALWARE, MALWHERE, MCAFEE, NETCOP, NORTON, PROMPT, PROTECTOR, REGISTRY, REMOVAL, RESTORE, SANDBOX, SECURE, SECURITY, SOPHOS, SPYBOT, SPYWARE, STOPPER, SWEEPER, Update, VCATCH


Detection


Detection for this malware was published on March 7th, 2005 in the following F-Secure Anti-Virus updates:

Detection Type: PC
Database: 2005-03-07_02



Description Details: Alexey Podrezov, March 7th, 2005

